How to use the ASP.NET ValidatePath Module Scanner (VPModuleScanner.js)

Article ID: 887290 - View products that this article applies to.
Expand all | Collapse all

On This Page

SUMMARY

Microsoft has released the Microsoft ASP.NET ValidatePath Module Scanner (VPModuleScanner.js) file. The VPModuleScanner.js file tests a computer to determine if the ASP.NET ValidatePath Module is installed. The VPModuleScanner.js reports whether any of the following conditions are true:
  • The ASP.NET ValidatatePath module is installed on the scanned system.
  • The ASP.NET ValidatatePath module is not installed on the scanned system.
    • The installation status of the ValidatePath module could not be obtained for one of the following reasons:
    • Microsoft Internet Information Services (IIS) is not installed on the scanned computer.
    • ASP.NET is not installed on the scanned computer.
    • The scan exeperienced an error while scanning the computer.

You can use the VPModuleScanner.js file with the VPMultimachineWrapper.js file to scan more than one computer. For more information about how to look for canonicalization issues with ASP.NET, click the following article number to view the article in the Microsoft Knowledge Base:
887289
(http://support.microsoft.com/kb/887289/ )
HTTP module to check for canonicalization issues with ASP.NET
For more information about how to determine the version of ASP.NET, click the following article number to view the article in the Microsoft Knowledge Base:
318785
(http://support.microsoft.com/kb/318785/ )
Determine whether service packs are installed on the .NET Framework
Back to the top | Give Feedback

Download information

The following file is available for download from the Microsoft Download Center:

Collapse this imageExpand this image
Download
Download the VPModuleScanner package now.
(http://www.microsoft.com/downloads/details.aspx?FamilyId=BE7366F5-82A1-444F-9EBC-D70B6C8830DD&displaylang=en)


Release Date: October 14, 2004

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591
(http://support.microsoft.com/kb/119591/ )
How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Known limitations and issues

  • You must have administrative access to run this tool remotely or locally.
  • You cannot specify credentials to run this tool. However, you can use the run as command to start a command-line session that has the right credentials. For more information about the run as command, click the following article number to view the article in the Microsoft Knowledge Base:
    294676
    (http://support.microsoft.com/kb/294676/ )
    How to enable and use the "run as" command when running programs in Windows
  • VPModuleScanner.js uses the Active Directory Service Interfaces (ADSI) proxy to connect to a remote metabase. Therefore, the computer that runs the script must have the IIS Common Files subcomponent installed. Otherwise, the tool reports that IIS is not installed on the client computer.
  • This tool relies on a registry key to determine whether the inner script timed out. Therefore, you must run only one instance of the tool on each computer.
  • With IIS version 6.0 only, the computer reports the status of the ValidatePath module even if ASP.NET is disabled through the Web Service Extension list.
  • The scanner reports "ASP.NET not active" if Microsoft .NET Framework is installed before IIS. In this case, IIS has no ASP.NET mapping and the ASP.NET functionality cannot be used.

Technologies used

VPModuleScanner.js uses the following technologies that might be disabled or limited in a corporate or datacenter environment:
  • ADSI: VPModuleScanner.js uses DCOM to connect to the IIS metabase.
  • SMB shares to connect and retrieve files from a remote admin share. Remote admin shares must be enabled.
  • The COM component FileSystemObject (Scrrun.dll) must be registered on the computer that runs the script. The FSO component is used to open the Machine.config file on the remote file system. Certain security policies recommend disabling this component on production IIS servers. For more information about these policies, visit the following Microsoft Web sites:
    Helping to secure IIS 6.0
    http://www.microsoft.com/smallbusiness/support/articles/sec_IIS_6_0.mspx
    (http://www.microsoft.com/smallbusiness/support/articles/sec_IIS_6_0.mspx)


    Helping to secure IIS 5.0 and 5.1
    http://www.microsoft.com/smallbusiness/support/articles/sec_IIS_5_0_5_1.mspx
    (http://www.microsoft.com/smallbusiness/support/articles/sec_IIS_5_0_5_1.mspx)

Using the ASP.NET ValidatePath module scanner

VPModuleScanner.js scans a computer that you specify for the ASP.NET ValidatePath module. In enterprise environments where multiple computers have to be scanned, you can use VPModuleScanner.js together with VPMultiMachineWrapper.js.

VPMultiMachineWrapper.js

Command-line switches

  • /l specifies a file that contains a list of computers to scan. Computer names can be a NetBIOS name or IP address. There is one entry per line.
  • /d domainname limit specifies a Windows domain that should be scanned, where domainname is the name of the domain and limit is the limit of entries. The following example command scans the first 1,000 computers in the example.domain.com domain:
    VPMultiMachineWrapper.js /d example.domain.com 1000
    Note The domain scan only looks for computer accounts that are inside the CN=Computers organizational unit (OU). This is the built-in OU where computer accounts are stored in Active Directory. However, if computer accounts are located in a custom OU such as OU=Web_Servers, the script does not find them.
  • /t specifies the time-out for the inner script (VPModuleScanner.js). Certain calls in VPModuleScanner.js do not time out. This made it necessary to wrap VPModulescanner.js with VPMultimachineWrapper.js and to introduce a time-out that an administrator can use to specify how long VPMultimachineWrapper.js should wait for VPModulescanner.js to return. The following example scans the computers that are listed in the Computers.txt file. The inner script (VPModulescanner.js) times out after 30 seconds and a time-out entry is added to the log file:
    VPMultiMachineWrapper.JS /t 30 /l computers.txt
  • /o specifies the location and name of the log file. If this switch is not specified, the tool logs to VPModuleScanner.log in the folder where the script is located. The name that you specify can be a file name or a full path to where you want the file to be located. The file is saved in a comma-delimited .csv file format so that you can open it with Microsoft Excel or with LOGPARSER. If /o is not specified, the output (VPModulescanner.log and VPModulescanner_trace.txt) is written to the current folder. The following example scans the first 100 computers of domain example.com and writes the log and trace output to the directory the system variable %temp% points to: PVMScanner.js /d example.com 100 /o %temp%\vpoutput.txt
  • /? displays Help.

What VPMultiMachineWrapper.js does

VPMultiMachineWrapper.js gathers a list of computers from either a text file or through an LDAP query from Active Directory. When VPMultiMachineWrapper.js has the complete list of computers, it starts a loop, calling VPModuleScanner.js for every computer.

Debugging

VPMultiMachineWrapper.js logs its debugging messages in the file VPMultiMachineWrapper_Trace.txt. You can use the trace file if you need to troubleshoot VPMultiMachineWrapper.js.

VPModulesScanner.js logs its debugging messages in the file VPModulesScanner_Trace.txt. You can use the trace file if you need to troubleshoot VPModulesScanner.js.

How VPModuleScanner.js is started

The following is an example of how VPMultiMachineWrapper.js starts VPModuleScanner.js:
cscript //nologo //t:30 VPModuleScanner.js /o "c:\temp" Machine1
The following table explains the switches used:
Collapse this tableExpand this table
//t:30time-out value, in this case 30 seconds, supported by the script engine
/o “c:\temp”specifies the output directory that should be used
Machine1specifies the computer to be scanned

VPModuleScanner.js

Command-line switches

  • /install installs the mitigation on the local computer
    NOTE /install can only be used locally. Using /install together with a computer name generates an error message. You must have VPModule.msi in the same directory as VPModuleScanner.js.
    VPModuleScanner.js uses the following command-line to install VPModule.MSI:
    MSIexec /install script_path\VPModule.msi /qn
  • /O specifies the directory for the scan log. If you do not specify a directory, the report is written to VPMultiMachineWrapper.log.
  • <machinename> specifies the remote computer name that VPModuleScanner.js is to scan. This switch cannot be used with /install.
  • /? displays Help.

How to read the log files

The log files use the following format:
DATETIME,SERVERNAME,NETFX_VERSION_STRING,MACHINESTATUS,PATCHSTATUS
The following items describe the elements of this format:
  • DATETIME specifies the date and time when the scan entry was generated.
  • SERVERNAME is the NetBIOS name or the IP address of the scanned system.
  • NETFX_VERSION_STRING is the .NET run-time version that is installed on the scanned system. This entry is set to Unknown if the computer cannot be found.
  • MACHINESTATUS is the computer status. The following computer status strings are possible:
    • IIS installed IIS and the .NET Framework are installed, and ASP.NET is enabled.
    • IIS not installed on client computer The scanning computer (client) cannot scan because it is does not have the IIS Common Files component installed.
    • Error (errnumber: Error description) An error was reported while trying to connect to IIS or during the scan.
    • Config file not found The script determines the remote UNC path, but cannot connect to the administrator share of the remote system. This occurs, for example, if you turn off the Server Service on the remote computer or if the administrator shares are disabled.
  • PATCHSTATUS specifies whether the update has been installed. The following update status strings are possible:
    • Module not installed The computer does not have the ValidatePath httpModule installed.
    • Module installed The computer does have the ValidatePath httpModule installed.
    • Unknown status The status of the update could not be obtained.
The following are log entry examples:
  • 10-5-2004 12:00:05 PDT,SERVER1,Unknown, Unknown,Error(0x800A0046: Permission denied),Unknown status
    The user who ran the script does not have administrative rights on the server.
  • 10-5-2004 12:00:06 PDT,SERVER2,v1.1.4322,IIS installed,Module installed
    VPmodule is installed on SERVER2.
  • 10-5-2004 12:00:07 PDT,SERVER3,v1.1.4322,IIS installed,Module not installed
    VPmodule is not installed on SERVER3.
You can use VPModuleScanner.js as an SMS script. The following return codes are used to comply with SMS:
  • 20000 VPmodule is not installed on the system.
  • 20001 Machine.config cannot be found. IIS is not installed.
  • 0 VPmodule is installed.
  • <other> An error occurred that the above codes do not account for.
The following are log file error messages in MACHINESTATUS:
  • Error(0x800A01CE: The remote server machine does not exist or is unavailable) IIS is not installed on the scanned computer or the computer that is specified is not responding.
  • Error(0x800A0046: Permission denied) The user who is performing the scan does not have administrator rights on the scanned computer.
  • Error(0x80070424: ) Only the IIS Common Files component is installed on the scanned computer.
  • Unknown,Error(0x80070422: ) The IIS Administration Service is disabled.
Back to the top | Give Feedback

REFERENCES

For more information about LOGPARSER, click the following article number to view the article in the Microsoft Knowledge Base:
840671
(http://support.microsoft.com/kb/840671/ )
The IIS 6.0 Resource Kit tools
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
887405
(http://support.microsoft.com/kb/887405/ )
How to use Windows Installer and Group Policy to deploy the VPModule.msi in an Active Directory domain
887404
(http://support.microsoft.com/kb/887404/ )
How to use Systems Management Server 2003 to deploy the ValidatePath module
887787
(http://support.microsoft.com/kb/887787/ )
You may receive error messages from Reporting Services after you install the ASP.NET ValidatePath Module
Back to the top | Give Feedback

Properties

Article ID: 887290 - Last Review: December 3, 2007 - Revision: 2.4
APPLIES TO
  • Microsoft ASP.NET 1.1
  • Microsoft ASP.NET 1.0
  • Microsoft .NET Framework 1.0
  • Microsoft .NET Framework 1.0 Service Pack 1
  • Microsoft .NET Framework 1.0 Service Pack 2
  • Microsoft .NET Framework 1.0 Service Pack 3
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework Software Development Kit 1.0 Service Pack 2
  • Microsoft .NET Framework Software Development Kit 1.0 Service Pack 1
  • Microsoft .NET Framework Software Development Kit 1.0 Service Pack 2
Keywords: 
kbsecurity atdownload KB887290
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top