LifeisSimple

2010. 8. 22. 20:25 Brain Trainning/DataBase

Command-Line Tool

Instead of the MBSA graphical user interface (GUI) tool, you can use the MBSA command-line tool to perform local and remote security scans and to display reports from previous scans. The tool is located in the directory where MBSA 2.1 was installed (by default, %programfiles%\Microsoft Baseline Security Analyzer 2).

Syntax

To perform a full scan of one or more computers:

MBSACLI [/target {[domain\]computer | IP} | /r IP-IP | /d domain] [/n option[+option...]]  
        [/o template] [/qp] [/qr] [/qe] [/qt] [/q] [/listfile file]  [/wa | /wi] 
        [/catalog file] [/nvc] [/ia] [/mu] [/nd] [/u username /p password] [/rd directory] 

To scan the local computer for updates only, sending the results to standard output (STDOUT) in XML:

MBSACLI [/xmlout] [/unicode] [/wa | /wi] [/nd] [/catalog file] 

To scan one or more computers for updates only, creating reports that can be displayed by MBSA:

MBSACLI [/target {[domain\]computer | IP} | /r IP-IP | /d domain] [/n OS+IIS+SQL+Password] 
        [/o template] [/qp] [/qr] [/qe] [/qt] [/q] [/unicode] [/listfile file] 
        [/wa | /wi] [/catalog file] [/nvc] [/ia] [/mu] [/nd] [/u username /p password] [/rd directory] 

To display a report:

MBSACLI [/l] [/ls] [/lr report] [/ld report] [/nvc] 

To display a report from a specific directory:

MBSACLI [/l] [/lr report] [/ld report] [/nvc] [/rd directory] 

To display usage information:

MBSACLI [/?]

Parameters

You cannot use any of these parameters more than once each time you run the command.

/target [domain\]computer | IP
Scans the specified computer. You can identify the computer by using its IP address or its name and, optionally, the domain to which it belongs.
/r IP-IP
Scans all the computers that are identified by a range of IP addresses.
/d domain
Scans all the computers in the specified domain.
/n option[+option...]
Excludes the specified scan types from the scan. You can specify the following options, separating them with a plus sign (+):
OS
Excludes Windows administrative vulnerability checks
SQL
Excludes SQL Server administrative vulnerability checks
IIS
Excludes IIS administrative vulnerability checks
Password
Excludes password vulnerability checks
/o template
Specifies the template that MBSA uses when naming the XML output file. You can use these symbols to represent computer-specific information:
%d%
Replaced with the name of the computer's domain
%c%
Replaced with the name of the computer
%t%
Replaced with the date and time when the scan was performed
%IP%
Replaced with the computer's IP address

The default file-name template is %d% - %c% (%t%).

You can also use the variable names that were supported by previous versions of MBSA: %domain%, %computername%, and %date%.

/qp
Does not display scan progress.
/qr
Does not display the report list.
/qe
Does not display the error list.
/qt
Does not display the text output after scanning a single computer.
/q
Does not display scan progress, the report list, the error list, or text output.
/listfile file
Scans the computers identified in a file. The file argument is the path and name of a text file in ASCII or Unicode format that contains one or more IP addresses or computer names. Each IP address or computer name must appear on a separate line.
/xmlout
Checks the local computer for security updates only, displaying the results as XML text. To save the report in a file, use command redirection to redirect standard output (STDOUT) to a file, for example, MBSACLI /xmlout > output.xml.

For more information about using this parameter, see Security Updates Scan.

/wa
Scans only for security updates that are approved on the computer's Update Services server. The Microsoft Update web site and the offline catalog are not used. This parameter cannot be used with the /wi parameter.
/wi
Uses only the Microsoft Update web site or offline catalog for security update information. Updates that are not approved on the computer's Update Services server are displayed as though they were approved. This parameter cannot be used with the /wa parameter. Use this parameter to scan computers whose assigned Update Services servers are not available.
/catalog file
Specifies the offline catalog containing the security update information to be used when scanning. The offline catalog must be a .cab file signed by Microsoft. The default offline catalog is Wsusscan.cab, which is downloaded from the Microsoft Web site. When this parameter is not used, Wsusscan.cab is downloaded from the Microsoft Web site if it is different from the locally cached version. Using this parameter prevents a newer file from being downloaded, and so should be used with care. The file argument must specify a file located on the computer performing the scan.
/nvc
Prevents MBSA from checking for a newer version of MBSA.
/ia
Installs or updates the required Windows Update Agent on the computer being scanned. When this parameter is not used, computers that do not have the required version of Automatic Updates will return an error in the report, and computers that do not have Windows Installer 3.0 or later may receive incomplete results from Microsoft Office and other products that require Windows Installer 3.0 for scanning.
/mu
Configures computers to use the Microsoft Update site on the computer being scanned.
/nd
Do not download any files from the Microsoft Web site when scanning. Use this parameter to prevent the download of Wsusscn2.cab, Muauth.cab, WindowsUpdateAgent30-x86.exe and WindowsUpdateAgent30-x64.exe during the scanning process. When this parameter is selected, MBSA will use any previously downloaded copies of the files. If you want, you can download the files yourself and place them in C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\MBSA\2.1\Cache. This parameter applies only to downloads from the Microsoft Web site to the scanning computer. Downloads from the scanning computer to the target computer are automatic and cannot be disabled if the corresponding features are used.
/u username /p password
Specifies the user name and password to be used when scanning a remote computer. The /u and /p parameters must be used together and cannot be used when scanning the local computer. The specified user must have administrative privileges on the computer being scanned. For security purposes, the password is not sent over the network in clear text. Instead, MBSA uses the Windows challenge-response mechanism to secure the authentication process.
/rd directory
Specifies a local directory path or network share in which to place a completed scan report. When used with the report options, retrieves the reports from the given directory or network share.
/l
Lists all available reports.
/ls
Lists reports from the most recent scan.
/lr report
Displays an overview of the specified report.
/ld report
Displays the details of the specified report. When scanning a single computer, this is the default behavior unless the /qt parameter is used.
/unicode
Produces the report with Unicode characters. Users running Japanese MBSA or scanning computers running Japanese Windows should specify this parameter.
/?
Displays usage information for the command-line tool.

Selecting a computer to scan

Use the following parameters to specify the computer to be scanned. If you do not specify one of these parameters on the command line, MBSA scans the local computer, that is, the computer on which it is running.

/target [domain\]computer
Scans the named computer. The domain or workgroup name is optional.
/target nnn.nnn.nnn.nnn
Scans the computer identified by the specified IP address.
/r nnn.nnn.nnn.nnn-nnn.nnn.nnn.nnn
Scans the computers identified by a range of IP addresses.
/listfile filename
Scans each computer identified by name or IP address listed in the specified file. Place each computer name or IP address on a separate line in either an ASCII or UNICODE format text file.
/d domain
Scans all computers in the specified domain.

Excluding specific checks

To exclude a specific check from a scan, use the /n parameter with the keyword for that check. The following are the keywords you can use with the /n parameter.

/n IIS
Skips IIS checks
/n OS
Skips Windows Operating System (OS) checks. This also skips the Internet Explorer and Outlook zone checks and the Office macro security checks.
/n Password
Skips password checks.
/n SQL
Skips SQL Server/MSDE checks.
/n Updates
Skips security update checks.

Specifying parameters for security update checks

The following parameters determine how a security update check is performed and reported.

/wa
Scans only using an assigned Update Services server. Unapproved updates are not listed. This parameter checks for security updates using only the computer's assigned Update Services server. MBSA will not utilize the Microsoft Update site or the offline catalog when scanning. This parameter cannot be used with the /wi parameter. If a scanned computer does not have an Update Services server assigned, the scan will return an error. Unapproved updates are displayed as an informational result.
/wi
Scans only using Microsoft Update. Updates that are not approved on the target computer's assigned Update Services server are shown as though they were approved. This parameter checks for security updates using only the Microsoft Update site or the offline catalog. It does not use the target computer's assigned Update Services server when scanning. This parameter cannot be used with the /wa parameter. Default is to show unapproved updates as an informational result.
/xmlout
Checks the local computer for security updates only, displaying the results as XML text.
/catalog file
Specifies the offline catalog containing the security update information to be used when scanning. The offline catalog must be a .cab file signed by Microsoft. The default offline catalog is Wsusscan.cab, which is downloaded from the Microsoft Web site. When this parameter is not used, Wsusscan.cab is downloaded from the Microsoft Web site if it is different from the locally cached version. Using this parameter prevents a newer file from being downloaded, and so should be used with care.
/ia
Installs or updates the required Windows Update Agent on the computer being scanned. When this parameter is not used, computers that do not have the required version of Automatic Updates will return an error in the report, and computers that do not have Windows Installer 3.0 or later may receive incomplete results from Microsoft Office and other products that require Windows Installer 3.0 for scanning.
/mu
Configures computers to use the Microsoft Update site on the computer being scanned.

Scanning only for security updates

Using /xmlout specifies that MBSA only checks for security updates and displays scan results as XML text in the command line window. Only the MBSA engine (MBSAcli.exe and Wusscan.dll) files are needed for this type of scanning, and only the parameters listed below can be used with this parameter:

  • /catalog
  • /wa
  • /wi
  • /nvc
  • /nd
  • /unicode

When using the /xmlout parameter, you must explicitly redirect the XML output into a file using standard console redirection. Also, the XML results must be processed separately from MBSA because they observe a different format than the full MBSA report files. The benefit of this parameter is to avoid the full installation package of MBSA 2.1 when only checking for updates on a single computer. If the minimum system requirements are met, only the engine files are needed and can be easily copied from another computer having a full installation present.

Displaying results and details

You can use the MBSA command-line interface to list or display reports produced by previous scans. These report parameters cannot be combined with scanning parameters.

/l
Lists all the reports that are available. If /rd is specified, reports are listed from the given directory.
/ls
Lists the reports from the most recent scan.
/lr report
Displays an overview of the named report. If /rd is specified, the report is searched for in the given directory.
/ld report
Displays details of the named report. Unless the /qt parameter is used, this is the default behavior whenever MBSA scans a single computer. If /rd is specified, the report is searched for in the given directory.

Example: D:\MBSA> mbsacli /target 172.16.**.*** /u administrator /p ******** /wi /catalog mbsa.cab
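
The combination rules scattered through the parameter descriptions above (each parameter at most once, /wa versus /wi, /u with /p, the short list allowed with /xmlout, report parameters kept apart from scan parameters) can be checked before a scan is scheduled. The PowerShell function below is an added example, not part of MBSA or of the original post; the function name Test-MbsaCliArguments, the host 192.0.2.10 and the password placeholder are assumptions made for illustration.

```powershell
# Added example (not part of MBSA): check an mbsacli argument list against
# the usage rules in this help text before the command is scheduled.
function Test-MbsaCliArguments {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Arguments)

    $takesValue = '/target','/r','/d','/n','/o','/listfile','/catalog',
                  '/u','/p','/rd','/lr','/ld'
    $flags      = '/qp','/qr','/qe','/qt','/q','/wa','/wi','/nvc','/ia',
                  '/mu','/nd','/xmlout','/unicode','/l','/ls','/?'
    $selectors  = '/target','/r','/d','/listfile'
    $report     = '/l','/ls','/lr','/ld'
    $withReport = $report + @('/nvc','/rd')
    $withXmlOut = '/xmlout','/catalog','/wa','/wi','/nvc','/nd','/unicode'

    $seen = @(); $problems = @()
    for ($i = 0; $i -lt $Arguments.Count; $i++) {
        $name = $Arguments[$i].ToLowerInvariant()
        if (($takesValue + $flags) -notcontains $name) {
            $problems += "unknown parameter: $name"; continue
        }
        if ($seen -contains $name) { $problems += "$name is used more than once" } else { $seen += $name }
        if ($takesValue -contains $name) {
            $i++   # the next token is this parameter's value, not a switch
            if ($i -ge $Arguments.Count) { $problems += "$name needs a value" }
        }
    }
    if (($seen -contains '/wa') -and ($seen -contains '/wi')) { $problems += '/wa cannot be used with /wi' }
    if (($seen -contains '/u') -ne ($seen -contains '/p')) { $problems += '/u and /p must be used together' }
    # With no target selector on the command line, MBSA scans the local computer.
    $remote = @($seen | Where-Object { $selectors -contains $_ }).Count -gt 0
    if (($seen -contains '/u') -and (-not $remote)) { $problems += '/u and /p cannot be used for a local scan' }
    $isXml    = $seen -contains '/xmlout'
    $isReport = @($seen | Where-Object { $report -contains $_ }).Count -gt 0
    foreach ($name in $seen) {
        if ($isXml -and ($withXmlOut -notcontains $name)) { $problems += "$name cannot be combined with /xmlout" }
        if ($isReport -and ($withReport -notcontains $name)) { $problems += "$name cannot be combined with report parameters" }
    }
    if ($seen -contains '/catalog') { Write-Warning '/catalog prevents a newer catalog file from being downloaded' }
    $problems
}

# Constructed input: the post's example with a placeholder host and password.
$sample = '/target','192.0.2.10','/u','administrator','/p','<password>',
          '/wi','/catalog','mbsa.cab'
Test-MbsaCliArguments $sample
Test-MbsaCliArguments '/xmlout','/wa','/wi','/q'
```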

Source: MBSA Help

posted by LifeisSimple