Windows 7 / Getting Started

MBSACLI Location

The Mbsacli.exe file is located in the \Program Files\Microsoft Security Baseline Analyzer 2\ folder when MBSA is installed. You need to specify this path when executing MBSACLI.

Just as MBSA must be run with administrative permissions, MBSACLI also needs administrative permissions. When running the command from the command prompt, launch it with administrative permissions by right-clicking Command Prompt and selecting Run as Administrator.

As a simple way to see MBSACLI in action, you can execute the following command:

"C:\Program files\Microsoft Baseline Security Analyzer 2\mbsacli" i ↵
/target localhost

Note Even though the previous code is shown on two lines it should be entered on a single line.

Since the path and command contain spaces, they must be enclosed in quotes. The /target switch is used to identify the computer to check. Localhost is resolved to the computer from where it's run using the host fi le (located at C:\Windows\System32\Drivers\etc\).

Note The /target switch is useful when running MBSACLI against a remote computer However, it can be omitted If MBSACLI is run without the /target switch, MBSACLI will run on the local computer.

Some of the common switches used with MBSACLI are shown in Table below. As with any command-prompt tool, you can redirect the output to a text fi le using the redirect symbol (>). For example, the following command runs the same report as shown in the previous command but redirects it to a text file named mbsacli.txt.

"C:\Program files\Microsoft Baseline Security Analyzer 2\mbsacli" ↵
/target localhost > mbsacli.txt

Note Even though the previous code is shown on two lines it should be entered on a single line.

MBSACLI switches

SwitchDescription
/targetUse this to identify the target computer where MBSACLI will run. You can specify the target as a hostname or an IP address.
Mbsacli /target 192.168.1.10
/rUse this to specify a range of IP addresses Both the beginning IP address and the ending IP address are specified.
Mbsacli /r 192.168.1.10-192.168.1.20
/listfileYou can create a file with a list of computers or a list of IP addresses and then direct MBSACLI to run the command against all the computers in the list. The following command assumes a file named computers.txt exists in the current directory.
Mbsacli /listfile computers.txt
/dUse this to specify the domain name in which to run MBSACLI against all computers in the domain. The domain name needs to be expressed as a NETBIOS name (single name).
Mbsacli /d
/nYou can use the /n option to exclude specific tests Valid options are OS, SQL, IIS, Updates, and Password. You can exclude more than one option by adding the + with no spaces. The following command will run the check on the local system and exclude the SQL and IIS checks.
Mbsacli /target localhost /n SQL+IIS
/ndThis switch can be used to tell MBSACLI to not download any updates from the Internet It will just use the current version of the cabinet files
/waThis specifies that only results that have been approved on the WSUS server should be checked. Append this switch to commands that scan the domain or a range of IP addresses.
/wiThis specifies that all updates should be checked even if not approved by the WSUS server. Append this switch to commands that scan the domain or a range of IP addresses.
/uYou can specify a specific user name to use to perform the scan.
/pWhen specifying a user name, you must also provide a password with the /p switch.
/catalog filenameYou can specify the location of the wsusscn2.cab file using the catalog switch. This is useful if you've downloaded the cabinet file and stored it in a central location (such as a share on a server) and mapped the share.
Mbsacli /catalog z:\wsusscn2.cab
/nvcThe no-version-check switch will prevent MBSA from checking to see if a newer version is available. It is often used with the /catalog switch.
Mbsacli /catalog z:wsusscn2.cab /nvc
/iaThis switch will update any prerequisite Windows Update Agent components during a scan and is also often used with the /catalog switch.
Mbsacli /catalog z:wsusscn2.cab /nvc /ia
/lThis shows a list of reports available on this system. The output list includes Computer Name, IP Address, Assessment, and Report Name columns. The Report Name column can be used to identify report names that are needed for other list switches such as the /lr and /ld switches.
Mbsacli /l
/lsThis shows a list of reports available from the most recent scan.
Mbsacli /ls
/lrThis displays an overview of a specific report. The report name must be used and can be determined with the /l switch.
Mbsacli /lr reportName
/ldThis displays a detailed output from a specific report. The report name must be used and can be determined with the /l switch.
Mbsacli /ld reportName

Microsoft has created a free download that includes several sample scripts you can use to accelerate your learning and use of the MBSACLI The current version is called mbsa2samples.exe and can be located on Microsoft's download site (www.microsoft.com/downloads) by searching for "MBSA scripts " Just be aware that any script that references the wsusscan.cab file needs to be modified to use the wsusscn2.cab file (or the wsusscn2.cab file needs to be renamed as wsusscan.cab) The older wsusscan.cab file has not been updated since March 2007.

[Previous] [Contents] [Next]

In this tutorial:

  1. Windows 7 and Other software Up to Date
  2. Understanding Windows Live
  3. Updates versus upgrades
  4. Why updates are important
  5. Windows Update
  6. Windows Update: The essentials
  7. Types of Updates
  8. Completing an Update
  9. Configuring automatic Updating
  10. Windows Update Applet and Functions
  11. Manually Install Updates Using Windows Update
  12. Action Center
  13. Updates Do Not Install Properly
  14. Other Windows Update Settings
  15. Configuring Windows 7 Update to Use a Proxy Server
  16. Can't Find Hidden Update
  17. Viewing and Changing Installed Updates
  18. Can't Uninstall Current Update
  19. Upgrade Windows Anytime
  20. Understanding Windows Server Update Services
  21. Windows Update Policies
  22. Updating Drivers
  23. Using Device Manager to Update Drivers
  24. Windows Update Driver Settings
  25. Windows 7 Service Packs
  26. Basic Service Pack Information
  27. Installation of Service Packs
  28. Installing and Removing Software
  29. Installation via CD or DVD
  30. Problem Installing from Disc
  31. Installation via Downloaded Program
  32. Viewing and Changing Programs
  33. Uninstalling Software
  34. Compatibility Issues in 64-Bit Version
  35. Upgrade Issues with 64-Bit Windows 7
  36. Other Program Compatibility Issues
  37. Side-by-Side Installs and Virtual Registries
  38. Removing Updates from Windows 7
  39. Thwarting Exploits with DEP
  40. Microsoft Baseline Security Analyzer
  41. Picking Computers to Scan
  42. Vulnerability Checks
  43. Installing MBSA
  44. Running the MBSA
  45. Running the MBSACLI
  46. MBSACLI Location
  47. Running in an Isolated Environment
  48. Using Windows Server Update Services
  49. WSUS Updates
  50. WSUS Requirements
  51. Installing, Configuring, and Using WSUS
  52. Adding the Application Server and Web Server (IIS) Roles
  53. Installing the Report Viewer
  54. Installing WSUS
  55. Configuring Group Policy Settings for WSUS
  56. Creating a GPO to Configure Clients to Use WSUS
  57. Verifying That Clients Are Using GPO Settings for WSUS
  58. Verifying That Clients Are Using GPO Settings with GPResult
  59. Creating Computer Groups on WSUS
  60. Approving Updates in WSUS
  61. Viewing WSUS Reports