Filed under Tools & Methodology.

Recently I’ve been checking the patch level on a LOT of Microsoft servers, mostly versions of Microsoft Server and Microsoft SQL Server. Microsoft has a great tool for this, the Microsoft Baseline Security Analyzer. It’s legacy software, but it’s free of charge and still works like a charm.

Obviously, not all administrators are keen on installing an application on their precious servers, or on letting me plug my PC into their corporate network to perform a remote scan. So I’m often forced to use the standalone version of MBSA and run it from the command line. Since the command-line tool is kind of picky, I’ve put together a quick tutorial on how to use it here.

  1. First, you need the MBSA, downloadable from here
  2. To make the tool standalone, you’ll need to install it somewhere and copy the mbsacli.exe and wusscan.dll files out to a temporary folder (the default install location is C:\Program Files\Microsoft Baseline Security Analyzer 2\)
  3. You’ll also need Microsoft’s latest wsusscn2.cab file, which contains details on all the latest updates from Microsoft. You can download it here
  4. Select those three files (or zip them up) and copy them to the server you wish to test
  5. Open a command window on the server, cd into the directory containing the files, and issue the following command:

     mbsacli /xmlout /catalog wsusscn2.cab /unicode /nvc >results.xml

The resulting results.xml file should list all Microsoft patches that apply to that particular server, both installed and missing. So if the server is a Microsoft Server 2008 running SQL Server 2005, the file will contain patches for both Microsoft Server 2008 and SQL Server 2005.

The easiest way to analyze the results is to open the file in Excel. There you can, for example, filter out all installed patches and quickly get an overview of whether the server is under a good patch management process or not.
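If Excel is not at hand, the same filtering can be scripted. The Python below is an added example, not part of the original post or of MBSA itself: it pulls the missing updates out of results.xml and sorts them by severity. It assumes the UpdateData element with its IsInstalled, Severity, BulletinID and KBID attributes as written by mbsacli /xmlout, and the numeric severity mapping shown; the sample XML is constructed, with placeholder bulletin and KB ids.

```python
"""Summarise the missing updates in an MBSA results.xml (added example, not MBSA's own code)."""
import xml.etree.ElementTree as ET

# Assumed mapping for the numeric Severity attribute on UpdateData elements.
SEVERITY_NAMES = {0: "Not rated", 1: "Low", 2: "Moderate", 3: "Important", 4: "Critical"}

# Constructed sample shaped like mbsacli /xmlout output; bulletin and KB ids are placeholders.
SAMPLE_XML = """<SecScan ID="1" Machine="SRV01" Domain="EXAMPLE">
  <Check ID="500" Name="Windows Security Updates">
    <Detail>
      <UpdateData ID="MS00-001" BulletinID="MS00-001" KBID="0000001" IsInstalled="false" Severity="4">
        <Title>Security Update for Windows Server (KB0000001)</Title>
      </UpdateData>
      <UpdateData ID="MS00-002" BulletinID="MS00-002" KBID="0000002" IsInstalled="true" Severity="3">
        <Title>Security Update for Windows Server (KB0000002)</Title>
      </UpdateData>
      <UpdateData ID="MS00-003" BulletinID="MS00-003" KBID="0000003" IsInstalled="false" Severity="3">
        <Title>Security Update for SQL Server (KB0000003)</Title>
      </UpdateData>
      <UpdateData ID="MS00-004" BulletinID="MS00-004" KBID="0000004" IsInstalled="false" Severity="2">
        <Title>Security Update for Windows Server (KB0000004)</Title>
      </UpdateData>
    </Detail>
  </Check>
</SecScan>
"""

def missing_updates(xml_data):
    """Return the updates with IsInstalled="false", most severe first (str or bytes input)."""
    root = ET.fromstring(xml_data)
    rows = []
    for upd in root.iter("UpdateData"):
        if upd.get("IsInstalled", "").lower() != "false":
            continue  # installed (or unknown state): not what we are hunting for
        sev = int(upd.get("Severity") or 0)
        rows.append({"bulletin": upd.get("BulletinID", ""), "kb": upd.get("KBID", ""),
                     "severity": sev, "severity_name": SEVERITY_NAMES.get(sev, "Unknown"),
                     "title": (upd.findtext("Title") or "").strip()})
    rows.sort(key=lambda r: (-r["severity"], r["bulletin"]))
    return rows

def severity_counts(rows):
    """Count missing updates per severity name, for a quick patch-health overview."""
    counts = {}
    for r in rows:
        counts[r["severity_name"]] = counts.get(r["severity_name"], 0) + 1
    return counts
```

Because the /unicode switch writes the file as UTF-16, read a real results.xml in binary mode (`missing_updates(open("results.xml", "rb").read())`) so the parser can pick up the byte-order mark itself.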

In the example output below, the server is missing a lot of patches (sorted by severity), which makes it vulnerable to a wide range of exploits:

Example output from MBSA in Excel

I’ve had some issues running this on older installations of Windows software such as Windows 2000 and Windows NT (yeah I know, but some people still use non-supported Microsoft products), but for most properly configured servers the above command works as intended. Drop me a comment if you have any trouble!

8 Responses to “How to use MBSA standalone to check a MS server for patch status”

  1. Simon Evans

    So how would I get xmlout to work with multiple computers running remotely? And then the XML output to show which device each patch is from?

  2. Ian McLean

    Hello,
    I downloaded the latest cab file and put it in the MBSA folder.
    So how long does the scan take?
    I have left it running for around 20 minutes but no output as yet.
    Cheers,
    Ian

  3. Tabitha

    My spouse and I stumbled over here from a different website and thought I might as well check things out.
    I like what I see so now I’m following you. Look forward to finding out about your web page for a second time.
