Users Find Limitations of Hotfix Checking Tool
In August 2001, Microsoft released a new tool, HFNetChk.EXE, to help administrators stay on top of hotfixes and other software patches in their Windows NT 4.0 and Windows 2000 environments.
Since its introduction, HFNetChk has proven to be an invaluable tool for administrators. And for the most part, users say, it’s worked as advertised:
“HFNetChk is a terrific free tool. Considering its price, its drawbacks are negligible,” says Chris Kim, an IT engineer with e-business solution provider The Igneous Group Inc. “It is not the most user friendly, especially when compared to pricey products like St. Bernard [Software’s Update Expert], but again, considering the price I'm well satisfied.”
At the same time, most users allow, HFNetChk is not without its flaws.
“It can give you a false sense of security,” maintains Gavin Burris, a visualization systems programmer with the Pennsylvania State University. “Like, if you make changes to your [Windows] configuration, which causes Windows to roll back some components, especially in IIS, to a previous state, it still tells you that your patches are up to date. But that’s not the case.”
Fortunately, Burris says, long experience with Windows NT 4.0 has taught most administrators to re-apply service packs and hotfixes after making changes to their Windows or IIS configurations.
But HFNetChk has other issues, as well. Since its introduction, some users have complained about the limited nature of its reporting facility, which, they say, either doesn’t provide enough information or, in some cases, provides incorrect information.
“I'm not happy with it currently because I still have to use three or four tools and edit out some incorrect data before having a useful report,” says Jay Woody, an IT manager with Thomas & Betts Corp., a supplier of electronics connectors and conduits. “It is a step in the right direction, but right now it is too painful to be of practical use to me.”
According to one IT manager, who characterizes his experience with HFNetChk as “relatively positive considering that the tool is free,” HFNetChk repeatedly told him that a required patch was not installed, even after he re-applied it on several occasions.
“I … had a case where I installed a required patch repeatedly and HFNetChk kept complaining that I didn't. I think it was the patch for the Nimda worm. [Yet the] Nimda test tool confirmed that my system is properly patched,” he says.
HFNetChk works by evaluating a Windows NT 4.0 or Windows 2000 system’s registry entries and file versions, along with the checksum for each file that is installed with the patch. In certain cases, HFNetChk may be unable to determine whether or not a given patch is present. In this case, then, it’s programmed to respond with a “NOTE” message similar to the following:
NOTE MS01-022 Q296441
Please read KB article 306460
Unfortunately, Microsoft wasn’t very clear on this point. It wasn’t until late October that Microsoft published the knowledge base article (http://support.microsoft.com/default.aspx?scid=kb;EN-GB;q306460&GSSNB=1) that explained the situation. “There are some instances where Hfnetchk.exe is not able to determine the patch installation status because the detailed file and registry key information is not available for the specified security bulletin or patch,” the KB article says.
What this means, Microsoft was at pains to explain, was that “NOTE messages do not indicate that the computer that is being scanned is insecure, they indicate that Hfnetchk.exe is technically not able to determine if the appropriate patch or workaround has been applied.”
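The checking logic described above, as an added illustration rather than Microsoft's or HFNetChk's own code: a small Python checker that combines a registry “installed” flag with file checksums, reports a NOTE when it has no file detail to compare against (the case the KB article describes), and separately flags the rollback scenario Burris mentions, where the registry still claims a patch whose files have reverted. The manifest structure, the MS-EXAMPLE-1 bulletin, its Q-PLACEHOLDER article number and the file bytes are constructed for the example.

```python
import hashlib

# Constructed sample "files": the bytes a hypothetical patch ships versus the
# original component a configuration change might roll back to. Not real data.
PATCHED = b"svc.dll v2 (patched, hypothetical)"
ORIGINAL = b"svc.dll v1 (original, hypothetical)"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed manifest (assumed structure, not HFNetChk's real data): the
# bulletin, its KB article and the file checksums the patch should leave behind.
# An empty file map models the case the KB article describes: no detailed
# file or registry information is available for that bulletin.
EXPECTED = {
    "MS01-022": {"kb": "Q296441", "files": {}},
    "MS-EXAMPLE-1": {"kb": "Q-PLACEHOLDER", "files": {"svc.dll": sha256(PATCHED)}},
}

def assess(bulletin: str, registry_installed: set, disk: dict) -> str:
    """Classify one bulletin from the registry flag plus on-disk file checksums.

    registry_installed: bulletins whose 'installed' registry entry is present.
    disk: filename -> current file bytes (constructed here; read from disk in practice).
    """
    spec = EXPECTED[bulletin]
    if not spec["files"]:
        # Nothing to compare against: indeterminate, not insecure.
        return f"NOTE {bulletin} {spec['kb']}"
    mismatched = [name for name, digest in spec["files"].items()
                  if name not in disk or sha256(disk[name]) != digest]
    if not mismatched:
        return f"Patch Found {bulletin}"
    if bulletin in registry_installed:
        # The registry still claims the patch, but the files were reverted:
        # trusting the registry alone is the "false sense of security" case.
        return f"ROLLBACK SUSPECTED {bulletin} ({', '.join(mismatched)})"
    return f"Patch NOT Found {bulletin}"

if __name__ == "__main__":
    for status in (
        assess("MS01-022", {"MS01-022"}, {"svc.dll": PATCHED}),
        assess("MS-EXAMPLE-1", {"MS-EXAMPLE-1"}, {"svc.dll": ORIGINAL}),
    ):
        print(status)
```

A NOTE result should be queued for manual verification (for example with the vendor's dedicated test tool, as the IT manager above did), while ROLLBACK SUSPECTED means the patch must be re-applied regardless of what the registry says.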
Microsoft did not respond to requests for comment from ENT about whether the company planned to create an updated version of the tool that works around the problem.
Five months later, some end users still hadn’t gotten the message.
“Even after [I] apply patches to my W2K SP2 Server for MS01-013 and MS01-022, HFNETCHK still lists them as not being applied,” wrote one exasperated administrator to Microsoft’s IIS Security newsgroup (microsoft.public.inetserver.iis.security) last week. “Is there a way to make HFNETCHK better recognize that these patches are applied?”
And as Thomas & Betts’ Woody points out, this kind of uncertainty has sown the seeds of doubt among many of his colleagues. “There are becoming well known instances where everyone just says, ‘Look it will say that you don't have X and Y [installed]. You probably do, so just disregard that error,’” he says.
It’s for this reason that some administrators have avoided HFNetChk. “Since keeping the networks I manage up to date with security and patches is a full time all encompassing project, relying on HFNETCHK was too chancy,” says Steve Clark, principal of systems integration firm Clark Systems Support LLC. “Based on that conclusion, I paid the [money] and purchased St. Bernard's UpdateExpert.”
Other users, like Igneous Group’s Kim, aren’t quite so willing to give up.
“One should never completely trust any tool, so the reported inaccuracies represent little more than an inconvenience to me,” he says. “This is a free tool, and I'd be pretty demanding to complain about its performance.”
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.