Category: WQL

How to deploy a new version of Windows Update Agent (WUA).


When using software updates with Configuration Manager you may want to deploy a new WU Agent to your machines for several reasons. An outdated WUA can cause all kinds of problems with client scanning and deployment, so my recommendation is to keep the WU Agent up to date. Clients do not always update the agent by themselves, so this article shows a manual way of deploying it.

  1. Download the wuredist.cab from this url: http://update.microsoft.com/redist/wuredist.cab
  2. When you have downloaded the file you need to extract it and open the wuredist.xml file.
  3. In the file you should look for the download source for the different platform agents. Below I have listed the current ones, but they will change as time goes by.
  4. After that you need to create a package with the source files and distribute it to your DPs.
  5. You also need to specify a program for the package. I use this syntax for my x86 platform, as I don't want to force a restart and I want to hide it from the end user.

    WindowsUpdateAgent30-x86.exe /WUForce /quiet /norestart

  6. You also need to create a collection for your machines to target; an example query could be the following. With this query all active, non-obsolete clients that don't have WUA 7.2.6001.788 will be listed. Make sure you use "not like" or "like" on the version, otherwise the version handling won't work.

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
           SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
           SMS_R_SYSTEM.Client
    from SMS_R_System
    inner join SMS_G_System_WINDOWSUPDATEAGENTVERSION
        on SMS_G_System_WINDOWSUPDATEAGENTVERSION.ResourceID = SMS_R_System.ResourceId
    where SMS_G_System_WINDOWSUPDATEAGENTVERSION.Version not like "7.2.6001.788"
      and SMS_R_System.Client = 1
      and SMS_R_System.Obsolete != 1
      and SMS_R_System.Active = 1

  7. After this you need to create an advertisement to deploy to the collection, and then follow your deployment in the reports.
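The collection query in step 6 selects every eligible client whose version string is not exactly 7.2.6001.788, which also includes clients that already run a newer agent. The following is an added example, not part of the original post: it replays that filter in Python over constructed inventory rows (fictional host names and versions) and contrasts it with a numeric version comparison that only picks out clients that are actually older than the target.

```python
"""Added example: the step 6 collection filter versus a numeric version test."""
TARGET = "7.2.6001.788"

# Constructed sample rows shaped like SMS_R_System joined to
# SMS_G_System_WINDOWSUPDATEAGENTVERSION (fictional hosts and values).
INVENTORY = [
    {"Name": "PC01", "Version": "7.0.6000.374", "Client": 1, "Obsolete": 0, "Active": 1},
    {"Name": "PC02", "Version": "7.2.6001.788", "Client": 1, "Obsolete": 0, "Active": 1},
    {"Name": "PC03", "Version": "7.4.7600.226", "Client": 1, "Obsolete": 0, "Active": 1},
    {"Name": "PC04", "Version": "5.8.0.2469",   "Client": 1, "Obsolete": 1, "Active": 1},
    {"Name": "PC05", "Version": "7.0.6000.381", "Client": 0, "Obsolete": 0, "Active": 1},
]


def eligible(row):
    """Client = 1 and Obsolete != 1 and Active = 1, exactly as in the WQL."""
    return row["Client"] == 1 and row["Obsolete"] != 1 and row["Active"] == 1


def version_tuple(version):
    """Split '7.2.6001.788' into (7, 2, 6001, 788) so it compares numerically."""
    return tuple(int(part) for part in version.split("."))


def not_like_target(rows, target=TARGET):
    """What the post's query returns: every eligible client whose version
    string differs from the target, including clients already running a
    newer agent (here PC03)."""
    return [r["Name"] for r in rows if eligible(r) and r["Version"] != target]


def below_target(rows, target=TARGET):
    """Numeric comparison: only eligible clients running an older agent."""
    want = version_tuple(target)
    return [r["Name"] for r in rows
            if eligible(r) and version_tuple(r["Version"]) < want]


if __name__ == "__main__":
    print("not like target:", not_like_target(INVENTORY))  # ['PC01', 'PC03']
    print("below target:   ", below_target(INVENTORY))     # ['PC01']
```

WQL collections cannot do the numeric comparison directly, so the practical takeaway is to pick the version string carefully (or maintain several collections) so that a newer agent is not re-targeted by the "not like" rule.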

References

http://support.microsoft.com/kb/949104

http://msdn.microsoft.com/en-us/library/aa387285(VS.85).aspx

Find computers without a certain file with a subselect query.

In this case I want to query all systems that don't have the vpc32.exe file, to identify computers that don't have Symantec AntiVirus installed. The following query is a subselect query. You can easily replace the "exe" file name with the one you need.

    select distinct SMS_R_System.Name, SMS_R_System.ADSiteName, SMS_R_System.IPAddresses
    from SMS_R_System
    where SMS_R_System.Name not in (
        select distinct SMS_R_System.Name
        from SMS_R_System
        inner join SMS_G_System_SoftwareFile
            on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId
        where SMS_G_System_SoftwareFile.FileName = "vpc32.exe"
    )

Identifying "spyware" with SMS or Configuration Manager

Some of you might think: don't you use an antivirus to do this? Well yes, you might, but SMS or Configuration Manager can help with this as well.

This query first came to me through the myITforum mailing list, and after that I have added my own modifications to it. There are also some games etc. in this list that may be legitimate in your environment. There may also be some false positives, as we are looking for expressions like sniff and loader etc.

NOTE: This is not something to replace spyware protection; it's just a method to help you identify spyware. As most of us know, spyware generates exe files with random names, which will give us a hard time, but at least this will give you an idea of what you can do to identify spyware or other unwanted software in your environment.

select
all RSYS.Name0 AS 'Computer',
RSYS.User_Name0 As 'Last User ID',
SF.FileName As 'File Name',
SF.FileDescription As 'File Description',
SF.FilePath As 'File Path',
SF.FileSize As 'File Size',
SF.FileVersion As 'File Version'
from
V_R_SYSTEM RSYS
LEFT OUTER JOIN V_GS_SoftwareFile SF ON RSYS.ResourceID = SF.ResourceID
where
(
SF.FileName IN
(
'nc.exe', -- Netcat
'hamachi.exe', -- Hamachi
'wow.exe', -- Warcraft
'_DLL.exe', -- Troj_Bagle.AC Trojan
'ARR.exe',  -- Dial-up Hijacker - high cost toll number
'asart.exe', -- ?
'av.exe',   -- W32.Alphx.Word.A Virus
'BackWeb.exe',  -- Spyware - BackWeb Technologies
'Bargains.exe',  -- BargainBuddy - Adware/Spyware
'BELT.exe',   -- Spyware - SearchV.com
'Bling.exe',  -- W32.SDBot-OH.Worm
'BLSS.exe',  -- Spyware - CBlaster Trojan
'Bootconf.exe',  -- Spyware - Homepage Hijacker
'BonziBdy.exe',  -- Spyware
'botzor.exe',  -- W32.ZOTOB.Worm
'BPC.exe',  -- Spyware - Grokster
'Bundle.exe',  -- Adware.SAHAgent
'businessbg0002.exe',  -- Spyware - ?
'cmesys.exe',  -- Adware.W32.Claria
'crafty.exe',   -- ?
'CFD.exe',  -- Spyware - Motive Client Foundation
'csm.exe',  -- W32.ZOTOB.B Worm
'Datemanager.exe',  -- Pop-Ups via Gator
'DIVX.exe',  -- MASTAK Virus or NALDEM Trojan
'DPPS2.exe',  -- Don't Panic! Pop-up blocker - Spyware
'DSSagent.exe',  -- Adware - Broderbund - Spyware?
'eanthology.exe',   -- eAcceleration Software Station - Spyware?
'EditSRV.exe',  -- Spyware - Email_Update.exe
'email_Update.exe',  -- StopSign Email Scanner - eAcceleration Software - Spyware?
'EMSW.exe',  -- Spyware - Alset Inc.
'Gator.exe',  -- Adware.W32.Claria
'gmt.exe',  -- Adware.W32.Claria
'haha.exe',  -- Myet Trojan
'Hbinst.exe',  -- Spyware - HotBar
'HBSRV.exe',  -- Spyware - HotBar
'Hotbar.exe',  -- Spyware - HotBar
'HXDL.exe',  -- HXDL Spyware - Gator
'HXIUL.exe',  -- Adware - HelpExpress - Alset Inc.
'IDHost.exe',  -- Topicks Spyware
'IEDll.exe',  -- Homepage Hijacker
'IEDriver.exe', -- Peer-To-Peer File Sharing
'INFUS.exe',  -- Dial-up Hijacker - high cost toll number
'InfWin.exe',  -- MSView Parasite
'INTDEL.exe',  -- Adware - Pop-ups
'ISTSVC.exe',  -- Spyware - Integrated Search Technologies
'KeenValue.exe',  -- Spyware - Gator
'loader.exe',   -- Backdoor.Prorat Virus
'lol.exe',  -- W32.HLLW.Rackus Virus
'Lspmonitor.exe', -- Spyware - StopSign
'mapisvc32.exe',   -- KX Virus
'MD.exe',  -- System MD Virus
'MDie.exe',  -- Backdoor.Win32.Rbot.Gen Virus
'MemoryMeter.exe',   -- Grokster Peer-To-Peer File Sharing Suite
'MFIN32.exe',  -- Adware - MyFreeInternet Update
'MMod.exe',  -- Adware.W32.EarnBundleWare
'MOStat.exe',  -- Spyware - Wurld Media
'mousebm.exe',  -- W32.ESBot Virus
'mousemm.exe',  -- W32.ESBot.A Virus
'MSBB.exe',   -- Adware.W32.BargainBuddy - 180Solutions
'MSCache.exe',  -- Spyware - Integrated Search Technologies
'MSCMan.exe',  -- Spyware - Odysseus Marketing
'msdefr.exe',  -- Spybot Worm
'MSMACROPROTXZ.exe',  -- Spybot Worm
'MSMGT.exe',   -- Spyware - Total Velocity
'MSSVR.exe',  -- Spyware - 2020DownLoader - 2020 Internet Search Toolbar
'MSUpdater.exe',   -- TrojanDownLoader.Win32.WinShow Trojan
'MWSOEMON.exe',  -- MyWebSearch Toolbar
'mwsvm.exe',   -- Adware - Adw.ScanPortAL.A
'Nail.exe',  -- Trojan.Win32.Stervis.B Trojan
'nb32ext2.exe',  -- MyDoom.BV worm
'nbmanager.exe',   -- Spyware - eAnthology
'netbutler.exe',   -- ?
'onsrvr.exe',  -- Spyware - OnWebMedia
'PC32.exe',  -- Mastak Virus
'per.exe',  -- Worm.ZOTOB.C Virus
'PGMonitr.exe',  -- Adware.W32.DelFin
'PowerScan.exe',  -- Adware.W32.PowerScan
'PRMVR.exe',  -- Spyware - Adtomi.com
'pnpsrv.exe',   -- W32.SDBOT.Worm Virus
'Precisiontime.exe',  -- Adware.W32.ClariaPrecision
'PrizeSurfer.exe', -- Spyware - PrizeSurfer
'Prmt.exe',  -- Spyware - OpiStat
'RAY.exe',  -- Homepage Hijacker
'RB32.exe',  -- Adware.W32.RapidBlaster
'RCSync.exe',  -- Spyware - PrizeSurfer
'Run32DLL.exe',  -- Key Recorder - Screen Capture - PAL PC Spy
'SAHAgent.exe',  -- Adware.W32.CyDoor - CyDoor Desktop Media
'savenow.exe',  -- Coupons - WhenU.com
'SBHC.exe',   -- IE Plugin - GIGATech Software
'ShowBehind.exe',  -- Adware - MicroSmarts Enterprise
'SLMSS.exe',   -- Spyware - 2nd Thought by CPM Media
'SRNG.exe',  -- Spyware - Search Hijacker
'STCLoader.exe',   -- Spyware - 2nd Thought by CPM Media
'SUSP.exe',  -- Spyware - ABetterInternet
'SVCINIT.exe',   -- Backdoor.Sinit Trojan
'svnlitup32.exe',  -- Worm.RBOT.CBJ
'syscpy.exe',   -- Backdoor.Hogle Trojan
'Systesm32.exe',  -- Spyware - Bling.exe
'thefourthcoming.exe',  -- ?
'Trickler.exe',  -- Spyware - Gator GAIN (Gator Advertising and Info Network)
'TSADBot.exe',  -- Adware
'TVMD.exe',   -- Spyware
'TVTMD.exe',  -- Spyware
'UCMWESKU.exe', -- ?
'Updates32.exe',  -- Spyware - Bling.exe
'uptodate.exe',  -- Adware - BrowserPal
'veloz.exe',   -- StopSign Email Scanner - eAcceleration Software
'velozsys.exe',   -- StopSign Email Scanner - eAcceleration Software
'Weather.exe',  -- Adware
'webcel.exe',   -- eAcceleration Software - Spyware - ?
'WebDev.exe',  -- ?
'Win32US.exe',  -- Dial-up Hijacker - high cost toll number
'WinActive.exe',  -- Homepage Hijacker
'windrg32.exe',  -- W32.ZOTOB.D Worm
'WinMain.exe',  -- Trojan.KonDeli
'WinNet.exe',  -- Adware/Spyware - CommonName I.E. Search
'winpnp.exe',  -- W32.SDBOT.Worm
'WinServN.exe',  -- Adware.W32.PurityScan - ClickSpring LLC
'WinStart.exe',  -- Homepage Hijacker - iGetNet
'WinStart001.exe',  -- Adware
'wintbp.exe',  -- W32.ZOTOB.E Worm
'wintbpx.exe',  -- W32.BOZORI.Worm.B
'WNAD.exe',  -- Spyware - TwistedHumor.com
'wpa.exe',  -- ESBOT Worm
'ygpmrgsb.exe',  -- ?
'zeus.exe',   -- Zeus: Master of Olympus game
'zmanager.exe'  -- Spyware - eAcceleration
)
)
OR
SF.FileDescription like '%doom%' OR -- DOOM Game
SF.FileDescription like '%GNUTE%' OR  -- MP3 Resources
SF.FileDescription like '%l0pht%' OR   -- Password cracker
SF.FileDescription like 'Lime%' OR   -- Peer-to-Peer file sharing
SF.FileDescription like '%nuke%' OR  -- DOOM Game
SF.FileDescription like '%orafice%' OR -- Keystroke mapper
SF.FileDescription like '%sniff%' OR -- Network sniffer
SF.FileDescription like '%unreal%' OR -- Games
SF.FileDescription like '%warcraft%' OR -- Games
SF.FileName like '%as-101%' OR
SF.FileName like '%babylon%' OR
SF.FileName like '%bearshare%' OR
SF.FileName like '%bindery%' OR
SF.FileName like '%bindin%' OR
SF.FileName like '%bo2k%' OR
SF.FileName like '%chknull%' OR
SF.FileName like '%Cracker%' OR -- Password cracker
SF.FileName like '%Craserv%' OR
SF.FileName like '%doom%' OR -- DOOM game
SF.FileName like '%EbatesMoeMoney%' OR -- Spyware
SF.FileName like '%expolit%' OR
SF.FileName like 'gator%' OR   -- Gator Spyware/Adware
SF.FileName like '%getadmin%' OR
SF.FileName like '%gnucleus%' OR
SF.FileName like '%GNUTE%' OR -- MP3 Resources
SF.FileName like '%GROK%' OR
SF.FileName like '%hack%' OR -- Password cracker
SF.FileName like '%hotbar%' OR -- IE Toolbar - Spyware/Adware
SF.FileName like '%kazaa%' OR   -- Peer-to-Peer file sharing
SF.FileName like 'keygen%' OR  -- Password cracker
SF.FileName like '%l0phtcrack%' OR -- Password cracker
SF.FileName like '%lc252install%' OR   -- Password cracker
SF.FileName like '%LIME%' OR   -- Peer-to-Peer file sharing
SF.FileName like '%morpheus%' OR
SF.FileName like '%Napster%' OR   -- Peer-to-Peer file sharing - MP3 Resources
SF.FileName like '%nbsvr%' OR
SF.FileName like '%nbtscan%' OR
SF.FileName like '%ndssnoop%' OR
SF.FileName like '%netbusr%' OR
SF.FileName like '%nmapNT%' OR
SF.FileName like '%nuke%' OR   -- DOOM Game
SF.FileName like '%nwpcrack%' OR
SF.FileName like '%orafice%' OR -- Keystroke mapper
SF.FileName like '%otglove%' OR
SF.FileName like '%precisiontime%' OR
SF.FileName like '%pwdump%' OR  -- Password cracker
SF.FileName like '%quake%' OR -- DOOM game
SF.FileName like '%Retina%' OR
SF.FileName like '%RFPoison%' OR
SF.FileName like '%smbdie%' OR
SF.FileName like '%smurf%' OR
SF.FileName like '%unreal%' OR
SF.FileName like '%XUPITER%' OR
SF.FileName like 'POPSRV%'

order by
RSYS.Name0
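To see how the rules above behave, including the false positives the note warns about, the following added example (not from the original post) replays a small subset of them in Python over constructed inventory rows shaped like V_R_SYSTEM joined to V_GS_SoftwareFile. The `like_to_regex` helper mimics SQL Server's default case-insensitive collation, which is why `%hack%` also fires on an unrelated file name.

```python
"""Added example: replaying a subset of the spyware query's rules in Python."""
import re

# A constructed subset of the post's rules (not the full list).
EXACT_NAMES = {"nc.exe", "gator.exe", "hotbar.exe", "loader.exe"}
DESC_PATTERNS = ["%sniff%", "%doom%", "Lime%"]
NAME_PATTERNS = ["%hack%", "%pwdump%", "%kazaa%", "POPSRV%"]


def like_to_regex(pattern):
    """Translate a SQL LIKE pattern (% = any run, _ = one char) into an anchored,
    case-insensitive regex, matching SQL Server's default collation behaviour."""
    body = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                   for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)


DESC_RULES = [(p, like_to_regex(p)) for p in DESC_PATTERNS]
NAME_RULES = [(p, like_to_regex(p)) for p in NAME_PATTERNS]


def matched_rule(filename, description):
    """Return the first rule that fires for one inventory row, or None."""
    if filename.lower() in EXACT_NAMES:          # IN (...) is collation-insensitive too
        return f"IN:{filename.lower()}"
    for pattern, rx in DESC_RULES:
        if rx.match(description or ""):
            return f"desc LIKE {pattern}"
    for pattern, rx in NAME_RULES:
        if rx.match(filename):
            return f"name LIKE {pattern}"
    return None


# Constructed rows: (computer, file name, file description). Fictional hosts.
ROWS = [
    ("PC01", "NC.EXE", ""),                                   # exact name, any case
    ("PC02", "shackleton.exe", "Expedition planner"),         # false positive: %hack%
    ("PC03", "wireshark.exe", "Network sniffer and analyzer"),  # %sniff%, maybe legitimate
    ("PC04", "notepad.exe", "Notepad"),                       # clean
    ("PC05", "popsrv32.exe", ""),                             # POPSRV% is anchored at the start
    ("PC06", "mypopsrv.exe", ""),                             # so this one does not match
]


def scan(rows):
    """Return (computer, file name, rule) for every row a rule fires on."""
    hits = []
    for host, name, desc in rows:
        rule = matched_rule(name, desc)
        if rule:
            hits.append((host, name, rule))
    return hits
```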
