Protecting Your Machines from the WannaCry Malware

By now most of you have surely read about the new WannaCry ransomware malware that has recently been disabling computers and networks all over the planet. Protecting your computers is very easy, but you have to care enough to make sure that you’ve done what needs to be done!

Deploying the WannaCry Patch to Current / Supported Operating Systems

In March Microsoft released a Windows update to fix the file-sharing vulnerability that WannaCry utilizes to install itself in systems. If you have been regularly installing Windows updates on your computers then you should already be safe. Make sure that you have the March updates installed, but also use this time to evaluate your entire patching policy. Do you patch semi-annually or quarterly? It is my opinion that if you are not patching every single month to apply the latest Windows updates, then you are inviting malware into your network. In 2017 if you want to keep your computers and network virus-free, the absolute number one most important and simplest thing that you should be doing is applying Windows updates relatively soon after they are released by Microsoft.

Yes, it’s true that when Microsoft releases updates they can sometimes cause problems or wreak havoc on systems, so we do *not* advocate installing Windows updates on production computers on the same day that they are released. We believe the best option 99% of the time is to wait approximately 1 week after Windows updates are released before you deploy them to all of your systems. However, you *should* deploy them to your test lab on the day they are initially released, or the day after. Then wait a week to see if you have any problems in your lab and to see if any problems are reported by other users across the internet. If any patches are determined to cause problems, do your research to make the determination whether or not you should install the patches or wait for a re-release from Microsoft.

The following links demonstrate how to keep your computers up to date with BatchPatch. You may use any of these tutorials to make sure that you are protected from WannaCry:

The following link demonstrates how to see which updates have already been installed on target systems:

Deploying the WannaCry Patch to Unsupported / Old Operating Systems (Windows XP, Windows 2003, Windows 8)

With regard to WannaCry and older operating systems… up until a couple of days ago no patch existed for unsupported operating systems such as Windows XP, 2003, and 8. If you are still using one of these unsupported operating systems in your company, then you need to seriously consider why that’s the case. At this point in 2017 there is really almost no good reason to still be running one of these OSes, and even if you have a good reason for running one of these OSes in a corporate environment, you should still be looking to move away from them ASAP. If you’re a home user and you never got off of XP or 8, this should be a wake-up call. Your personal computer is just as vulnerable to WannaCry as any corporate machine.

If you are trying to deploy the WannaCry fix to your XP, 2003, or 8 computers, you have two options. You can use BatchPatch to apply the available Windows Updates using one of the methods outlined below in the following tutorials:

Alternatively you may deploy the standalone offline patch installer file to your target computers using the BatchPatch ‘deployment’ feature. The patch for each of the above-mentioned unsupported operating systems is linked off the bottom of this page:

Instructions for deploying standalone exe, msi, msu, and msp files can be found at but don’t forget about the silent /quiet installation parameter! More on that here:

Posted in Blog, General, Tutorials | Tagged , , | Comments closed

Remote Registry Updates with BatchPatch

Pretty much every systems administrator will need, at one point or another, to apply a registry update, remotely, to multiple computers. Today I’m going to show you how that can be accomplished quickly and easily using BatchPatch.

  1. First let’s start by looking at the registry key that we plan to update. In the screenshot below you can see that I have the ‘Enable’ DWORD currently set to a value of 1 for HKLM\SOFTWARE\FileZilla 3\fzshellext
  2. For the sake of this example, let’s modify the value and change it from 1 to 0. Prepare a text file that looks like the one I have posted in the screenshot below. You can also create a file like this by using ‘File > Export’ in the Registry Editor window. Then simply modify the resulting file to fit your requirements. I have saved the file to my desktop as FileZilla.reg
  3. We can now use BatchPatch to deploy the FileZilla.reg file to our desired target computers, which will have the effect of creating and applying the specified registry key and value on computers that do not have the key/value in the first place. For computers that already have the registry key and value, it will update the value to the value that we specified in our .reg file. So in my case I already have the key/value in my registry, but I have a value of 1. Since my FileZilla.reg file has the value as 0, once I have successfully deployed the reg file using BatchPatch, the registry value on my test computer will be changed from 1 to 0.
  4. In BatchPatch highlight the desired target computers, and then select ‘Actions > Deploy > Create/modify’
  5. In the deployment window, create the deployment as I have in the screenshot. All I’ve done is used the … browse button to locate the FileZilla.reg file. No other configuration needs to be made. The ‘command to execute’ will be automatically populated by BatchPatch when the .reg file has been selected.
  6. At this point I can execute the deployment by clicking on the ‘Execute now’ button. I could alternatively save the deployment for later execution by using the >> button, but in this instance I have no need to do that, so I’ll just execute it immediately.
  7. Execution completed almost immediately, and I got a blue Exit Code 0 (SUCCESS) message.
  8. We can confirm, if desired, that the change was successful by using ‘Actions > Get information > Get registry key/value’. We simply enter the registry key that we want to view.
  9. We can view the output of the above command to verify that our DWORD value is now 0 instead of the previous value of 1.

Deploying a Standardized Hosts File to Multiple Computers on a Network

Recently someone asked us how they could use BatchPatch to replace the ‘hosts’ file on all target computers in their network with a customized ‘hosts’ file that had been created by the IT department. BatchPatch can do this very quickly and painlessly.

First, let’s briefly discuss the ‘hosts’ file for those of you who aren’t familiar with it. Essentially it’s just a text file that Windows uses to map host names to IP addresses. The functionality is similar to the primary functionality of DNS, but instead of requiring a full DNS server, it’s literally just a file on your computer. And if you are using a ‘hosts’ file in conjunction with DNS, the entries in your computer’s ‘hosts’ file will actually override any mappings in DNS for the same hosts.

In Windows, the ‘hosts’ file is located in:


The default file has the following contents:

# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#          # source server
#              # x client host
# localhost name resolution is handled within DNS itself.
#       localhost
#	::1             localhost

Perhaps you have a reason to add some custom mappings to all of the computers in your network, like shown in the hosts file below:

# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#          # source server
#              # x client host
# localhost name resolution is handled within DNS itself.
#       localhost
#	::1             localhost

Here is how to deploy your custom hosts file to multiple computers in your network:

  1. Prepare your hosts file and save it to any location on your computer.
  2. In BatchPatch select ‘Actions > Copy file/folder > Create/modify file or folder copy’
  3. Select or input your source file’s full path. The destination folder will be:

    Make sure to check the ‘Overwrite’ box so that the hosts file on the target computer will be overwritten with your new/custom hosts file.

  4. Finally click the ‘Execute now’ button to copy the file to the selected target computers.
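
Because entries in the hosts file override DNS, it is worth confirming after the copy that a target holds only the approved mappings. The PowerShell below is an added example, not BatchPatch code: the function names Get-HostsEntry and Compare-HostsToBaseline are hypothetical, and the baseline and deployed contents are constructed sample data using documentation-range addresses.

```powershell
# Added example, not part of BatchPatch. Function names and all sample data
# are constructed for illustration.

function Get-HostsEntry {
    # Parses hosts-file lines into Address/Name pairs, ignoring comments and blanks.
    param([string[]]$Line)
    foreach ($raw in $Line) {
        $text = ($raw -split '#', 2)[0].Trim()      # drop trailing or whole-line comments
        if (-not $text) { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }       # an address with no name maps nothing
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; Name = $name.ToLowerInvariant() }
        }
    }
}

function Compare-HostsToBaseline {
    # Reports every mapping on the target that differs from the approved file,
    # plus approved names that are absent on the target.
    param([string[]]$Approved, [string[]]$Deployed)

    $allow = @{}
    foreach ($entry in (Get-HostsEntry -Line $Approved)) { $allow[$entry.Name] = $entry.Address }

    $seen = @{}
    foreach ($entry in (Get-HostsEntry -Line $Deployed)) {
        $seen[$entry.Name] = $true
        if (-not $allow.ContainsKey($entry.Name)) {
            $finding = 'name not in baseline'
        } elseif ($allow[$entry.Name] -ne $entry.Address) {
            $finding = "baseline address is $($allow[$entry.Name])"
        } else {
            continue
        }
        [pscustomobject]@{ Name = $entry.Name; Address = $entry.Address; Finding = $finding }
    }
    foreach ($name in $allow.Keys) {
        if (-not $seen.ContainsKey($name)) {
            [pscustomobject]@{ Name = $name; Address = $allow[$name]; Finding = 'missing on target' }
        }
    }
}

# Constructed baseline, standing in for the file prepared by the IT department.
$approved = @'
# Approved mappings
192.0.2.10    intranet.example.test
192.0.2.20    build.example.test      # build server
192.0.2.30    wiki.example.test
'@ -split '\r?\n'

# Constructed contents, standing in for the file found on a target computer.
$deployed = @'
192.0.2.10    intranet.example.test
192.0.2.20    BUILD.example.test
198.51.100.7  update.example.test     # extra entry
192.0.2.99    intranet.example.test
'@ -split '\r?\n'

Compare-HostsToBaseline -Approved $approved -Deployed $deployed | Format-Table -AutoSize

# Against real files, read both sides with Get-Content, for example:
#   Compare-HostsToBaseline -Approved (Get-Content .\hosts) `
#       -Deployed (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```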

Remotely Manage Windows Updates and Reboots on Your Network

Today we are going back to the basics! The core functionality that BatchPatch offers is the ability to easily manage Windows Updates on multiple remote computers, simultaneously. This means that you can do the following:

  • Check a group of computers to see which updates they have available, and optionally produce a consolidated report of the results.
  • Download and/or install available Windows updates on a group of computers, simultaneously, while managing the entire process from a single console. Optionally and automatically reboot the computers after the updates have been installed.
  • Download and/or install only a subset of the available Windows updates on a group of computers.
  • Check which updates have previously been installed on target computers, and optionally produce a consolidated report of the results.
  • Hide or unhide updates that are visible at the target computer. Once an update has been hidden, it will no longer appear in the list of available updates until/unless it is subsequently unhidden.
  • Reboot or shutdown target computers with real-time monitoring.
  • Create a queue of multiple actions to execute on target hosts, such as download updates, install updates, reboot, wait for machine to come back online, download updates, install updates, reboot. You can include your own custom scripts, software installations, file copies, registry additions etc.
  • Create scheduled tasks to execute any action or queue.
  • Set up a task to use Wake on LAN to wake up your computers, download and apply Windows updates, reboot, wait 10 minutes, then shutdown.
  • Notify logged-on users of upcoming events or impending reboots.
  • Check target computers to see if they are waiting to be rebooted in order for update installation processes to be completed, and optionally automatically reboot the computers too.
  • Configure email notifications to keep you apprised of task status for tasks that are scheduled outside of working hours.
  • Monitor which services or which automatic services have not started after updates have been applied and computers have been rebooted. Optionally and automatically start the stopped automatic services.

In addition to the core functionality described above, BatchPatch also has additional functionality to help manage remote computers.

  • Deploy third party software to target computers.
  • Deploy .MSI packages as well as .MSP, .MSU, .EXE, and pretty much any type of package available.
  • Deploy registry keys/values
  • Deploy and / or execute scripts remotely such as PowerShell (.PS1), VBScript (.VBS), Batch (.CMD and .BAT)
  • Collect information from target computers such as last bootup time, MAC address, hardware information like CPU specs, computer model, available disk space etc.
  • Copy files and folders.
  • Coordinate tasks that have multiple computer dependencies so that, for example, computers can be updated and rebooted in various sequences, or so that only certain computers in a group are taken offline at a given time.

As always you are encouraged to peruse the tutorials on this site. You might find new ways to do things more easily that you hadn’t previously known about. Don’t hesitate to contact us with any questions, comments, or concerns.


Using the HTML Export Feature to Produce Reports

One of the most common questions we get from customers and non-customers is “how do you produce a report of available updates on numerous computers?” There are two basic ways to accomplish this task. The option that you select depends mostly on how you want the report to look. The first method I’ll demonstrate is the HTML export method, as this posting is titled. The second method will illustrate how to export in grid format, so that you can subsequently import into your favorite spreadsheet application for further manipulation and formatting.

Method 1:

The HTML export method enables you to put the actual BatchPatch grid contents into a format that is viewable on any computer, regardless of whether or not BatchPatch is installed.

  1. The first order of business is to get the information that you want to display in the report. If we want to display the list of available updates, then I’ll start by executing ‘check for available updates’ on the hosts in the grid.

  2. When the results of the query return we just need to adjust the grid to show only the information that we want in the HTML export. For the sake of this example I only want to display the host name and the report of updates found, which is displayed in the ‘Remote Agent Log’ column. I have hidden all the other columns by right-clicking on the grid column header and deselecting the appropriate checkboxes. You may alternatively use ‘Tools > Customize visible columns’ to display the same checkbox list of columns.
  3. Now that we have only the columns that we want to appear in the HTML report visible in the grid, we can export the grid to HTML using ‘File > Export grid > Export current grid to HTML’
  4. The resultant HTML file displays the grid at the top, and it’s clickable, so that if you click on a cell in the grid it takes you directly to that cell’s corresponding data location in the HTML file. This makes a very convenient little report that can be displayed on any computer.

Method 2:

In the case of creating a report of available updates or a report of previously installed updates on target hosts, you have a second report option in BatchPatch. ‘Actions > Windows updates > Generate consolidated report of available updates’ and ‘Actions > Windows updates > Generate consolidated report of Windows update history’ will give you the information in a format that can be imported into your favorite spreadsheet application.

  1. For this example we will execute ‘Actions > Windows updates > Generate consolidated report of available updates’
  2. When the report executes it opens a new report viewer window, and the results of each target host query are populated in the new window as soon as they return.
  3. Once the data is displayed in the viewer you can use the ‘Export report’ menu item to export the grid to a delimited file or XML.
  4. Once you have exported the report you can use your preferred spreadsheet application to import it for further manipulation or formatting.

Install Windows Updates Only If Sufficient Space Is Detected On Target C: Drive

Today I’m going to demonstrate an ‘advanced’ concept in BatchPatch. We will use a combination of features, including the Job Queue, the Deployment feature, and a bit of custom scripting to achieve the desired effect. The goal here is to illustrate how you can use BatchPatch to accomplish something that might not be directly built-in to the software.

The goal:

Instruct BatchPatch to download and install Windows Updates on selected target computers ONLY if the target computers first pass a check to see if they have enough disk space on their C drives. ‘Enough’ disk space is any number of megabytes that you choose.


Use the BatchPatch Job Queue to execute the following steps:

  1. Deploy a script to target computers that returns 0 if the amount of available C drive space is above the threshold that we set. If the amount of free space is below our threshold, then return 1.
  2. Use the Job Queue feature ‘Stop queue execution if previous action fails/errors’
  3. Execute ‘Download and install updates + reboot if required’ (or any desired action)

How to do it:

  1. I’ve created a very simple vb script that checks for free space on the C: drive and returns 0 if the number of megabytes free is greater than or equal to 500. If there are fewer than 500 megabytes free on C, then the script returns 1. Of course you can modify the threshold to be any number that you want. The contents of my script are below:
    'Gets the free space on C drive.  If free space is less than specified threshold return 1. Else return 0.
    'Cocobolo Software LLC April 2017.
    on error resume next
    Dim freeMB
    Const MBCONVERSION = 1048576
    Set objWMIService = GetObject("winmgmts:\\localhost\root\cimv2")
    'Get C drive space
    Set colLogicalDisk = objWMIService.ExecQuery("Select * from Win32_LogicalDisk")
    For Each objLogicalDisk in colLogicalDisk
        If objLogicalDisk.DeviceId = "C:" Then
            freeMB = objLogicalDisk.freespace/MBCONVERSION
        End If
    Next
    'Exit code 1 halts the job queue; exit code 0 lets it continue.
    'If the WMI query fails, freeMB stays Empty, which compares as 0 and also returns 1.
    If freeMB < 500 Then
        WScript.Quit(1)
    Else
        WScript.Quit(0)
    End If
  2. Save the script. The contents of the script above need to be saved in a text file with a .vbs file extension. For the sake of this example my script is called “DiskCheck.vbs”
  3. Create a deployment. The deployment will be used to copy the vbscript to the target computers, execute it, and retrieve the exit code. To create your deployment select ‘Actions > Deploy > Create / modify.’
  4. Browse to the location of your DiskCheck.vbs file, and then give the deployment a title. Click the ‘>>’ button to save the deployment. The screenshot below shows the configured deployment.
  5. With your deployment created and saved you can now set up your Job Queue. Go to ‘Actions > Job Queue > Create / modify’.
  6. Select the desired steps of the queue. The first step executes the deployment that we created earlier. The second step tells BatchPatch to halt the queue if the previous action fails/errors (a script is considered failed/errored if it returns any non-zero value). The third and final step of the script is to execute whatever action is desired such as ‘Download and install updates.’ The screenshot below shows what your queue should look like:
  7. All we have to do now is execute the queue. Click ‘Execute now’ (or alternatively save the queue first and then execute it directly from the BatchPatch Job Queue menu). In the screenshot below you can see that I had less than 500 MB free on the target computer, and so the job queue halted, as desired. If there were 500+ MB available, then the job queue would have executed the final step to download and install updates.

Removing Windows Updates Remotely from Windows 10 and 2016

In BatchPatch we have a menu item ‘Actions > Windows updates > Uninstall individual update’ that you can use to easily remove a single Windows update from numerous target computers, simultaneously. This command invokes wusa.exe on target computers to uninstall the desired update. We have a tutorial posted for this feature here. The only problem is that beginning with Windows 10 and 2016, this feature no longer works. You can still use it without issue to uninstall updates on older OSes such as Windows 7, Windows 2008, and Windows 2012, but for whatever reason Microsoft removed some of the functionality from wusa.exe on newer operating systems. You can’t use wusa.exe with the /quiet parameter to remove an individual Windows update from Windows 10 or Windows 2016. We agree, this is pretty darn annoying.

In the next release of BatchPatch we will have a new macro that allows you to remove an update from Windows 10 or 2016, but in the meantime if you need to remove an update from one of these newer operating systems, here is what you need to do:

  1. Select the desired hosts in the grid and choose ‘Actions > Execute remote process/command > Create/modify remote command 1’
  2. In the remote process/command window you’ll enter the following command. Replace KB4014329 with the KB ID of the update that you would like to remove.
    cmd.exe /c echo . | powershell.exe -ExecutionPolicy Bypass -command "$SearchUpdates = dism /online /get-packages | findstr 'Package_for'; $updates = $SearchUpdates.replace('Package Identity : ', '') | findstr 'KB4014329'; DISM.exe /Online /Remove-Package /PackageName:$updates /quiet /norestart"

  3. At this point you can either click ‘Apply command to row(s) without executing’ so that you can execute it later. Or you can just click ‘Execute’ which will apply the command to the row(s) and then execute it immediately. Additionally, if you need/want to save this command for future use you can also add it to ‘Actions > Execute remote/process command > Create/modify remote commands.’ Once added there it will appear in the BatchPatch actions menu for future use.

That’s really all there is to it. As mentioned above, we will be adding a macro for this command in the next version of BatchPatch, so that you can more easily execute it by simply providing the KB ID of the update that you want to remove. However, for the time being, this is your best bet for remotely removing an update from numerous computers. Of course there is always the option of going to each computer one by one to remove the update manually, but that’s a pain, especially when dealing with numerous computers.
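
The one-liner above does not distinguish between zero, one, or several matching packages, and a plain substring search for a KB ID also matches longer KB numbers that begin with the same digits. The PowerShell below is an added example, not BatchPatch code and not the upcoming macro: the function names Select-PackageIdentity and Remove-UpdateByKb are hypothetical, and the DISM output is a constructed sample. It validates the KB ID, matches it exactly, and by default only prints the DISM command it would run.

```powershell
# Added example, not part of BatchPatch. Function names and the sample DISM
# output are constructed for illustration.

function Select-PackageIdentity {
    # Returns the package identities in 'dism /online /get-packages' output
    # that belong to exactly the given KB.
    param(
        [string[]]$DismOutput,
        [ValidatePattern('^KB\d+$')][string]$KbId
    )
    # The KB ID must be followed by a non-digit or end of string, so that
    # KB4014329 does not also select a package for a longer KB number.
    $pattern = '^Package_for_.*' + [regex]::Escape($KbId) + '(\D|$)'
    foreach ($line in $DismOutput) {
        if ($line -match '^\s*Package Identity\s*:\s*(\S+)\s*$') {
            $identity = $Matches[1]
            if ($identity -match $pattern) { $identity }
        }
    }
}

function Remove-UpdateByKb {
    # Prints the DISM command for each matching package; runs it only with -Execute.
    param(
        [ValidatePattern('^KB\d+$')][string]$KbId,
        [string[]]$DismOutput = (dism.exe /online /get-packages),
        [switch]$Execute
    )
    $targets = @(Select-PackageIdentity -DismOutput $DismOutput -KbId $KbId)
    if ($targets.Count -eq 0) {
        Write-Warning "No installed package matches $KbId; nothing to remove."
        return
    }
    foreach ($identity in $targets) {
        $dismArgs = @('/Online', '/Remove-Package', "/PackageName:$identity", '/quiet', '/norestart')
        if ($Execute) {
            & dism.exe @dismArgs
            '{0}: exit code {1}' -f $identity, $LASTEXITCODE
        } else {
            "dism.exe $($dismArgs -join ' ')"
        }
    }
}

# Constructed sample of 'dism /online /get-packages' output.
$sample = @'
Packages listing:

Package Identity : Package_for_KB4014329~31bf3856ad364e35~amd64~~10.0.1.0
State : Installed
Release Type : Security Update

Package Identity : Package_for_KB40143291~31bf3856ad364e35~amd64~~10.0.1.0
State : Installed
Release Type : Update

Package Identity : Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~10.0.14393.0
State : Installed
Release Type : Foundation
'@ -split '\r?\n'

# Dry run against the sample: prints one command, for the exact KB only.
Remove-UpdateByKb -KbId 'KB4014329' -DismOutput $sample

# A KB that is not installed produces a warning instead of an empty /PackageName:.
Remove-UpdateByKb -KbId 'KB0000000' -DismOutput $sample
```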


Install Patches with Multiple Automated Reboots

Today I want to take a few minutes to go over one of the core automation options that BatchPatch provides for Windows Updates. Anyone who has ever been responsible for applying Windows Updates across a network of computers has encountered the rather annoying and often frustrating situation where installing updates and then rebooting target computers isn’t enough to complete the task at hand. There are times where installing updates and rebooting simply causes Windows Update to present new, yet to be installed, updates. When you’re dealing with a tight time schedule to get updates installed and computers rebooted and verified back online, this little “gotcha” can really induce a headache. If you are expecting that Microsoft will figure out a way to prevent this scenario from ever occurring in the first place, don’t hold your breath. You’re much better off just figuring out how best to deal with it when it happens. That’s where BatchPatch’s automation features come in handy.

One of the most common uses of BatchPatch is to create a one-click cycle or queue of actions to execute on numerous target computers simultaneously. In this particular case we’ll look at how you can instruct a set of computers to download and install Windows Updates and then reboot with an automatic “lather, rinse, repeat” mode, so that if any new updates are presented by Windows Update after the first reboot, you can make sure that they get installed and the computer is rebooted a second time. You can keep this cycle going as many times as you want, though generally speaking two cycles will cover you. However, including a third cycle won’t hurt anything. If there are no updates left to install, then obviously no updates will get installed.

Using the Job Queue for Update + Reboot Cycles

  1. Create the cycle / queue that you wish to execute on target computers. Select ‘Actions > Job Queue > Create / modify job queue’
  2. Next you’ll create the queue. For my purposes it is sufficient to use a queue like the one shown in the screenshot below. In your case you might want to have something that looks a bit different or repeats the process more than two times.

    Download and install updates + reboot always
    Wait for host to go offline and come back online
    Wait 3 minutes
    Download and install updates + reboot if required

  3. Next you can save the queue by giving it a title and clicking the >> double-arrow button. And now it’s ready to be used on your target computers.
  4. Select the desired hosts and then click ‘Actions > Job queue > Execute saved job queue’ and select the title you gave to the job queue that you created in the previous steps. That’s all there is to it.

Daisy Chaining Multiple Patch and Reboot Steps for Windows Update

BatchPatch provides the IT administrator with a significant amount of flexibility when it comes to stringing together multiple update and reboot steps for a single computer or for numerous remote computers. You are not only limited to Windows Updates. You can also include third party software deployments and/or third party software updates along with your own custom scripts or commands. Additionally, BatchPatch even lets you incorporate multi-step routines that involve a group of computers, so that you can execute one or more actions in any sequence, involving as many computers as you desire. This means, for example, that you can trigger an action to execute on one computer, and when it completes it can trigger an action to execute on 4 other computers simultaneously, and when those 4 other computers all complete they can trigger actions to run on other computers, and so on.

BatchPatch Job Queue

The primary feature that you need to look at if you’re interested in basic multi-step execution that involves either one target computer or multiple target computers executing a simple sequence of steps is the BatchPatch Job Queue. The Job Queue is a straightforward tool to use when you need each computer to run its own steps, with each computer running independently of any other computers. To learn how to use the BatchPatch Job Queue, see this tutorial.

BatchPatch Advanced Multi-Row Queue Sequence

If you are interested in more advanced sequencing that links multiple computers together in a larger automated sequence, where one or more computers’ actions might be dependent on the actions of another computer or group of computers, then you need to look at the BatchPatch Advanced Multi-Row Queue Sequence. This tool is actually quite powerful with what you can do. The three most common uses we see with the Advanced Multi-Row Queue Sequence are:

1. Virtual machine updating: You can setup a single-click automated routine that will apply Windows Updates to your virtual guests, and then when all virtual guests are updated, the virtual host is triggered to update and reboot.

2. Maintenance start/stop scripts: You can setup a single-click automated routine that will start your ‘Begin Maintenance’ script, then update all computers, then execute your ‘End Maintenance’ script.

3. Ordering updates and reboots for environments where machines have interdependencies: For example if you have a group of computers that together comprise the back-end and front-end for a particular application, you might need to update and reboot these machines in a specific order, with only certain machines being allowed to be offline at any given time.

To learn how to use the BatchPatch Advanced Multi-Row Queue Sequence, see this tutorial.


BatchPatch Task Scheduler Recurrence Options

Most of you are probably well aware of the fact that Microsoft releases Windows Updates on the second Tuesday of each month. This recurring Tuesday has come to be known in the industry as ‘Patch Tuesday.’ One of the things that has always been annoying to many admins is the fact that while Patch Tuesday is always the second Tuesday of the month, the Wednesday that comes the day after Patch Tuesday is not necessarily always the second Wednesday of the month! For example, if the first day of a given month is a Wednesday, then the Wednesday that comes the day after Patch Tuesday will be the third Wednesday of the month, not the second.

Why does all this matter? Well, in terms of scheduling, it can be a bit tricky. Some companies choose to apply Windows Updates almost immediately after they are released on Patch Tuesday. For some this means that the Wednesday after Patch Tuesday is server maintenance day. For others it means that the Friday or Saturday after Patch Tuesday is server maintenance day. If you are scheduling any portion of your update process to run automatically, you need a good way to define the maintenance window. If you choose to have a recurring schedule that runs on the second Wednesday of every month, you’re going to miss your target in the months where the second Wednesday is not the day that comes after the second Tuesday.

In the most recent release of BatchPatch we added a new recurrence option to the Task Scheduler. So now if you want to schedule your tasks to run on the day after Patch Tuesday, you can do it more easily. For any recurring task you can now define a run time to come X days after a reference time. In the screenshot below you can see that I’ve set recurrence to be ‘Monthly (2nd Tuesday) + 1 days’ which means that no matter how the days fall, my schedule will always run on the day after Patch Tuesday.
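
The date arithmetic behind a ‘Monthly (2nd Tuesday) + 1 days’ recurrence, as an added PowerShell example (not BatchPatch’s own code; the function names Get-NthWeekday and Get-PatchWindow are hypothetical). For each month of a year it lists the day that falls a fixed number of days after Patch Tuesday next to the date that a ‘second <weekday> of the month’ schedule would pick, so the months where the two disagree stand out.

```powershell
# Added example, not part of BatchPatch. Function names are hypothetical.

function Get-NthWeekday {
    # Returns the date of the Nth given weekday in a month (e.g. the 2nd Tuesday).
    param(
        [int]$Year,
        [int]$Month,
        [System.DayOfWeek]$DayOfWeek,
        [int]$Nth
    )
    $first = New-Object -TypeName System.DateTime -ArgumentList $Year, $Month, 1
    # Days from the 1st of the month to the first occurrence of the weekday.
    $offset = (([int]$DayOfWeek - [int]$first.DayOfWeek) + 7) % 7
    $first.AddDays($offset + 7 * ($Nth - 1))
}

function Get-PatchWindow {
    # One row per month: Patch Tuesday, Patch Tuesday + $DaysAfter, and the date
    # a naive "second <weekday> of the month" schedule would have chosen.
    param(
        [int]$Year,
        [ValidateRange(0, 6)][int]$DaysAfter = 1
    )
    foreach ($month in 1..12) {
        $patchTuesday = Get-NthWeekday -Year $Year -Month $month -DayOfWeek Tuesday -Nth 2
        $window       = $patchTuesday.AddDays($DaysAfter)
        $naive        = Get-NthWeekday -Year $Year -Month $month -DayOfWeek $window.DayOfWeek -Nth 2
        [pscustomobject]@{
            Month         = $patchTuesday.ToString('yyyy-MM')
            PatchTuesday  = $patchTuesday.ToString('ddd dd')
            Window        = $window.ToString('ddd yyyy-MM-dd')
            NaiveSchedule = $naive.ToString('ddd yyyy-MM-dd')
            Agrees        = ($window.Date -eq $naive.Date)
        }
    }
}

# Wednesday after Patch Tuesday versus "second Wednesday" for every month of 2017.
Get-PatchWindow -Year 2017 -DaysAfter 1 | Format-Table -AutoSize

# Only the months where a "second Wednesday" schedule would miss the window.
Get-PatchWindow -Year 2017 -DaysAfter 1 | Where-Object { -not $_.Agrees } | Format-Table -AutoSize
```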
