For this example the security check was run on a machine with a clean Windows 2000 installation that was updated with Service Pack 2 and any applicable updates from the Windows update web site. According to the test it was missing 8 important hotfixes, a good example of why these extra steps are necessary to secure your machine.
The first thing to do is to download each hotfix by clicking on the appropriate link in the URL column. Download all patches and save them on your hard drive in a separate directory. In this example the folder C:\Install\Patches was used.
The next thing to download is a tool called qchain.exe that allows a batch of hotfixes to be installed simultaneously. Download this tool from the Microsoft web site at http://download.microsoft.com/download/win2000platform/Utility/Q296861/NT45/EN-US/Q296861_x86_en.EXE. More information about this tool can be found in the following Microsoft knowledge base article: http://support.microsoft.com/support/kb/articles/q296/8/61.asp
Double-click the downloaded file to install the tool. When asked where to extract it to, extract it into the same folder that you saved the hotfixes in!
If you are running Windows 2000 or XP, you also want to download a tool called qfecheck.exe that allows easy verification afterwards that all hotfixes were installed properly. Download this tool from the Microsoft web site at http://download.microsoft.com/download/win2000platform/Patch/q282784/NT5/EN-US/Q282784_W2K_SP3_x86_en.EXE. More information about this tool can be found in the following Microsoft knowledge base article: http://support.microsoft.com/support/kb/articles/Q282/7/84.ASP
Double-click the downloaded file to install the tool. You’re all set. If you look at the folder in Explorer, it should look similar to the picture below.
Now you’re going to write a little batch file. Don’t worry, it is very easy. Copy the following section and paste it into Notepad or any other text editor of your choice.
@echo off
setlocal
set PATHTOFIXES=C:\Install\Patches
%PATHTOFIXES%\q299796_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\q276471_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\q285851_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\q285156_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\q296185_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\q299553_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\q302755_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\q298012_w2k_sp3_x86_en.exe -z -m
%PATHTOFIXES%\qchain.exe
You will need to modify the third line and change the path to whatever folder on your hard drive you chose to download the patches to. Then you’ll need to edit the 8 lines with the names of the patch files to match the ones you downloaded. The listing above is what was used for this example, but your results will of course be different. The number of lines and file names will be different depending on which and how many hotfixes you have to install.
Tip: Instead of having to type each hotfix file name and possibly make typos, highlight each hotfix file name in Windows Explorer, press the F2 key on your keyboard which makes the name field editable, press Ctrl-C to copy the file name, press the Escape key to quit editing the file name without making any changes, then switch back to Notepad and paste the name into the appropriate spot.
Be careful to modify only the patch folder path and the file names, nothing else. The -z switch at the end of each line means not to reboot after installing the patch (which is the point of this whole exercise – duh!), and the -m switch means quiet mode as in don’t display any annoying messages during each install. Also make sure that qchain.exe is in the last line of this batch file.
Now save this batch file in the same directory where the patches are located. It doesn’t matter what you call it, we suggest patch.bat. To ensure that the file gets saved with the correct extension put quotation marks around the file name in the file name field of the Save As dialog box, e.g. “patch.bat” – this prevents the text editor from appending the default txt extension which would ruin the batch file.
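As an added example (not part of the original article or of Microsoft's documentation), this variant of the batch file loops over the hotfix packages in the folder instead of listing each one by name, which removes the typo risk the Tip above works around. It assumes the folder is C:\Install\Patches and that the packages follow the q*_w2k_*_x86_en.exe naming seen in the listing; the :install label and the COUNT variable are names chosen for this example.

```batch
@echo off
rem Added example: run every hotfix package in the folder, then qchain.exe last.
rem Assumption: hotfix packages are named q*_w2k_*_x86_en.exe, as in the listing.
setlocal
set PATHTOFIXES=C:\Install\Patches

rem Stop before installing anything if qchain.exe was not extracted here,
rem because the hotfixes must not be left installed without the qchain pass.
if not exist "%PATHTOFIXES%\qchain.exe" (
    echo qchain.exe not found in %PATHTOFIXES%, nothing was installed.
    goto :eof
)

set COUNT=0
for %%F in ("%PATHTOFIXES%\q*_w2k_*_x86_en.exe") do call :install "%%F" "%%~nxF"

echo Ran %COUNT% hotfix packages, now running qchain.
"%PATHTOFIXES%\qchain.exe"
echo Reboot the system now.
goto :eof

:install
rem %1 = full path of the package, %2 = file name only.
rem The qfecheck download matches the pattern but is a tool, not a hotfix
rem from the scan, so skip it if it was saved in the same folder.
if /i "%~2"=="Q282784_W2K_SP3_x86_en.EXE" goto :eof
echo Installing %~2
rem -z = do not reboot after this package, -m = quiet mode
"%~1" -z -m
set /a COUNT+=1
goto :eof
```

Compare the count it prints with the number of hotfixes the security check reported; a mismatch means a download is missing or named differently.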
We’re finally getting ready to do the deed. Open a command prompt window and go to the directory where you saved the patches and the batch file.
Performing the actual installation is pretty anticlimactic. Type patch.bat at the command prompt and press Enter. You’ll see a few file copy dialog boxes flashing by, and eventually be returned to a new command prompt line which indicates that all went well. Now you immediately need to reboot the system!
Once your machine is rebooted, open another command prompt window. If you are running Windows 2000 or XP, and if you installed the hotfix verification tool qfecheck.exe, you can now make sure that everything went as planned. Type qfecheck -v (the ‘v’ stands for verbose) and press Enter. After a few seconds you’ll see the service pack and a list of installed hotfixes.
Alternatively, you can return to the Microsoft Baseline Security Analyzer web site and run the security check again. It should now come up clean and not require any hotfixes.
If you ever want or need to uninstall any of the hotfixes, you can do so by going to Start / Settings / Control Panel / Add/Remove Programs. All hotfixes will be listed here.
Tip: If you have a Zip drive or CD burner, take a few extra minutes to save/burn the entire patch directory for safekeeping. That way you’ll be prepared for when you do your next clean install. After installing the OS and applying the service pack, simply copy the directory back to the hard drive, run the batch file, and reboot.
You have successfully batch-installed the hotfixes for your system. Even though you spent a few extra minutes downloading and installing the qchain tool and creating the batch file, you saved yourself probably an hour or so in reboot time, making this little operation more than worthwhile.
Now that the operating system is fortified, let’s move on to the next level of security: virus protection.