Now Featuring the Latest Version!: Basic Patch Management for Basic Software

Presented by Francis Beaumier, IT Specialist, Brown County Library, at WiLSWorld 2016 on August 2nd, 2016.

Our public computer setup is fairly typical: Windows computers kept off of the private network and thus disconnected from any central management. We run freezing software to keep the machines at a known state and keep software updates off because they wouldn’t stick anyway. Fast forward a few months and Firefox, Flash, and Java are all several versions out of date. And the customers are starting to notice: Facebook requires a newer version of Flash for the new selfie cam feature, Java refuses to run code on an assessment site because it knows it’s outdated, and Gmail kindly points out that the version of Firefox in use is now no longer supported. Learn how we put an end to this madness by creating a simple patch management system built on PowerShell, PHP, MAKEMSI, Orca, and a little bit of AutoIt, VB, and Batch file scripting. You will see how we progressed from sharing four updates to seven machines to serving half a GB of updates (including Acrobat Reader, Adobe Air, Firefox, Flash, Java, Paint.NET, Shockwave, Skype and more) in six different update “channels” county-wide, all on a $0 budget. All of our source code will be made available to you and discussed in enough detail during the presentation that you’ll be able to get up and running quickly at your own library. We’ll discuss our approach to dealing with small hard drives and fickle Internet connections. You’ll learn some of our missteps along the way. You’ll get to know our current system’s quirks and limitations. Finally, I’ll discuss some techniques and workarounds for getting even the most stubborn patches installed.


  1. BASIC PATCH MANAGEMENT FOR BASIC SOFTWARE: NOW FEATURING THE LATEST VERSION
     Francis Beaumier, IT Specialist, Brown County Library
     515 Pine Street, Green Bay, WI 54301
     Phone: 920-448-5863
     beaumier_fj@co.brown.wi.us
  2. ORGANIZATIONAL BACKGROUND
     • Part of Brown County
     • Use of county’s Technology Services department
     • Getting new software is a process
     • Public computers
     • Windows machines on a physically separate and all wireless network
     • No central management
     • Freezing software
     • … No updates besides Microsoft ones
  3. STARTING POINTS
     • Computers already left on weekly for Windows updates
     • Windows Task Scheduler
     • Public computers can talk to other public computers
     • MSIs can be installed silently
     • Compare-Object cmdlet
     • Windows 7 computers all come with a version of PowerShell
     • Web server available
  4. CLIENTS.PS1
     ```powershell
     $URL = "http://www.example.org/updates/Updater.ps1"
     $Output = "C:\Updater\Updater.ps1"
     #Download the Updater.ps1 file
     (New-Object System.Net.WebClient).DownloadFile($URL,$Output);
     #Call the downloaded script
     Powershell.exe -File $Output
     ```
  5. ORIGINAL UPDATER.PS1
     ```powershell
     $sourceFolder = "\\172.17.101.210\updates$"
     $targetFolder = "c:\updates"
     $sourceItem = Get-ChildItem -Path $sourceFolder
     $targetItem = Get-ChildItem -Path $targetFolder
     #if *Item is empty, provide empty array to make Compare-Object work.
     if (-not $sourceItem) {$sourceItem = @()}
     if (-not $targetItem) {$targetItem = @()}
     $differentitems = Compare-Object $sourceItem $targetItem -Property Name, LastWriteTime, Length | where { $_.SideIndicator -eq "<=" }
     #Copy the items that are different to the client PC
     Set-Location $sourceFolder
     $differentitems | foreach {Copy-Item -Destination $targetFolder -Path $_.Name}
     #Start the installation process of each update package that was copied
     Set-Location $targetFolder
     $differentitems | foreach { Start-Process -FilePath $_.Name -ArgumentList "/q" -Wait }
     #Reboot the computer after the installs are complete
     Restart-Computer
     ```
  6. UPDATER.PS1
     ```powershell
     $source="http://www.example.org/updates/" #web server address
     $targetFolder="c:\updates\" #local file destination (trailing backslash: file names are appended to it)
     $webClient = New-Object System.Net.WebClient
     $updates = $webClient.DownloadString($source).Split("`n")
     # Web server listing -> object -> array
     $sourceItem= @()
     foreach ($update in $updates) {
         $file,$mod = $update.Split(",");
         $sourceItem += New-Object -TypeName PSObject -Prop @{'Name'=$file; 'LastWriteTime'= Get-Date $mod };
     }
     $targetItem = Get-ChildItem -Path $targetFolder
     #if targetItem is empty, provide empty array to make Compare-Object work.
     if (-not $targetItem) {$targetItem = @()}
     $differentitems = Compare-Object $sourceItem $targetItem -Property Name, LastWriteTime | where { $_.SideIndicator -eq "<=" }
     ```
  7. UPDATER.PS1 (CONTINUED)
     ```powershell
     Set-Location $targetFolder
     foreach ($item in $differentitems) {
         #Copy the items that are different to the client PC
         $webClient.DownloadFile($source+$item.Name, $targetFolder+$item.Name)
         #Start the installation process of the update package that was copied
         Start-Process -FilePath $item.Name -ArgumentList "/q /norestart" -Wait
         #Change the date modified to match what the server says so that the
         #compare works on the next run
         (Get-Item ($targetFolder+$item.Name)).LastWriteTime= $item.LastWriteTime
     }
     ```
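  8. INDEX.PHP
     ```php
     <?php
     // set time zone so that date modified is accurate
     date_default_timezone_set('America/Chicago');
     // every file in this folder except the listing script, the error log and the updater itself
     $updateList = array_diff(scandir('.'), array('..', '.', 'index.php', 'error_log', 'Updater.ps1'));
     $out = '';
     foreach ($updateList as $file) {
         // one line per update: URL-encoded file name, comma, date modified
         $out .= rawurlencode($file) . ',' . date('Y-m-d G:i:s', filemtime($file)) . "\n";
     }
     print rtrim($out, "\n");
     ?>
     ```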
  9. INDEX.PHP OUTPUT
  10. GOOD TO GO UPDATES
      • Adobe Acrobat Reader patches
      • Flash
      • Shockwave
  11. SERVER INSTALLATION
      1. Make a folder with Updater.ps1, index.php, and the updates that you want.
      2. Make sure your server has PHP, is configured to serve that folder and use index.php as your directory index.
  12. CLIENT INSTALLATION
      1. Set power settings
      2. Create Updater and Updates folders in C:
      3. Allow PowerShell to run unsigned scripts: set-executionpolicy bypass
      4. Copy Clients.ps1 to the Updater folder
      5. Create a scheduled task to run the Updater during your maintenance window.
  13. SCHEDULING THE UPDATER (figure with callouts 1, 2, 3, 4)
  14. SCHEDULING THE UPDATER II
  15. SCHEDULING THE UPDATER III
  16. MSI HACKING WITH ORCA: SKYPE
      • Skype MSI: http://www.skype.com/go/getskype-msi
      • Orca: https://www.microsoft.com/en-us/download/details.aspx?id=3138
      • In the Property table,
        • change ProductCode to something new.
        • change InstallUpdatesEnabled to #0
  17. MSI HACKING WITH ORCA: ADOBE ACROBAT READER
      • Change EULA_ACCEPT to YES in the Property table.
  18. ADVANCED MSI HACKING WITH ORCA: JAVA (* THERE’S AN EASIER WAY)
      • Get the .exe from the vendor. Run it but do not click through the wizard.
      • Retrieve the MSI from %userprofile%\appdata\LocalLow\Oracle\Java\jre1.8.0_xx (where xx is the update number)
      • Make the following edits in Orca:
        • In the CustomAction table, change the Type of installexe to 3090. This adjusts the permissions requested by the installer.
  19. ADVANCED MSI HACKING WITH ORCA: JAVA II
      • The changes on the previous slide will get you going. The rest of these instructions take care of removing previous versions.
      • Make the following edits in Orca:
        • In the InstallExecuteSequence table, change the condition for FindRelatedProducts and RemoveExistingProducts to 1=1. This forces those two actions to run.
  20. ADVANCED MSI HACKING WITH ORCA: JAVA III
      • Add an entry for each version of Java you wish to uninstall in the Upgrade table:
        • UpgradeCode: you’ll need the one for your Java version
        • VersionMin – 0.0.0.0 (any version ≥ 0)
        • VersionMax – leave blank to use only VersionMin as criteria
        • Language – blank = any
        • Attributes – a set of flags. 256 seems to work for me
        • Remove – ALL means all
        • ActionProperty – a variable of your choice – must be unique and must be added to the SecureCustomProperties variable in the Property table. I chose FRANCIS1
  21. HOW DO I TRACK DOWN A JAVA UPGRADE CODE?
      • If you have the MSI, open it in Orca
      • Otherwise, if you have a machine with it installed:
        • Go to C:\Windows\Installer
        • Right click the column headings and add Authors
        • Find the .msi authored by Oracle
        • Open it in Orca
      • Go to the Property table, and you’ll find the UpgradeCode property.
  22. ADVANCED MSI HACKING WITH ORCA: JAVA IV
      • Go to the Property table and add/change the following:
        • JAVAUPDATE=0
        • AUTOUPDATECHECK=0
        • JU=0
      • In SecureCustomProperties, add your custom variables from part III
  23. SO YOU NEED SOME MSIs?
      • Make them!
      • Be leery of packing software…
  24. ROLL YOUR OWN MSI WITH MAKEMSI: FIREFOX
      • MAKEMSI: dennisbareis.com
      • Standard Firefox installer

      Firefox.ver
      ```
      ; ProductName = Firefox
      ; DESCRIPTION = Install Firefox
      ; Installed = WINDOWS_ALL
      VERSION : 47.0.1
      DATE : 19 Nov 2015
      CHANGES : nothing
      ```
      Firefox.mm
      ```
      #define COMPANY_WANT_TO_INSTALL_DOCUMENTATION N ;; no docs
      #include "ME.MMH" ;; required files

      ; install firefox
      <$WrapInstall EXE="Firefox Setup 47.0.1.exe" Args='-ms' SeqI="<-InstallFinalize">

      ; dummy component - the MSI needs to have something to install
      <$Component "dummy" Create="Y" Directory_="<$AnyDir>">
      <$/Component>

      ; filter validation errors
      <$MsiValFilter "ICE71">
      ```
  25. BROWN COUNTY LIBRARY FIREFOX
      ```
      #define COMPANY_AUTO_UNINSTALL_VIA_UPGRADE_TABLE N ;; nothing to uninst
      #define COMPANY_WANT_TO_INSTALL_DOCUMENTATION N ;; no docs
      #define COMPANY_REINSTALLMODE ;; leave blank to avoid validation issue
      #define UISAMPLE_DISABLE_COMPLETELY Y ;; disable MSI UI customizations
      #define DBG_ALL N
      #include "ME.MMH" ;; required files

      ; do not register this installer in Add/Remove Programs
      <$Table "InstallExecuteSequence">
         <$RowsDelete WHERE="Action = 'PublishComponents'">
         <$RowsDelete WHERE="Action = 'PublishFeatures'">
         <$RowsDelete WHERE="Action = 'PublishProduct'">
         <$RowsDelete WHERE="Action = 'RegisterProduct'">
         <$RowsDelete WHERE="Action = 'RegisterUser'">
      <$/Table>

      ; fast install
      <$Table "Property">
         <$Row Property="MSIFASTINSTALL" Value="3">
      <$/Table>
      ```
  26. BROWN COUNTY LIBRARY FIREFOX II
      ```
      ; install firefox
      <$WrapInstall EXE="Firefox Setup 47.0.1.exe" Args='-ms' SeqI="<-InstallFinalize">

      ; install BCL settings
      #(
         <$DirectoryTree Key="INSTALLDIR" Dir="c:\program files\Mozilla Firefox"
            CHANGE="" PrimaryFolder="Y">
      #)
      <$Files "files\moz*" DestDir="INSTALLDIR">
      #(
         <$DirectoryTree Dir="c:\program files\Mozilla Firefox\browser"
            Key="INSTALLDIR2" CHANGE="" PrimaryFolder="Y">
      #)
      <$Files "files\override.ini" DestDir="INSTALLDIR2">
      #(
         <$DirectoryTree Dir="c:\program files\Mozilla Firefox\defaults\pref"
            Key="INSTALLDIR3" CHANGE="" PrimaryFolder="Y">
      #)
      <$Files "files\local-settings.js" DestDir="INSTALLDIR3">
      ```
  27. BROWN COUNTY LIBRARY FIREFOX III
      ```
      <$VbsCa Binary="ADRC.vbs">
         <$VbsCaEntry "ADRC">
            DoIt()
         <$/VbsCaEntry>
         <?NewLine><?NewLine>
         sub DoIt()
            Dim wshNetwork, fso
            Set wshNetwork = CaMkObject("WScript.Network")
            If InStr(wshNetwork.ComputerName,"ADRC") > 0 Then
               Set fso = CaMkObject("Scripting.FileSystemObject")
               If fso.FileExists("C:\Program Files (x86)\Mozilla Firefox\mozilla.cfg") Then
                  fso.DeleteFile("C:\Program Files (x86)\Mozilla Firefox\mozilla.cfg")
                  fso.MoveFile "mozilla-adrc.cfg","mozilla.cfg" ' will need full path
               Else
                  fso.DeleteFile("C:\Program Files\Mozilla Firefox\mozilla.cfg")
                  fso.MoveFile "mozilla-adrc.cfg","mozilla.cfg" ' will need full path
               End If
               set fso = Nothing
            End If
            set wshNetwork = Nothing
         end sub
      <$/VbsCa>
      ```
  28. BROWN COUNTY LIBRARY FIREFOX IV
      ```
      #(
         <$VbsCaSetup Binary="ADRC.vbs" Entry="ADRC" Seq="InstallFinalize-"
            CONDITION=^<$CONDITION_EXCEPT_UNINSTALL>^ Type="IMMEDIATE">
      #)

      ; ignore validation errors
      <$MsiValFilter "ICE82">
      ```
  29. AIR
      • Problem: AdobeAirInstaller.exe uses an MSI internally, so wrapping it in an MSI won’t work
      • My solution: AutoIT: https://www.autoitscript.com
      ```autoit
      #RequireAdmin
      #NoTrayIcon
      #include <MsgBoxConstants.au3>
      ;MsgBox($MB_SYSTEMMODAL, "", "copying file")
      FileInstall ( ".\AdobeAirInstaller.exe", "c:\windows\temp\", 1)
      ;MsgBox($MB_SYSTEMMODAL, "", "installing air")
      RunWait('c:\windows\temp\AdobeAirInstaller.exe -silent' _
           & ' -eulaAccepted', "", @SW_HIDE)
      ;MsgBox($MB_SYSTEMMODAL, "", "deleting air")
      FileDelete ( "c:\windows\temp\AdobeAirInstaller.exe" )
      ```
  30. BATCH FILE EXAMPLE: INSTALLING WIRELESS PROFILES
      ```
      #include "..\francis.mmh"

      ; files to install
      #(
         <$DirectoryTree Dir="c:\users\libadmin\desktop\wifi-profiles"
            Key="INSTALLDIR" CHANGE="" PrimaryFolder="Y">
      #)
      <$Files "wifi-profiles\*.*" DestDir="INSTALLDIR">

      ; script to run after installation
      <$VbsCa Binary="Postflight.vbs">
         <$VbsCaEntry "Postflight">
            dim WshShell : Set WshShell = CaMkObject("WScript.Shell")
            WshShell.Run "C:\users\libadmin\desktop\wifi-profiles\import.bat", , TRUE
            set WshShell = Nothing
         <$/VbsCaEntry>
      <$/VbsCa>
      #(
         <$VbsCaSetup Binary="Postflight.vbs" Entry="Postflight"
            Seq="InstallFinalize-" CONDITION="" Type="IMMEDIATE">
      #)
      ```
  31. JAVA THE MAKEMSI WAY
      ```
      #include "OpenMsi.MMH"
      <$Msi "outJava.msi" template="Java.msi">
         <$Table "CustomAction">
            <$Row @Where="Action='installexe'" Type="3090">
         <$/Table>
         <$Table "InstallExecuteSequence">
            <$Row @Where="Action='FindRelatedProducts' or Action='RemoveExistingProducts'" Condition="1=1">
         <$/Table>
         <$Table "Upgrade">
            <$Row UpgradeCode="{57BDA5C6-443C-4D65-B233-282393218045}" VersionMin="0.0.0.0" Attributes="256">
         <$/Table>
         <$Table "Property">
            <$Row @Where="Property='SecureCustomProperties'" @SelfRef="{*}" *Value=^"FRANCIS1;"&{*}^>
            <$Row Property="JAVAUPDATE" Value="0">
            <$Row Property="AUTOUPDATECHECK" Value="0">
            <$Row Property="JU" Value="0">
         <$/Table>
      <$/Msi>
      <$MsiValFilter "ICE03|ICE61" Re="Y"> ; filter validation errors
      ```
  32. MORE POSSIBILITIES
      • Different update branches
      • Error checking / hashes
      • Reporting
  33. BROWN COUNTY LIBRARY’S SOFTWARE UPDATE LIBRARY
      • Adobe Air
      • Adobe Flash (Active X)
      • Adobe Flash (Plug-in)
      • Adobe Reader
      • Adobe Shockwave
      • Arduino
      • Google Earth
      • HP Universal Print Driver
      • Kyocera KX Print Driver
      • Mozilla Firefox
      • Oracle Java
      • Netloan (our PC reservation software)
      • Paint.NET
      • Skype
      • WebEx Player
  34. DEMO/QUESTIONS
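
One way to implement the "Error checking / hashes" item from the MORE POSSIBILITIES slide, as an added example that is not part of the original presentation: a replacement for the download-and-install loop in Updater.ps1 that checks each file against a SHA-256 manifest before running it. The `manifest.csv` file and its format, the log file and the function names are assumptions; `$differentitems` is the Compare-Object result computed earlier in Updater.ps1.

```powershell
# Added example, not part of the original slides.
# Assumption: the server publishes manifest.csv, one "<name as listed by index.php>,<SHA-256 hex>" per line.
$source       = "http://www.example.org/updates/"      # web server address (from the slides)
$targetFolder = "c:\updates\"                          # local file destination
$logFile      = Join-Path $targetFolder "updater.log"  # hypothetical log file
$webClient    = New-Object System.Net.WebClient

# SHA-256 via .NET, so it also runs on the PowerShell 2.0 that ships with Windows 7
function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { return [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace("-", "") }
    finally { $stream.Dispose() }
}

# Parse the manifest text into a name -> hash table; malformed lines are ignored
function Read-Manifest([string]$Text) {
    $table = @{}
    foreach ($line in $Text.Split("`n")) {
        $fields = $line.Trim().Split(",")
        if ($fields.Length -eq 2 -and $fields[1] -match '^[0-9A-Fa-f]{64}$') {
            $table[$fields[0]] = $fields[1].ToUpper()
        }
    }
    return $table
}

# Download under a temporary name, verify, and only then install
function Install-VerifiedUpdate([string]$Name, [hashtable]$Expected) {
    $final = Join-Path $targetFolder $Name
    $part  = "$final.part"
    if ($Name -match '[\\/:]' -or -not $Expected.ContainsKey($Name)) {
        Add-Content $logFile "$(Get-Date -Format s) SKIP $Name (not a plain file name or not in manifest)"
        return $false
    }
    $webClient.DownloadFile($source + $Name, $part)
    if ((Get-Sha256Hex $part) -ne $Expected[$Name]) {
        Remove-Item -LiteralPath $part -Force
        Add-Content $logFile "$(Get-Date -Format s) REJECT $Name (hash mismatch)"
        return $false
    }
    Move-Item -LiteralPath $part -Destination $final -Force
    $proc = Start-Process -FilePath $final -ArgumentList "/q /norestart" -Wait -PassThru
    Add-Content $logFile "$(Get-Date -Format s) INSTALL $Name exit=$($proc.ExitCode)"
    return (@(0, 3010) -contains $proc.ExitCode)   # 3010 = success, reboot required
}

$expected = Read-Manifest ($webClient.DownloadString($source + "manifest.csv"))
foreach ($item in @($differentitems | Where-Object { $_ })) {
    if (Install-VerifiedUpdate $item.Name $expected) {
        # keep the slides' timestamp sync so the next comparison sees the file as current
        (Get-Item (Join-Path $targetFolder $item.Name)).LastWriteTime = $item.LastWriteTime
    }
}
```

Fetched over the same plain-HTTP channel as the updates, the manifest catches truncated or corrupted downloads; to also resist tampering in transit it has to arrive over an authenticated channel such as HTTPS.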
