MBSACLI Location
The Mbsacli.exe file is located in the \Program Files\Microsoft Security Baseline Analyzer 2\ folder when MBSA is installed. You need to specify this path when executing MBSACLI.
Just as MBSA must be run with administrative permissions, MBSACLI also needs administrative permissions. When running the command from the command prompt, launch it with administrative permissions by right-clicking Command Prompt and selecting Run as Administrator.
As a simple way to see MBSACLI in action, you can execute the following command:
"C:\Program files\Microsoft Baseline Security Analyzer 2\mbsacli" i ↵
/target localhost
Note Even though the previous code is shown on two lines it should be entered on a single line.
Since the path and command contain spaces, they must be enclosed in quotes. The /target switch is used to identify the computer to check. Localhost is resolved to the computer from where it's run using the host fi le (located at C:\Windows\System32\Drivers\etc\).
Note The /target switch is useful when running MBSACLI against a remote computer However, it can be omitted If MBSACLI is run without the /target switch, MBSACLI will run on the local computer.
Some of the common switches used with MBSACLI are shown in Table below. As with any command-prompt tool, you can redirect the output to a text fi le using the redirect symbol (>). For example, the following command runs the same report as shown in the previous command but redirects it to a text file named mbsacli.txt.
"C:\Program files\Microsoft Baseline Security Analyzer 2\mbsacli" ↵
/target localhost > mbsacli.txt
Note Even though the previous code is shown on two lines it should be entered on a single line.
MBSACLI switches
Switch | Description |
/target | Use this to identify the target computer where MBSACLI will run.
You can specify the target as a hostname or an IP address.Mbsacli /target 192.168.1.10 |
/r | Use this to specify a range of IP addresses Both the beginning IP
address and the ending IP address are specified.Mbsacli /r 192.168.1.10-192.168.1.20 |
/listfile | You can create a file with a list of computers or a list of IP addresses and then direct MBSACLI to run the command against all the computers
in the list. The following command assumes a file named computers.txt exists in the current directory.Mbsacli /listfile computers.txt |
/d | Use this to specify the domain name in which to run MBSACLI against all computers in the domain. The domain name needs to
be expressed as a NETBIOS name (single name).Mbsacli /d |
/n | You can use the /n option to exclude specific tests Valid options are OS, SQL, IIS, Updates, and Password. You can exclude more than one
option by adding the + with no spaces. The following command will run the check on the local system and exclude the SQL and IIS checks.Mbsacli /target localhost /n SQL+IIS |
/nd | This switch can be used to tell MBSACLI to not download any updates from the Internet It will just use the current version of the cabinet files |
/wa | This specifies that only results that have been approved on the WSUS server should be checked. Append this switch to commands that scan the domain or a range of IP addresses. |
/wi | This specifies that all updates should be checked even if not approved by the WSUS server. Append this switch to commands that scan the domain or a range of IP addresses. |
/u | You can specify a specific user name to use to perform the scan. |
/p | When specifying a user name, you must also provide a password with the /p switch. |
/catalog filename | You can specify the location of the wsusscn2.cab file using the catalog
switch. This is useful if you've downloaded the cabinet file and stored it in a central location (such as a share on a server) and mapped the share.Mbsacli /catalog z:\wsusscn2.cab |
/nvc | The no-version-check switch will prevent MBSA from checking to see if
a newer version is available. It is often used with the /catalog switch.Mbsacli /catalog z:wsusscn2.cab /nvc |
/ia | This switch will update any prerequisite Windows Update Agent
components during a scan and is also often used with the /catalog switch.Mbsacli /catalog z:wsusscn2.cab /nvc /ia |
/l | This shows a list of reports available on this system. The output list includes Computer Name, IP Address, Assessment, and Report
Name columns. The Report Name column can be used to identify report names that are needed for other list switches such as the /lr and /ld switches.Mbsacli /l |
/ls | This shows a list of reports available from the most recent scan.Mbsacli /ls |
/lr | This displays an overview of a specific report. The report name must be used and can be determined with the /l switch.Mbsacli /lr reportName |
/ld | This displays a detailed output from a specific report. The report
name must be used and can be determined with the /l switch.Mbsacli /ld reportName |
Microsoft has created a free download that includes several sample scripts you can use to accelerate your learning and use of the MBSACLI The current version is called mbsa2samples.exe and can be located on Microsoft's download site (www.microsoft.com/downloads) by searching for "MBSA scripts " Just be aware that any script that references the wsusscan.cab file needs to be modified to use the wsusscn2.cab file (or the wsusscn2.cab file needs to be renamed as wsusscan.cab) The older wsusscan.cab file has not been updated since March 2007.
In this tutorial:
- Windows 7 and Other software Up to Date
- Understanding Windows Live
- Updates versus upgrades
- Why updates are important
- Windows Update
- Windows Update: The essentials
- Types of Updates
- Completing an Update
- Configuring automatic Updating
- Windows Update Applet and Functions
- Manually Install Updates Using Windows Update
- Action Center
- Updates Do Not Install Properly
- Other Windows Update Settings
- Configuring Windows 7 Update to Use a Proxy Server
- Can't Find Hidden Update
- Viewing and Changing Installed Updates
- Can't Uninstall Current Update
- Upgrade Windows Anytime
- Understanding Windows Server Update Services
- Windows Update Policies
- Updating Drivers
- Using Device Manager to Update Drivers
- Windows Update Driver Settings
- Windows 7 Service Packs
- Basic Service Pack Information
- Installation of Service Packs
- Installing and Removing Software
- Installation via CD or DVD
- Problem Installing from Disc
- Installation via Downloaded Program
- Viewing and Changing Programs
- Uninstalling Software
- Compatibility Issues in 64-Bit Version
- Upgrade Issues with 64-Bit Windows 7
- Other Program Compatibility Issues
- Side-by-Side Installs and Virtual Registries
- Removing Updates from Windows 7
- Thwarting Exploits with DEP
- Microsoft Baseline Security Analyzer
- Picking Computers to Scan
- Vulnerability Checks
- Installing MBSA
- Running the MBSA
- Running the MBSACLI
- MBSACLI Location
- Running in an Isolated Environment
- Using Windows Server Update Services
- WSUS Updates
- WSUS Requirements
- Installing, Configuring, and Using WSUS
- Adding the Application Server and Web Server (IIS) Roles
- Installing the Report Viewer
- Installing WSUS
- Configuring Group Policy Settings for WSUS
- Creating a GPO to Configure Clients to Use WSUS
- Verifying That Clients Are Using GPO Settings for WSUS
- Verifying That Clients Are Using GPO Settings with GPResult
- Creating Computer Groups on WSUS
- Approving Updates in WSUS
- Viewing WSUS Reports