patching servers remotely problem

HydroSqueegee

Golden Member
Oct 27, 2005
1,709
2
71
I have a script that installs updates on remote servers. It has worked well with 2003, but fails on Server 2008. The error in the setup log says "Windows update could not be installed because of error 2147942405 "Access is Denied." Command line: wusa c:\temp\windows6.1-KB....
The VBS is run from my PC through an admin command prompt.

If I run the exact same command while logged into the server (with the same admin account), it works fine. The script copies the update to the remote server, installs and deletes the file. I've tried to lower the security settings on the server, but that didn't help.

Is there a setting you can change to allow updates to be installed remotely?

Code:
Connecting to SERVERNAME...
6.1.7600
Copying installation file
Process created.
Command line: WUSA c:\temp\Windows6.1-KB2562937-x64.msu /quiet /norestart
Process ID: 5116
[B]No proccesses with ID 5116 are running[/B]
Installation successful.

Deleting file

Done!

the "No proccesses with ID 5116 are running" line is how i know it failed and the setup log will show access denied. the install is not successful.
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
Sounds like a UAC/Privilege Escalation problem.

I haven't had a need to script installs on remote servers like this, and I haven't used a WUSA command line, so that's about the best info I can give you. Can you specify RunAs Administrator to get your privileges escalated?
 

HydroSqueegee

Golden Member
Oct 27, 2005
1,709
2
71
Sounds like a UAC/Privilege Escalation problem.

I haven't had a need to script installs on remote servers like this, and I haven't used a WUSA command line, so that's about the best info I can give you. Can you specify RunAs Administrator to get your privileges escalated?

i thought it was a UAC problem too. i killed all the UAC options in secpol i could find, but the problem persists. the comand line on my local PC is RusAs Administrator with my admin account that has admin rights on the servers. Ive been looking at trying to put something in the script that specifically launches the Win32 process with admin credentials, but im no programmer, so progress is slow.
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
Do you mind posting the vbs that you're using? There's lots of programmers and sys admins here that have scripting experience.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
The first question would be why aren't you using tools made just for this like WSUS and Windows Update?
 

HydroSqueegee

Golden Member
Oct 27, 2005
1,709
2
71
The first question would be why aren't you using tools made just for this like WSUS and Windows Update?

because this is the government and nothing can be that easy. We cant use windows update and WSUS is controlled by another team and its easier for us to just use a script than deal with them.

the WSUS guys only push down patches mandated from one source, the main source for all patches here. However there is another source that deems other patches need to be installed as well for security reasons. these sources do not talk or interact with eachother but we have to report compliance to both...

see my problem here...
 
Last edited:

HydroSqueegee

Golden Member
Oct 27, 2005
1,709
2
71
Do you mind posting the vbs that you're using? There's lots of programmers and sys admins here that have scripting experience.

sho nuff.

Code:
on error resume Next
'
const W2k3_Patch = "WindowsServer2003.WindowsXP-KB2562937-x64-ENU.exe"
const W2k8_Patch = "Windows6.1-KB2562937-x64.msu"
const LocalPatch = "c:\temp\"

Dim strcommand


If right(ucase(wscript.FullName),11)="WSCRIPT.EXE" Then
    wscript.echo "ERROR: You must run this script using cscript, for example 'cscript " & wscript.scriptname & "'."
    wscript.quit 0
end If


' ipFile = wscript.arguments(0)
ipFile = "C:\Temp\comps.txt"



set ofs = createobject("scripting.filesystemobject")


' Verify that ipfile is accessible.
set oipFile = ofs.opentextfile(ipFile, 1, false) 
	if (Err.Number <> 0) Then
    wscript.echo "Cannot open " & ipFile
    wscript.quit
	end If


' Make sure to end with a \ character.
if right(LocalPatch, 1) <> "\" Then
    LocalPatch = LocalPatch & "\"
end If



'Note that cim_datafile does not support UNC paths 'so everything must be handled through mapped drives.
if left(LocalPatch, 2) = "\\" Then
    wscript.echo "<pathToExecutable> cannot be a UNC path, please map a drive locally"
    wscript.quit
end If



exeW2k8 = ofs.getfile(LocalPatch + W2k8_Patch).name
exeW2k3 = ofs.getfile(LocalPatch + W2k3_Patch).name



' Verify that the patches are accessible.
if ((len(exeW2k8) = 0) OR (len(exeW2k3) = 0)) Then
    wscript.echo "Cannot find patch files."
    wscript.echo "Please verify that the <LocalPatch> folder contains all of these files:" & vbCrLf & "      " & W2k8_Patch & vbCrLf & "      " & W2k3_Patch
    wscript.quit
end If



set osvcLocal = getobject("winmgmts:root\cimv2")

'The error-handling code is below the function that may throw one - execute it.
' on error resume next

while not oipFile.atEndOfStream
    ip = oipFile.ReadLine()
    wscript.echo vbCrLf & "Connecting to " & ip & "..."
    Err.Clear
    set osvcRemote = GetObject("winmgmts:\\" & ip & "\root\cimv2")

    if (Err.Number <> 0) Then
        wscript.echo "Failed to connect to " & ip & "."
    Else
        exeCorrectPatch = detectOSPatch(osvcRemote)
            
        If (exeCorrectPatch <> "") Then
            

            WScript.Echo "Copying installation file"
            Ret = ofs.CopyFile(LocalPatch & exeCorrectPatch, "\\" & ip &"\C$\Temp\", True)

            if (ret <> 0 and ret <> 10) Then
                ' Failure detected and failure was not "file already exists."

                wscript.echo "Failed copy to " & ip & " - error: " & ret
				WScript.Sleep 5000
            Else
                strComputer = ip              
                Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

                ' Create The patch installation process
                Set objProcess = objWMIService.Get("Win32_Process")
                intReturn = objProcess.Create(strCommand, "c:\temp", Null, intProcessID)

                If intReturn <> 0 Then
                    Wscript.Echo "Process could not be created." & vbNewLine & "Command line: " & strCommand & vbNewLine & "Return value: " & intReturn
					wscript.quit                    
                Else
                    Wscript.Echo "Process created." & vbNewLine & "Command line: " & strCommand & vbNewLine & "Process ID: " & intProcessID
                    Do
                        WScript.Sleep 5000
                        blnCheckProcess = CheckProcess(intProcessID)
                    Loop While blnCheckProcess = False

                End If

                wscript.echo "Installation successful."
                WScript.Echo 
                WScript.Echo "Deleting file"

                Ret = ofs.DeleteFile("\\" & ip & "\C$\Temp\" & exeCorrectPatch, True)
                
           end if     'Create process succeeded.

        end if     'Copy succeeded.


        'onet.removenetworkdrive "z:", true

    end if      ' The script knows which patch to install.

    'end if
' Do the next IP address, then the next IP address... 
Wend


oipFile.close()




WScript.Echo vbCrLf & "Done!" & vbCrLf


Function detectOSPatch(osvcRemote)
    set oOSInfo = osvcRemote.InstancesOf("Win32_OperatingSystem")
    'Only one instance is ever returned (the currently active OS), even though the following is a foreach.
    for each objOperatingSystem in oOSInfo

        WScript.Echo objoperatingsystem.version
        if (objOperatingSystem.OSType <> 18) Then

            ' Make sure that this computer is Windows NT-based.
            wscript.echo ip & " is not a Windows XP, Windows 2000, or Windows 2003 Server computer."

        Else
            if (objOperatingSystem.Version = "5.2.3790") Then
                ' Windows Server 2003.

                if (objOperatingSystem.ServicePackMajorVersion = 0) or (objOperatingSystem.ServicePackMajorVersion = 2) Or (objOperatingSystem.ServicePackMajorVersion = 3) then
                    strCommand = "c:\temp\" & exeW2k3 & " /quiet /norestart"
                    systemType = exeW2k3
                end If


            ElseIf (objOperatingSystem.Version = "6.1.7600") or (objOperatingSystem.Version = "6.1.7601") Then
                                                                                
                ' Windows 2008R2.
                if (objOperatingSystem.ServicePackMajorVersion = 0) or (objOperatingSystem.ServicePackMajorVersion = 1) then
                    strcommand = "WUSA c:\temp\" & exeW2k8 & " /quiet /norestart"
                    systemType = exeW2k8
                end If

            end If


            if (systemType = "") Then 

                'This was a Windows NT-based computer, but not with a valid service pack.
                wscript.echo "Could not patch " & ip & " - unhandled OS version: " & objOperatingSystem.Caption & " SP" & objOperatingSystem.ServicePackMajorVersion & "("& objOperatingSystem.Version & ")"
            end If

          end If

     Next

     detectOSPatch = systemType

end Function


Function CheckProcess(P_intProcessID)

    CheckProcess = False
                
    Set colProcesses = objWMIService.ExecQuery("SELECT * FROM Win32_Process WHERE ProcessID = '" & P_intProcessID & "' ")
                
    If colProcesses.Count = 0 Then
        WScript.Echo "No proccesses with ID " & P_intProcessID & " are running"
        CheckProcess = True
    Else
        For Each objProcess in colProcesses
            WScript.Echo objProcess.ProcessID & ": " & objProcess.CommandLine
        Next
    End If

End Function 'CheckProcess
' Win32_Process.Create Return Codes

' Value Description 

'   0   Successful Completion' 
' 
'   2   Access Denied
' 
'   3   Insufficient Privilege
' 
'   8   Unknown failure
' 
'   9   Path Not Found
' 
'   21  Invalid Parameter
 

FSfromTX

Junior Member
Nov 2, 2011
3
0
0
I have a very similar script and have the exact same problem. I've been really banging my head against the Windows 2008 (and Windows 7) wall. I hope someone knows the answer.
 

rasczak

Lifer
Jan 29, 2005
10,437
23
81
because this is the government and nothing can be that easy. We cant use windows update and WSUS is controlled by another team and its easier for us to just use a script than deal with them.

the WSUS guys only push down patches mandated from one source, the main source for all patches here. However there is another source that deems other patches need to be installed as well for security reasons. these sources do not talk or interact with eachother but we have to report compliance to both...

see my problem here...

Could you request the WSUS guys approve the patches you require to comply with both sources?
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
A local administrator:cmd runs in the computer accounts level. Do a run as using a domain admins account to launch the cmd.exe and run the script that way.
 

FSfromTX

Junior Member
Nov 2, 2011
3
0
0
Hi All,

I appreciate all those who are offering assistance.
I'm running the script as a domain admin on my local machine, and I suspect Hydrosqueegee is as well. So the remotely executed patch is launched with those same credentials. Since we're running the patches on remote computers, using the runas can be problematic, as you can't interact with the command once you've launched it. Also, other commands work, it just seems WUSA is locked down more.
 

dphantom

Diamond Member
Jan 14, 2005
4,763
327
126
Windows 2008/Win 7 handle remote access/administration differently than previous OS's. Powershell is now the recommended method. You may also try to set the "allow remote administration exception" group policy under gpedit.msc | computer configuration\administrative templates\network\network connections\standard profile\windows firewall, and set the appropriate IP range
 

FSfromTX

Junior Member
Nov 2, 2011
3
0
0
hi dphantom (and all),

Unfortunately, that didn't help. I still get "access denied" and error code 2147942405.