Product Review: Shavlik Updates Hotfix Checker
, which markets a hotfix management tool called HFNetChk Pro, was kind enough to share some of its hotfix-checking expertise with Microsoft Corp. Largely as a result of this assistance, Microsoft in early August began offering a free command-line tool, dubbed HFNetChk.exe, for download
from its Web site. Shavlik continues to collaborate with Microsoft on the development of the free HFNetChk.exe product.
This month, Shavlik released the latest rev – version 3.6 – of its flagship HFNetChk Pro tool.
HFNetChk Pro 3.6 can be installed on any Windows NT 4.0 (SP6a), Windows 2000 or Windows XP system. It requires version 2.6 of Microsoft’s Data Access Components (MDAC), which ships by default with Windows XP but which must be manually installed under Windows NT 4.0 and Windows 2000.
Installation and Use
Packaged in a self-extracting .EXE file, HFNetChk Pro 3.6 is a cinch to install. We configured it on two test systems, a Windows 2000 Advanced Server (SP2) system, as well as on a Windows XP Professional Edition client. On our Windows 2000 Advanced Server box, we were required to install MDAC 2.6, which introduced the need for a reboot. The installation of the HFNetChk Pro 3.6 tool itself does not require a reboot.
Using HFNetChk Pro 3.6 to scan Windows systems is a pretty straightforward affair: Click the “Perform New Scan” icon on HFNetChk Pro 3.6’s toolbar or select “New Scan” from its file menu. Either way, you’ll be presented with a menu box that offers a variety of scan customization settings. You can choose to make your scans as comprehensive or as uninvolved as you like. For example, you can choose to scan the systems in a domain, on a subnet, or in all of the domains across a Windows network for (1) installed patches; (2) all installed and missing patches; (3) all missing patches; (4) or all necessary patches.
It’s in setting the parameters of a scan that one most appreciates HFNetChk Pro 3.6’s GUI interface. First of all, Shavlik’s pay-for-use HFNetChk Pro tool automatically enumerates the members of a Windows domain, which enables you to select – by pointing and clicking – the systems that you want to include in your scan. Obviously, this simply isn’t possible with Microsoft’s free HFNetChk download. And if you’re not sure of exactly what you have in your environment, you can exploit HFNetChk’s discovery features, which seem to work as advertised. When we set it to scan an IP address range, for example, it detected without difficulty all of our test clients and servers. Moreover, it didn’t choke on any of the non-Microsoft systems (a Sun UltraEnterprise 1 server and a Debian Linux box, among others) on our network, either.
Like the free HFNetChk tool, you can configure HFNetChk Pro 3.6 to disable registry checks (which can occasionally trigger false positives during the scanning process), disable file checksum checks, or suppress warning notes – although you won’t have to remember a series of command-line arguments to do so. Simply click the appropriate check box or check boxes on the HFNetChk Pro 3.6 GUI and you’ll be set.
You can also exploit HFNetChk Pro 3.6’s integrated scheduling service to automate the scanning of systems across your enterprise.
Once it’s scanned the Windows systems in your environment, HFNetChk Pro 3.6 will tell you whether or not your patches are up to date for Windows NT, 2000 or XP; IIS; and even SQL Server. Note: Microsoft’s XML database doesn’t contain any checks for SQL Server patches, so HFNetChk Pro simply returns all relevant SQL Server informational items. Because of this, Shavlik’s helpfile cautions, “it is the network administrator's responsibility to read the corresponding bulletin information to determine if the patch is install[ed] or not.”
Those of you who’ve dealt in the past with the sometimes bewildering array of Windows NT 4.0, Windows 2000 and IIS hotfixes can be forgiven if you’ve felt overwhelmed at times. To its credit, HFNetChk Pro 3.6 provides an intelligent and coherent display of information about a system’s patches – typically summarizing with an excerpt from a hotfix’s description in the Microsoft knowledge base – and, if applicable, alerts you to problems with missing or questionable patches.
While using HFNetChk Pro 3.6 to scan for missing hotfixes is straightforward enough, deploying patches to vulnerable systems is more complicated. Because Microsoft’s current XML database doesn’t provide information which can tell HFNetChk about the locations of hotfixes, Shavlik requires that you first download a patch – courtesy of a hyperlink embedded in a scan result – and save it to HFNetChk Pro 3.6’s “Download Center.” Shavlik says that Microsoft is currently working on a new version of the XML database, slated to be unveiled by the end of Q1 2002, which will eliminate the problem.
In any event, once you’ve downloaded and saved a patch to the “Download Center,” you can deploy it to a vulnerable system or systems simply by right-clicking on the “Warning” or “Missing Patch” scan result and selecting “Deploy”. This invokes the Shavlik Patch Deployment Wizard, which walks you through the process of remotely distributing the patch. You’re given the option of copying the patch installation files only; copying but waiting for a reboot (and accompanying administrative login); installing automatically within a two-minute period; or scheduling an install. If a particular system is plagued with missing patches, the Shavlik Patch Deployment Wizard gives you the option of pushing all relevant hotfixes to it. HFNetChk Pro 3.6 even generates event log entries so that you can keep track of the success or failure of a patching effort.
HFNetChk Pro’s strongest value proposition has traditionally been its robust reporting facility, which provides export support for Microsoft Excel, Access or SQL Server. You can leverage any of HFNetChk Pro 3.6’s canned reporting features – which include summaries of patches by machine; machines by patch; patch listings; condensed patch listings (optimized for CSV files); missing service packs; and machines not scanned – to publish detailed reports based on the results of a scan. The reports that HFNetChk Pro 3.6 creates as a result of this process are highly intelligible and ideal for printing.
If canned reports don’t cut it for you, you can save your data as a CSV file and export it to Excel, Access or to a SQL Server repository. From there, you can create your own custom reports.
HFNetChk Pro 3.6 represents a significant improvement over its predecessor, which, although distinguished by stellar reporting capabilities, lacked an actionable hotfix deployment component.
Shavlik seems reasonably confident that administrators who are pleased with the capabilities of the free HFNetChk tool, but who also desire more powerful features – such as flexible reporting options, robust hotfix and service pack compliance scanning and the ability to remotely deploy missing hotfixes – will be tempted to take its HFNetChk Pro tool for a spin.
Based on what we’ve seen, the St. Paul-based software vendor’s confidence isn’t misplaced. Administrators in large environments, especially, will likely find in HFNetChk Pro 3.6 an invaluable tool well suited to the challenge of monitoring thousands of distributed Windows NT 4.0, Windows 2000 or Windows XP clients and servers.
Corporate CIOs, on the other hand, will find in HFNetChk Pro 3.6’s robust reporting facilities a one-stop shop for authoritative hotfix and service pack auditing in their enterprise environments.
Both Windows administrators and corporate CIOs alike will find in HFNetChk Pro 3.6 a must-have tool for peace of mind.
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.