Command-Line Tool
Instead of the MBSA graphical user interface (GUI) tool, you can use the MBSA
command-line tool to perform local and remote security scans and to display
reports from previous scans. The tool is located in the directory where MBSA 2.1
was installed (by default, %programfiles%\
).
Syntax
To perform a full scan of one or more computers:
MBSACLI [/target {[domain\]computer | IP} | /r IP-IP | /d domain] [/n option[+option...]]
[/o template] [/qp] [/qr] [/qe] [/qt] [/q] [/listfile file] [/wa | /wi]
[/catalog file] [/nvc] [/ia] [/mu] [/nd] [/u username /p password] [/rd directory]
To scan the local computer for updates only, sending the results to standard
output (STDOUT
) in XML:
MBSACLI [/xmlout] [/unicode] [/wa | /wi] [/nd] [/catalog file]
To scan one or more computers for updates only, creating reports that can be displayed by MBSA:
MBSACLI [/target {[domain]\computer | IP} | /r IP-IP | /d domain] [/n OS+IIS+SQL+Password]
[/o template] [/qp] [/qr] [/qe] [/qt] [/q] [/unicode] [/listfile file]
[/wa | /wi] [/catalog file] [/nvc] [/ia] [/mu] [/nd] [/u username /p password] [/rd directory]
To display a report:
MBSACLI [/l] [/ls] [/lr report] [/ld report] [/nvc]
To display a report from a specific directory:
MBSACLI [/l] [/lr report] [/ld report] [/nvc] [/rd directory]
To display usage information:
MBSACLI [/?]
Parameters
You cannot use any of these parameters more than once each time you run the command.
- /target [domain\]computer | IP
- Scans the specified computer. You can identify the computer by using its IP address or its name and, optionally, the domain to which it belongs.
- /r IP-IP
- Scans all the computers that are identified by a range of IP addresses.
- /d domain
- Scans all the computers in the specified domain.
- /n option[+option...]
- Excludes the specified scan types from the scan. You can specify the
following options, separating them with a plus sign (+):
- OS
- Excludes
Windows administrative vulnerability checks - SQL
- Excludes
SQL Server administrative vulnerability checks - IIS
- Excludes
IIS administrative vulnerability checks - Password
- Excludes password vulnerability checks
- /o template
- Specifies the template that MBSA uses when naming the XML output file. You
can use these symbols to represent computer-specific information:
%d%
- Replaced with the name of the computer's domain
%c%
- Replaced with the name of the computer
%t%
- Replaced with the date and time when the scan was performed
%IP%
- Replaced with the computer's IP address
The default file-name template is
%d - :%c% (%t%)
.You can also use the variable names that were supported by previous versions of MBSA:
%domain%
,%computername%
, and%date%
. /qp - Does not display scan progress.
/qr - Does not display the report list.
/qe - Does not display the error list.
/qt - Does not display the text output after scanning a single computer.
/q - Does not display scan progress, the report list, the error list, or text output.
/listfile file- Scans the computers identified in a file. The file argument is the path and name of a text file in ASCII or Unicode format that contains one or more IP addresses or computer names. Each IP address or computer name must appear on a separate line.
/xmlout - Checks the local computer for security updates only, displaying the results
as XML text. To save the report in a file, use command redirection to redirect
standard output (
STDOUT
) to a file, for example,MBSACLI /xmlout > output.xml
.For more information about using this parameter, see Security Updates Scan.
/wa - Scans only for security updates that are approved on the computer's
Update Services server. TheMicrosoft Update web site and the offline catalog are not used. This parameter cannot be used with the/wi
parameter. /wi - Uses only the
Microsoft Update web site or offline catalog for security update information. Updates that are not approved on the computer'sUpdate Services server are displayed as though they were approved. This parameter cannot be used with/wa
parameter. Use this parameter to scan computers whose assignedUpdate Services servers are not available. /catalog file- Specifies the offline catalog containing the security update information to
be used when scanning. The offline catalog must be a
.cab file signed by Microsoft. The default offline catalog isWsusscan.cab , which is downloaded from theMicrosoft Web site. When this parameter is not used,Wsusscan.cab is downloaded from theMicrosoft Web site if it is different from the locally cached version. Using this parameter prevents a newer file from being downloaded, and so should be used with care. The file argument must specify a file located on the computer performing the scan. /nvc - Prevents MBSA from checking for a newer version of MBSA.
/ia - Installs or updates the required
Windows Update Agent on the computer being scanned. When this parameter is not used, computers that do not have the required version of Automatic Updates will return an error in the report, and computers that do not haveWindows Installer 3.0 or later may receive incomplete results fromMicrosoft Office and other products that requireWindows Installer 3.0 for scanning. /mu - Configures computers to use the
Microsoft Update site on the computer being scanned. /nd - Do not download any files from the
Microsoft Web site when scanning. Use this parameter to prevent the download ofWsusscn2.cab ,Muauth.cab ,WindowsUpdateAgent30-x86.exe andWindowsUpdateAgent30-x64.exe during the scanning process. When this parameter is selected, MBSA will use any previously downloaded copies of the files. If you want, you can download the files yourself and place them inC:\Documents and Settings\username\Local Settings\Application Data\Microsoft\MBSA\2.1\Cache
. This parameter applies only to downloads from theMicrosoft Web site to the scanning computer. Downloads from the scanning computer to the target computer are automatic and cannot be disabled if the corresponding features are used. /u username/p password- Specifies the user name and password to be used when scanning a remote
computer. The
/u
and/p
parameters must be used together and cannot be used when scanning the local computer. The specified user must have administrative privileges on the computer being scanned. For security purposes, the password is not sent over the network in clear text. Instead, MBSA uses theWindows challenge-response mechanism to secure the authentication process. /rd directory- Specifies a local directory path or network share to place a completed scan report. Retrieves the reports from the given directory or network share when used with report options
/l - Lists all available reports.
/ls - Lists reports from the most recent scan.
/lr report- Displays an overview of the specified report.
/ld report- Displays the details of the specified report. When scanning a single
computer, this is the default behavior unless the
/qt
parameter is used. /unicode - Produces the report with Unicode characters. Users running Japanese MBSA or
scanning computers running Japanese
Windows should specify this parameter. /? - Displays usage information for the command-line tool.
Selecting a computer to scan
Use the following parameters to specify the computer to be scanned. If you do not specify one of these parameters on the command line, MBSA scans the local computer, that is, the computer on which it is running.
/target [domain\]computer- Scans the named computer. The domain or workgroup name is optional.
/target nnn.nnn.nnn.nnn- Scans the computer identified by the specified IP address.
/r nnn.nnn.nnn.nnn-nnn.nnn.nnn.nnn- Scans the computers identified by a range of IP addresses.
- /listfile filename
- Scans each computer identified by name or IP address listed in the specified file. Place each computer name or IP address on a separate line in either an ASCII or UNICODE format text file.
/d domain- Scans all computers in the specified domain.
Excluding specific checks
To exclude a specific check from scan, use the /n
parameter with
the keyword for that check. The following are the keywords you can use with the
/n
parameter.
/n IIS - Skips
IIS checks /n OS - Skips
Windows Operating System (OS) checks. This also skips theInternet Explorer andOutlook zone checks and theOffice macro security checks. /n Password - Skips password checks.
/n SQL - Skips
SQL Server /MSDE checks. /n Updates - Skips security update checks.
Specifying parameters for security update checks
The following parameters determine how a security update check is performed and reported.
/wa - Scans only using an assigned
Update Services server. Unapproved updates are not listed. This parameter checks for security updates using only the computer's assignedUpdate Services server. MBSA will not utilize theMicrosoft Update site or the offline catalog when scanning. This parameter cannot be use with the/wi
parameter. If a scanned computer does not have anUpdate Services server assigned, the scan will return an error. Unapproved updates are displayed as an informational result. /wi - Scans only using
Microsoft Update . Updates that are not approved on the target computer's assignedUpdate Services server are shown as though they were approved. This parameter checks for security updates using only theMicrosoft Update site or the offline catalog. It does not use the target computer's assignedUpdate Services server when scanning. This parameter cannot be used with the/wa
parameter. Default is to show unapproved updates as an informational result. /xmlout - Checks the local computer for security updates only, displaying the results as XML text.
/catalog file- Specifies the offline catalog containing the security update information to
be used when scanning. The offline catalog must be a
.cab file signed byMicrosoft . The default offline catalog isWsusscan.cab , which is downloaded from theMicrosoft Web site. When this parameter is not used,Wsusscan.cab is downloaded from theMicrosoft Web site if it is different from the locally cached version. Using this parameter prevents a newer file from being downloaded, and so should be used with care. /ia - Installs or updates the required
Windows Update Agent on the computer being scanned. When this parameter is not used, computers that do not have the required version of Automatic Updates will return an error in the report, and computers that do not haveWindows Installer 3.0 or later may receive incomplete results fromMicrosoft Office and other products that requireWindows Installer 3.0 for scanning. /mu - Configures computers to use the
Microsoft Update site on the computer being scanned.
Scanning only for security updates
Using /xmlout
specifies that MBSA only checks for security
updates and displays scan results as XML text in the command line window. Only
the MBSA engine (
/catalog
/wa
/wi
/nvc
/nd
/unicode
When using the /xmlout
parameter, you must explicitly redirect
the XML output into a file using standard console redirection. Also, the XML
results must be processed separately from MBSA because they observe a different
format than the full MBSA report files. The benefit of this parameter is to
avoid the full installation package of MBSA 2.1 when only checking for updates
on a single computer. If the minimum system requirements are met, only the
engine files are needed and can be easily copied from another computer having a
full installation present.
Displaying results and details
You can use the MBSA command-line interface to list or display reports produced by previous scans. These report parameters cannot be combined with scanning parameters.
/l - Lists all the reports that are available. If
/rd
is specified reports are listed from the given directory. /ls - Lists the reports from most recent scan.
/lr report- Displays an overview of the named report. If
/rd
is specified report is searched in the given directory. /ld report- Displays details of the named report. Unless the
/qt
parameter is used, this is the default behavior whenever MBSA scans a single computer. If/rd
is specified report is searched in the given directory.
Return to Contents
예) D:\MBSA> mbsacli /target 172.16.**.*** /u administrator /p ******** /wi /catalog mbsa.cab
출처 : MBSA Help
'Brain Trainning > DataBase' 카테고리의 다른 글
MSSQL Job(작업) 결과 조회 쿼리 (0) | 2010.08.25 |
---|---|
Backup 용 Script (0) | 2010.08.24 |
MBSA Offline Scan file (0) | 2010.08.22 |
Understanding How Restore and Recovery of Backups Work in SQL Server 2008 R2 (0) | 2010.08.19 |
Understanding How Restore and Recovery of Backups Work in SQL Server 2005 (0) | 2010.08.19 |