In association with heise online

Compiling a service pack

Unpack the zip archive onto a hard drive with sufficient space for all the Microsoft updates that will be downloaded, and that can also accommodate the ISO images created from them. Downloading updates for all three supported English operating systems and creating a DVD image from them can amount to almost 3 gigabytes.

The download script is best used on a PC with a fast internet connection and complete with all patches. It draws several hundred megabytes off the net during the first working pass, although it will not then need to reacquire that data once the package is updated after a later Patch Tuesday.

When unpacking the archive, mind that its directory structure is preserved. Subdirectories into which the script sorts the update packets and ISO images are predefined within the scripts.

Once unpacked, no other preparation is required before using the download script under Windows XP. It retrieves not only the updates from the internet, but also a few additional tools required by the installation script on the target system. These originate from Microsoft, which is why for licensing reasons we cannot deliver them ourselves.

If you wish to use the download script on Windows 2000 or Server 2003, then you still need to copy a working version of the command line tool reg.exe into the client\bin subdirectory. You can find reg.exe on the Windows 2000 installation CD under \support\tools in the support.cab archive. The version of reg.exe included in Server 2003 is not suitable for the update package, since it does not function with other operating systems. You can extract the suitable reg.exe from the Windows\system32 directory of an existing copy of XP.

The download script downloads the complete Microsoft update catalogue, which contains significantly more update packets than are needed to patch a freshly installed system; only the necessary ones are then installed. For Windows 2000, it draws around 400 MBytes per selected language from the internet; for Windows XP, 600 MBytes each; and for Windows Server 2003, around 700 MBytes. Included in that calculation are 100 MBytes per OS that are identical for all systems -- and which the script does not download repeatedly even if multiple versions are selected. The largest chunks are the respective current Service Packs.

And off you go: double-click on DownloadStarterGUI.exe to call up a dialogue box within which you can set which versions of Windows need updates. Restricted user rights are not a problem as long as you have not selected Windows 2000. For the latter, the download script also downloads Internet Explorer 6, which can only be installed with administrator rights - since it remotely controls the GUI of the network installer.

The download script retrieves Microsoft's complete update archive for the selected operating system and uses it to create ISO files for removable installation media.

You can prepare a separate ISO image to be placed on CD for each language of each selected operating system. The script can also build a large ISO for DVD use that can update all selected operating systems. If you do not set any checks in the second area, the script skips the image creation procedure. The finished update packet can also be copied onto a USB stick, for example, or prepared for sharing over a local network.

Click on the start button and then sit back and relax. A window opens and you can watch the tools speedily fulfil their tasks. Fully automated, they download additional programs off the net, determine the download URLs, download the selected updates and then finish up by preparing the ISO images.

Once the run has completed without errors, the ready-to-use update packet containing all patches and their installation scripts can be found in the client subdirectory. The ISO images created from them are in the iso folder. These can then be put onto a blank disc using the burning program of your choice; one free tool for this is Deep Burner, for example. Be sure to explicitly select the function for burning from image files - otherwise you could end up simply creating an archive copy of the ISO file on a data CD.

To use other storage media as installation media, simply copy over the contents of the client folder. The individual updates are located there in the wxp (Windows XP), w2k (Windows 2000) and w2k3 (Windows Server 2003) subfolders. Simply omit any specific operating systems that the target medium doesn't need to cover.

Installation

Double-click on UpdateStarterGUI.exe to launch the installation of the updates on the target PC, or simply insert a CD or DVD with one of the ISO images recorded on it (it will start from the autoplay function). The installation of the missing components and updates may require several reboots. The "Automatic reboot and recall" option allows the script to shut down the PC on its own where necessary and then resume work following the reboot - this is as easy as it gets.

To do this, it creates a temporary administrator account called "WSUSAdmin", to which it assigns a random password. The script enters these credentials into the registry so that Windows automatically logs in as the temporary administrator following the reboot and calls up the update script again. After the final phase has completed, the script deletes the temporary administrator account. Caution: if the computer is unattended while the update is running in automated mode, someone with access to the PC could give themselves administrator rights without being noticed.

If you do not activate the "Automatic reboot and recall" option, the script will ask you to reboot the PC manually from time to time. You must then also restart the program to allow it to finish its work. Automatic log-in is not activated if you call up the installation script from a network drive - the newly created account would lack the proper connection. The function also cannot be used with a domain controller.

Our testing of this procedure turned up no problems with the automatic log-in. However, should something go wrong, and Windows ends up in an infinite loop of logging into the update account, just apply the following emergency brake: interrupt the installation script with Ctrl-C, launch the CleanupRecall.cmd script and restart the computer.
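A check to run once the update has finished, or after CleanupRecall.cmd has been used, to confirm that nothing of the automatic log-in is left behind. This is an added example, not part of the update package; it assumes the automatic log-in is implemented with the standard Winlogon values AutoAdminLogon, DefaultUserName and DefaultPassword, which the article does not name.

```bat
@echo off
rem Added example, not part of the update package.
rem Assumption: automatic log-in uses the standard Winlogon values
rem AutoAdminLogon, DefaultUserName and DefaultPassword.
setlocal
set "KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "ACCOUNT=WSUSAdmin"
set "FINDINGS=0"
set "AAL="
set "DUN="

rem 1. The temporary administrator account must be gone.
rem    "net user <name>" returns 0 only if the account exists.
net user "%ACCOUNT%" >nul 2>&1
if not errorlevel 1 (
    echo [!] Local account %ACCOUNT% still exists.
    set "FINDINGS=1"
)

rem 2. Automatic log-in must be switched off (value absent or not 1).
for /f "tokens=3" %%v in ('reg query "%KEY%" /v AutoAdminLogon 2^>nul ^| find /i "AutoAdminLogon"') do set "AAL=%%v"
if "%AAL%"=="1" (
    echo [!] AutoAdminLogon is still enabled.
    set "FINDINGS=1"
)

rem 3. No log-in password may remain in the registry.
reg query "%KEY%" /v DefaultPassword >nul 2>&1
if not errorlevel 1 (
    echo [!] DefaultPassword is still stored under Winlogon.
    set "FINDINGS=1"
)

rem 4. The default user name must not point at the temporary account.
for /f "tokens=3" %%v in ('reg query "%KEY%" /v DefaultUserName 2^>nul ^| find /i "DefaultUserName"') do set "DUN=%%v"
if /i "%DUN%"=="%ACCOUNT%" (
    echo [!] DefaultUserName still names %ACCOUNT%.
    set "FINDINGS=1"
)

if "%FINDINGS%"=="0" echo [ok] No leftovers of the automatic log-in found.
exit /b %FINDINGS%
```

The script exits with code 1 if any leftover is found, so it can be called from another batch file and checked with `if errorlevel 1`.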

The update installation is conducted in several phases: following each call, the update script checks which operating system is running and whether the respective current service pack is installed. Where necessary it then installs one and requests a restart. In the next phase, the script ensures that all prerequisites for additional steps are fulfilled. Among the components that it then installs are current versions of the Windows Update Agent, Microsoft Installer, and the Windows Script Host. For Windows 2000 it also installs - if not already present - Internet Explorer 6.

In the final phase, the script determines which security updates are missing from the system and installs them one after another. After the final reboot, Notepad is started automatically to show the log file that documents which patches were applied by the script. The ctupdate.log file is located in the Windows system directory (C:\Windows for Windows XP and Server 2003, C:\WINNT for Windows 2000). Should the installation of individual updates fail, the returned error codes are included there as well. Their meanings are explained under [2]. Error 112, for example, signals that the hard drive is full.


For Windows 2000 only: at this point you should manually start the installation script one last time as a final check - the Windows Update Engine is for some unfortunate reason unable to recognise any missing updates here the first time through.

If all holes have been plugged, then you can link your PC to the internet with peace of mind. Be sure that the system service for automated updates is activated to allow Windows to install future new security updates on its own.
