Channel: LANDESK User Community : Popular Discussions - Patch Manager

Scripted vulscan - detect if anything got patched


Hello.

 

I have a VBScript that basically uses vulscan.exe to patch servers, and I've then built some additional features into the script to handle various situations in my environment. One of the features is reboot detection/action/tracking, but I'd like to improve that part by detecting whether the vulscan process actually installed any patches or not.

 

How do I in a reliable way (via my VBscript, of course) detect if vulscan installed any patches?

 

I'm currently checking 2 things, but this unfortunately doesn't cover all scenarios:

 

  • Check for the presence of the HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\WinClient\VulscanReboot key.
    If an installed patch requires a reboot, then this key will be present along with a list of the patches that require a reboot.

  • Count the number of files with certain extensions (exe, msp, msu, msi and such) in the sdmcache folder before and after running vulscan.
    If there's a difference, then something got downloaded and most likely installed. (Vulnerabilities that can be fixed without downloading a patch are not relevant to this discussion.)

 

Not all patches require a reboot, and in that case the first point won't detect the install (since no reboot is required), but the second point would. The problem with that logic is that it will fail if a patch for whatever reason fails to install on the first attempt and you then run the script a second time to try installing it again. This time, the patch file is already cached, so the number of files in the sdmcache folder does not change, and if the patch is now installed successfully and doesn't require a reboot, then I won't be able to detect that something got installed.

 

The only method I can think of is reading the vulscan.log file once the vulscan.exe process terminates and searching for the lines "x patches were found to run" and "RunPatches completed.  x processed.  y installed.  z failures.". If those are present, then something got installed.

 

Is there an easier way?

 

Thanks in advance.
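As an added example (not part of the original post and not LANDESK code), the log-parsing approach described above, worked through in Python so it can be run offline; the same regular expressions port directly to VBScript's VBScript.RegExp object. Only the two quoted phrases come from the post. The surrounding format of vulscan.log lines (timestamps, thread ids, file encoding) is not shown there and is assumed to be irrelevant to matching, the sample log excerpts are constructed, and whether vulscan appends to or overwrites the log is unknown, so the parser records only the last run it sees and a helper reads just the bytes written after a recorded file offset. The names VulscanSummary, parse_vulscan_log, parse_log_since and outcome are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The two log phrases quoted in the post. The rest of vulscan.log's line
# format is not shown there, so the patterns anchor only on the phrases
# themselves and tolerate variable whitespace between the counters.
FOUND_RE = re.compile(r"(\d+) patches were found to run")
SUMMARY_RE = re.compile(
    r"RunPatches completed\.\s+(\d+) processed\.\s+(\d+) installed\.\s+(\d+) failures\."
)


@dataclass
class VulscanSummary:
    """Counters recovered from the most recent RunPatches cycle in the log."""
    found: Optional[int] = None
    processed: Optional[int] = None
    installed: Optional[int] = None
    failures: Optional[int] = None

    @property
    def complete(self) -> bool:
        # Only trust the counters once the "RunPatches completed" line was
        # seen; without it vulscan may still be running or died mid-run.
        return self.processed is not None

    @property
    def anything_installed(self) -> bool:
        return bool(self.installed)


def parse_vulscan_log(text: str) -> VulscanSummary:
    """Return the counters for the last run present in the given log text.

    Each "patches were found to run" line starts a fresh summary, so if the
    log is appended to across runs the result describes the latest run only.
    """
    summary = VulscanSummary()
    for line in text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            summary = VulscanSummary(found=int(m.group(1)))
            continue
        m = SUMMARY_RE.search(line)
        if m:
            summary.processed, summary.installed, summary.failures = (
                int(g) for g in m.groups()
            )
    return summary


def parse_log_since(path: str, start_offset: int) -> VulscanSummary:
    """Parse only what vulscan wrote after start_offset.

    Record os.path.getsize(path) (0 if the file does not yet exist) before
    launching vulscan.exe and pass it here afterwards. A retry of a patch
    that failed earlier is then judged on its own log output, which is the
    case the sdmcache file count cannot distinguish. If the file is shorter
    than the offset the log was truncated or rotated, so it is read whole.
    Encoding is assumed to be UTF-8 compatible; undecodable bytes are replaced.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) < start_offset:
        start_offset = 0
    return parse_vulscan_log(data[start_offset:].decode("utf-8", errors="replace"))


def outcome(summary: VulscanSummary) -> str:
    """Collapse the counters into the states a reboot-tracking script needs."""
    if not summary.complete:
        return "no-summary"      # vulscan still running, crashed, or log missing
    if summary.anything_installed:
        return "installed"       # at least one patch went on, reboot may be pending
    if summary.failures:
        return "all-failed"      # everything that ran failed; retry later
    return "nothing-to-do"       # nothing was found or processed


# Constructed sample log excerpts, not real vulscan.log captures; only the
# two quoted phrases are taken from the post.
FIRST_RUN = """\
3 patches were found to run
RunPatches completed.  3 processed.  2 installed.  1 failures.
"""
RETRY_RUN = """\
1 patches were found to run
RunPatches completed.  1 processed.  1 installed.  0 failures.
"""
NOTHING_TO_DO = """\
0 patches were found to run
RunPatches completed.  0 processed.  0 installed.  0 failures.
"""
ALL_FAILED = """\
2 patches were found to run
RunPatches completed.  2 processed.  0 installed.  2 failures.
"""

if __name__ == "__main__":
    for name, text in [("first run", FIRST_RUN), ("retry", RETRY_RUN),
                       ("nothing to do", NOTHING_TO_DO), ("all failed", ALL_FAILED)]:
        print(f"{name:14s} -> {outcome(parse_vulscan_log(text))}")
    # An appended log should report the retry, not the earlier run.
    print(f"{'appended':14s} -> {parse_vulscan_log(FIRST_RUN + RETRY_RUN)}")
```

The retry case is the one the file-count check misses: the cached patch downloads nothing, but the summary line still reports "1 installed", so the script can set its reboot-tracking state from the log alone. Treating a missing summary line as "no-summary" rather than "nothing installed" keeps a crashed or still-running vulscan from being mistaken for a clean run.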

