How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

View products that this article applies to.

Note On October 7, 2003, Microsoft released an updated version (1.00.0257) of the KB 824146 scanning tool (KB824146scan.exe) that incorporates several feature requests that are based on customer feedback. The major changes in version 1.00.0257 include the following:

The ability to scan Microsoft Windows NT 4.0-based computers that have the RestrictAnonymous value turned on in the registry
Improved output categories that help to clarify the security patch level of scanned computers
NetBIOS name output for scanned computers

SUMMARY

Microsoft has released the KB 824146 scanning tool (KB824146scan.exe) that network administrators can use to identify host computers on their networks that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed. This tool replaces the KB 823980 scanning tool (KB823980scan.exe).

Note If you use the KB823980scan.exe tool to scan a computer that has the 824146 security patch installed, the tool will incorrectly report that the computer is missing the 823980 security patch (MS03-026). Microsoft encourages customers to run the KB824146scan.exe tool to determine whether the host computers on their networks have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed. For additional information about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

824146 (http://support.microsoft.com/kb/824146/ ) MS03-039: A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious Programs

For additional information about the 823980 security patch (MS03-026), click the following article number to view the article in the Microsoft Knowledge Base:

823980 (http://support.microsoft.com/kb/823980/ ) MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution

For additional information about a new worm virus that tries to exploit the DCOM RPC vulnerability that is fixed by the 823980 security patch (MS03-026), click the following article number to view the article in the Microsoft Knowledge Base:

826955 (http://support.microsoft.com/kb/826955/ ) Virus Alert About the Blaster Worm and Its Variants

For additional information about how network administrators can use Windows Management Instrumentation scripting to install the 823980 security patch (MS03-026) on unpatched computers in their Microsoft Windows NT, Microsoft Windows 2000, or Microsoft Windows Server 2003 domain, click the following article number to view the article in the Microsoft Knowledge Base:

827227 (http://support.microsoft.com/kb/827227/ ) How to Use a Visual Basic Script to Install the 824146 (MS03-039) or 823980 (MS03-026) Security Patch on Remote Host Computers

Back to the top

MORE INFORMATION

The KB824146scan.exe tool can scan remote computers to help network administrators identify which Windows-based computers do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed. The scan does not require authentication (that is, you do not have to supply valid credentials on the remote computer). The KB824146scan.exe tool does not affect the stability of the target operating system that is scanned.

You can use the KB824146scan.exe tool from a computer that is running Windows Server 2003, Windows XP, or Windows 2000. You can use it to scan Windows Server 2003-based, Windows XP-based, Windows 2000-based, or Windows NT 4.0-based computers on your network.

Back to the top

Download and Setup Information

To download the KB824146scan.exe tool, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=13AE421B-7BAB-41A2-843B-FAD838FE472E&displaylang=en (http://www.microsoft.com/downloads/details.aspx?FamilyId=13AE421B-7BAB-41A2-843B-FAD838FE472E&displaylang=en)

Download the Dcom-kb827363-x86-enu.exe installation package. To install the KB824146scan.exe tool, double-click the Dcom-kb827363-x86-enu.exe installation package that you downloaded. The tool is a command-line utility that is installed in the KB824146scan subfolder of the Program Files folder, or in the KB824146scan subfolder of the Program Files (X86) folder for 64-bit versions of Windows XP or Windows Server 2003.

Back to the top

Usage Information

To run the KB824146scan.exe tool, follow these steps:

Click Start, and then click Run.
In the Open box, type cmd and then click OK.
At the command prompt, type cd %programfiles%\kb824146scan, and then press ENTER.
Type kb824146scan switches.

For information about the available switches to use with the KB824146scan.exe tool, type KB824146scan.exe /?. The following information is shown:

Microsoft (R) KB824146 Scanner Version 1.00.0257 for 80x86
Copyright (c) Microsoft Corporation 2003. All rights reserved.

The purpose of KB824146Scan.exe is to audit Windows systems over the network
for KB824146 and KB823980patch compliance. KB824146Scan.exe allows
administrators to quickly scan enterprise networks for unpatched systems.

Usage: KB824146Scan.exe [/?] [/i:input_file] [/l[:log_file]] [/n]
                        [/o:out_file] [/r] [/t:timeout] [/v] target ...

Targets can take any of the following forms:

    a.b.c.d             - IP address
    a.b.c.d-i.j.k.l     - IP address range
    a.b.c.d/mask        - IP address with CIDR mask
    host                - unqualified hostname
    host.domain.com     - fully-qualified domain name
    localhost           - check local machine

Targets can be specified on the command line & in user-specified input files.
The format of the input file is one target per line.

KB824146Scan.exe maintains a log file in the current directory if the /l
switch is specified on the command line. (Otherwise output is only sent to the
screen.) The log files will take the form of KB824146Scan_YYMMDD[a-z][a-z].log,
where YY is the two digit year, MM is the two digit month, and DD is the two
digit day. The [a-z][a-z] will be appended to the log file name as additional
scans are completed on the same day. Please note that the log output will only
contain essential information. To capture full information, please specify the
/v switch for verbose logging.

KB824146Scan.exe will create a list of vulnerable systems (unpatched as well
as those with KB823980 installed) in the current working directory. The log
files will take the form of Vulnerable_YYMMDD[a-z][a-z].log, where YY is the
two digit year, MM is the two digit month, and DD is the two digit day. The
[a-z][a-z] will be appended to the log file name as additional scans are
completed on the same day. Its name can be changed with the /o switch.

KB824146Scan.exe will resolve IP addresses to DNS names if the /r switch is
given on the command line. This may incur a performance penalty if your DNS
servers are slow in responding.

KB824146Scan.exe will resolve IP addresses to NetBIOS names if the /n switch
is given on the command line. This may incur a performance penalty if the
remote NetBIOS connection is slow in responding.

KB824146Scan.exe has a default timeout of 5 seconds, which should be fine
for most networks. If your network is slow or has IPSec enabled then you
might want to increase the timeout to 10 seconds or more. Use /t to specify
the number of seconds for the timeout.

Back to the top

Sample Output

The following is a sample of the command-line output that is shown by KB824146Scan.exe when you use it to scan a range of IP addresses (10.1.1.0 through 10.1.1.255 in this example).

C:\>kb824146scan 10.1.1.1/24

Microsoft (R) KB824146 Scanner Version 1.00.0257 for 80x86
  Copyright (c) Microsoft Corporation 2003. All rights reserved.

<+> Starting scan (timeout = 5000 ms)

Checking 10.1.1.0 - 10.1.1.255
10.1.1.1: unpatched
10.1.1.2: patched with both KB824146 (MS03-039) and KB823980 (MS03-026)
10.1.1.3: Patched with only KB823980 (MS03-026)
10.1.1.4: host unreachable
10.1.1.5: DCOM is disabled on this host
10.1.1.6: address not valid in this context
10.1.1.7: connection failure: error 51 (0x00000033)
10.1.1.8: connection refused
10.1.1.9: this host needs further investigation

<-> Scan completed

Statistics:

Patched with both KB824146 (MS03-039) and KB823980 (MS03-026) .... 1
Patched with only KB823980 (MS03-026) ............................ 1
Unpatched ............................. 1
TOTAL HOSTS SCANNED ................... 3

DCOM Disabled ......................... 1
Needs Investigation ................... 1
Connection refused .................... 1
Host unreachable ...................... 248
Other Errors .......................... 2
TOTAL HOSTS SKIPPED ................... 253

TOTAL ADDRESSES SCANNED ............... 256

Back to the top

Error Messages, Status, and Statistics

An "unpatched" status indicates that the host that you scanned is a Windows host but that the host does not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed. To help protect this computer, you must install the 824146 (MS03-039) security patch.
A "patched with KB823980" status indicates that the host was scanned and that host has the 823980 (MS03-026) security patch installed. The computer does not have the 824146 (MS03-039) security patch installed. To help protect this computer, you must install the 824146 (MS03-039) security patch.
A "patched with KB824146 and KB823980" status indicates that the host was scanned and that the host has the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed.
A "host unreachable" error message indicates that no host is present at the specified Internet Protocol (IP) address. Additionally, black hole routers, or firewalls that drop packets, such as Internet Connection Firewall (ICF), also return the "host unreachable" error message.
A "DCOM is disabled on this host" status indicates that DCOM has been disabled on the target host computer. DCOM may have been disabled to help protect against the vulnerabilities that are addressed by the 823980 (MS03-026) and the 824146 (MS03-039) security patches. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
825750 (http://support.microsoft.com/kb/825750/ ) How to Disable DCOM Support in Windows
A "address is not valid in this context" or a "connection failure" error message indicates there was some problem connecting to the remote computer. To determine whether the target computers have been patched, you must manually inspect them.
A "connection refused" error message indicates either that no service is listening on TCP port 135 or that TCP port 135 is being filtered (either by the Windows TCP/IP stack or by a firewall or a router). To determine whether the target computers have been patched, you must manually inspect them.
A "this host needs further investigation" error message indicates that there was some problem scanning the remote host. To determine whether the target computers have been patched, you must manually inspect them.
A "connection failure, error 67 (0x00000043)" error message indicates that the network name cannot be found. To determine the cause of similar error messages, type the following at the command prompt, where nn is the decimal error number:
net helpmsg nn
The "Patched with KB824146 and KB823980" statistic is a count of the target computers that were marked with the status message "patched with KB824146 and KB823980."
The "Patched with KB823980" statistic is a count of the target computers that were marked with the status message “patched with KB823980.”
The "Unpatched" statistic is a count of the target computers that were marked with the status message "unpatched."
The "TOTAL HOSTS SCANNED" statistic is a total of the "Patched with KB824146 and KB823980," the "Patched with KB823980," and the "Unpatched" statistics.
The "DCOM Disabled" statistic is a count of the target computers that were marked with the status message "DCOM is disabled on this host."
The "Needs Investigation" statistic is a count of the target computers that were marked with the status message "this host needs further investigation."
The "Connection refused" statistic is a count of the target computers that were marked with the status message "connection refused."
The "Host unreachable" statistic is a count of the target computers that were marked with the status message "host unreachable."
The "Other Errors" statistic is a count of the target computers that were marked with any other error message that is not included in this list.
The "TOTAL HOSTS SKIPPED" statistic is a total of the "DCOM Disabled," the "Needs Investigation," the "Connection refused," the "Host unreachable," and the "Other Errors" statistics.
The "TOTAL ADDRESSES SCANNED" statistic is a total of the "TOTAL HOSTS SCANNED" and the "TOTAL HOSTS SKIPPED" statistics.

Back to the top

Log Files That the KB824146Scan.exe Tool Creates

Note These log files are created in the current working folder (that is, the folder where you run KB824146Scan.exe). By default, this is the KB824146scan subfolder of the Program Files folder, or the KB824146scan subfolder of the Program Files (X86) folder for 64-bit versions of Windows XP or Windows Server 2003.

KB824146Scan_YYMMDD[a-z][a-z].log: This log file contains information that is similar to the information in the "Sample Output" section of this article.
Vulnerable_YYMMDD[a-z][a-z].log: This log file contains a list of the IP addresses for computers on your network that do not have the 824146 (MS03-039) security patch installed. You can use the Vulnerable_YYMMDD[a-z][a-z] file without modification as the input file (Ipfile.txt) for the Patchinstall.vbs script that is described in Microsoft Knowledge Base article 827227. If you run KB824146Scan.exe more than one time a day to perform a scan, letters [a-z][a-z] are added to the Vulnerable_YYMMDD[a-z][a-z] file name after the date. For example, if you run KB824146Scan.exe five times on August 21, 2003, the following log files are created in this order:
1. Vulnerable_030821.log
2. Vulnerable_030821a.log
3. Vulnerable_030821b.log
4. Vulnerable_030821c.log
5. Vulnerable_030821d.log
For the sample output that is described in the "Sample Output" section in this article, the Vulnerable_YYMMDD[a-z][a-z].log log file would contain the following entries:
10.1.1.2
10.1.1.8

Back to the top

Known Issues

If remote access or file sharing is enabled, the KB824146scan.exe tool may incorrectly report that the following versions of Windows are vulnerable :
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
- Microsoft Windows Millennium Edition
The original version of the KB824146scan.exe tool (1.00.0249 ) cannot determine whether the 823980 (MS03-026) and the 824146 (MS03-039) security patches are installed on a Windows NT 4.0-based computer that has the RestrictAnonymous value set to 1 in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

In this case, the KB824146scan.exe tool reports the following error status for the target computer: “cannot get workstation info: error 997 (0x000003E5).” To determine whether these computers have been patched, use version 1.00.0257 of the KB824146scan.exe, or manually inspect all Windows NT 4.0-based computers that have the RestrictAnonymous value turned on.
You cannot use double-byte character set (DBCS) characters in the path for the input file, the output file, the log file, or the host computer when you use the KB824146scan.exe tool.

Back to the top