Windows 7 / Getting Started

MBSACLI

Scanning a large network should be done on a regular basis to find computers that have not been properly updated. However, scanning a large network is a time-consuming process. Although the MBSA console is the most efficient way to scan a network interactively, the MBSACLI command-line tool provides a way to script an analysis. By using scripts, you can schedule scanning to occur automatically, without your intervention. This way, you can have MBSACLI generate a report that you can refer to on demand.

As with the MBSA graphical console, you need administrative access to use MBSACLI to scan a computer. In a domain environment, simply log on to your computer using an account that has sufficient privileges. Otherwise, you can provide credentials at the command line by using the /u and /p parameters. However, you should avoid typing credentials in a script because the script can be compromised, allowing an attacker to gain privileges on remote computers.

Table lists the parameters available in MBSACLI's MBSA mode.

MBSA Mode Parameters in MBSACLI

/target domain\computername | ipaddressScans the host with the specified computer name or IP address.
/r ipaddress1-ipaddress2Specifies an IP address range to be scanned, beginning with ipaddress1 and ending with ipaddress2, inclusive.
/listfile filenameScans hosts specified in a text file.
/d domain_nameScans all computers in a specified domain. Of course, your computer must be able to identify those computers. It uses the same mechanism as Network Neighborhood, so if you can browse computers in Network Neighborhood, this switch will work.
/u username /p passwordScans using the specified user name and password.
/n scansSkips specific scans. You can choose OS, SQL, IIS, Updates, and Password. If you want to suppress multiple scans, separate them with a + sign. For example, to scan only for updates, use the command Mbsacli /n OS+SQL+IIS+Password.
/waShow only updates approved on the WSUS server.
/wiShow all updates, even if they haven't been approved on the WSUS server.
/catalog filenameSpecifies the MBSA detection catalog, Wsusscan.cab. You can download this file from http://go.microsoft.com/fwlink/?LinkId=39043.
/qp, /qe, /qr, /qt, /qDoes not display the scan progress, error list, and report list; the report following a singlecomputer scan; or any of these items, respectively.
/l, /lsLists all available reports or just the reports created in the latest scan, respectively.
/lr "reportname", /ld "reportname"Displays an overview or detailed report summary when given the filename of the report. You do not need to specify the full filename- only the name of the report. For example, the following command shows a report for Computer1: mbsacli /ld "Cohowinery.com - Computer1 (11-11-2003 07-46 AM)"
/nai, nm, ndPrevents MBSACLI from updating the Windows Update features, configuring computers to use the Microsoft Update Web site, or downloading files from the Microsoft Web site, respectively.
/nvcPrevents MBSACLI from checking for a new version of MBSA.
/xmloutProvides XML-based output, which is more difficult to read as a text file but easier to parse programmatically.
/o "template"Uses a different template for the report filename. By default, the name is %domain% - %computername% (%date%). If you put one or more spaces in the template, be sure to enclose it in quotation marks.

When scanning a single computer, MBSACLI outputs information about vulnerabilities directly to the console. To save the output to a file, redirect it using the standard > notation. For example, this command saves the report output to a file named Output.txt.

Mbsacli > output.txt

When scanning multiple computers, MBSACLI displays only the computers scanned and the overall assessment. The details of the scan are stored in an XML report that is saved in your %UserProfile%\SecurityScans\ folder. By default, the filename for each report is set to domain - computername (date).mbsa.

You can view the reports by using the graphical MBSA console, however, by simply starting MBSA and then clicking View Existing Security Reports. MBSA will show the Pick A Security Report To View page, listing all of the available reports. You can also view them from the command line by using the /ld parameter and specifying the report's filename.

[Previous] [Contents] [Next]

In this tutorial:

  1. Managing Software Updates
  2. Methods for Deploying Updates
  3. Windows Update Client
  4. Windows Server Update Services
  5. System Center Configuration Manager 2007 R2
  6. Manually Installing, Scripting, and Removing Updates
  7. Overview of Windows 7 Update Files
  8. How to Script Update Installations
  9. How to Remove Updates
  10. Deploying Updates to New Computers
  11. Other Reasons to Use a Private Network for New Computers
  12. Managing BITS
  13. BITS Behavior
  14. BITS Group Policy Settings
  15. Configuring the Maximum Bandwidth Served For Peer Client Requests Policy
  16. Managing BITS with Windows PowerShell
  17. Windows Update Group Policy Settings
  18. Configuring Windows Update to Use a Proxy Server
  19. Tools for Auditing Software Updates
  20. The MBSA Console
  21. MBSACLI
  22. Scheduling MBSA
  23. Troubleshooting the Windows Update Client
  24. The Process of Updating Network Software
  25. Assembling the Update Team
  26. Inventorying Software
  27. Creating an Update Process
  28. Discovering Updates
  29. Evaluating Updates
  30. Speeding the Update Process
  31. Retrieving Updates
  32. Testing Updates
  33. Installing Updates
  34. Removing Updates
  35. Auditing Updates
  36. How Microsoft Distributes Updates
  37. Security Updates
  38. Update Rollups
  39. Service Packs
  40. Microsoft Product Life Cycles