Use powershell script to download windows patches monthly

原創 LarryIsTaken 2022-07-04 13:30

My company concerns security, request us to deploy the newest patches on our servers in time, even we have firewall/encryption internally.

Welcome email to: [email protected]

With the number of servers increasing, there must be some servers can't be patched as expected, probably caused by SCCM/WSUS or incorrect configuration on server, plus 3rd party patch scanning software and presures from security team, support team like me have to patch missing patches one by one. This makes me have to paste the MS number in google, and find the correct KB, then download and install, turns out it's a mess.

To make life easier, I did the script to automatic download patches from MS with scheduled time, the script will grab contents from MS RSS and get MS numbers and links, it will loop MS links and grabs KBs, and download patches to local path.

Security RSS: https://technet.microsoft.com/en-us/security/rss/bulletin

Workflow: Get contents of RSS -> grab MS numbers and links -> Enum MS links and grab KBs -> filter out some KB -> grab KB details link -> grab KB download links -> Download

Step by step to analysis the script,

 

$Url = 'https://technet.microsoft.com/en-us/security/rss/bulletin'
$ExcludeProducts = 'lync|Itanium|for mac'
$IncludeProducts = 'server'

$ExcludePatches = '-IA64|Windows6\.0|-RT-|ServiceBusServer'

$PatchStoreTo = '.\'

some variables defined,

$Url is the link of RSS;

$ExcludeProducts when get the contents of MS link, use regular expression to filter out unwanted product, for me is lync and patches for Itanium cpu;

$IncludeProducts after product filter, i want to filter again for KBs for "server";

$ExcludePatches is another filter, when final get patch link, I don't want patches for Itanium (Why? because some KB doesn't have enough details, so this filter added);

$PatchStoreTo is a path to store patches.

 

$WebClient = New-Object System.Net.WebClient
$WebClient.Encoding = [System.Text.Encoding]::UTF8

Create the webclient object and set the encoding

 

do
{
    $RSSContent = $WebClient.DownloadString($Url)
}
while(
    $(if(!$?)
    {
        Write-Host 'Failed to get RSS' -ForegroundColor Red
        Start-Sleep -Seconds 600
        $true
    })
)

Get the contents of RSS, if failed, will report with red words and sleep 10 minutes to do again.

 

([xml]$RSSContent).rss.channel.Item | Sort-Object link | %{...}

Convert RSS contents to XML type, then can easily retrieve data.

 

    $MSRC_URL = $_.link
    Write-Host "Processing: [$MSRC_URL]" -ForegroundColor Yellow
    $MSRC = ([regex]::Match($MSRC_URL, '(?i)MS\d+-\d+$')).Value
    Write-Host "MS number: [$MSRC]" -ForegroundColor Green
    if(!(Test-Path -LiteralPath "$PatchStoreTo\$MSRC"))
    {
        do
        {
            New-Item -Path "$PatchStoreTo\$MSRC" -ItemType Directory | Out-Null
        }
        while(
            $(if(!$?)
            {
                Write-Host 'Failed to create MSRC folder' -ForegroundColor Red
                Start-Sleep 300
                $true
            })
        )
    }

MS link stores in $MSRC_URL, and output to screen as color yellow, then use regular expression to grab MS number and stored in $MSRC, after that create a folder named as MS number to store patches.

 

    Write-Host "Trying to capture KBs from MSRC URL" -ForegroundColor Yellow
    do
    {
        $MSContent = $null
        $MSContent = $WebClient.DownloadString($MSRC_URL)
    }
    while(
        $(if(!$?)
        {
            Write-Host 'Failed to capture MSRC content' -ForegroundColor Red
            Start-Sleep 300
            $true
        })
    )

Above codes is to grab MS link contents and store in $MSContent.

MS link is like https://technet.microsoft.com/en-us/library/security/MS14-063, MS contents are the source codes behind the web page.

 

[regex]::Matches($MSContent, '(?i)<tr>[\s\S]+?<a href="(http://www.microsoft.com/downloads/details.aspx\?FamilyID=[\w\-]+?)">[\s\S]+?\((\d{7})\)') | %{...}

The code is to grab KB information, like KB number, and KB link.

It will match contents like below screenshot, all characters in the grah will be matched by the regular expression pattern.

 

        Write-Host "KB: [$($_.Groups[2].Value)]" -NoNewline -ForegroundColor Green
        if($_.Value -imatch $ExcludeProducts)
        {
            Write-Host "   --- Excluded: [$($Matches[0])]" -ForegroundColor Red
        }
        else
        {
            if($_.Value -notmatch $IncludeProducts)
            {
                Write-Host "   --- Excluded: Not match [$IncludeProducts]" -ForegroundColor Red
                return
            }
            $KBNumber = "KB$($_.Groups[2].Value)"
       Write-Host "`nDownload URL: [$($_.Groups[1].Value)]" -ForegroundColor Gray

Above code excludes the KBs matched product names in $excludeProducts, and left KB filtered again by $IncludeProducts, final passed KBs store in $KBNumber.

 

            do
            {
                $KBContent = $null
                $KBContent = $WebClient.DownloadString($_.Groups[1].Value)
            }while(
                $(if(!$?)
                {
                    Write-Host 'Failed to capture KB content' -ForegroundColor Red
                    Start-Sleep 300
                    $true
                })
            )

Above code get contents from KB link and stores in $KBContent,

KB link looks like this in $MSContent: http://www.microsoft.com/downloads/details.aspx?familyid=8a59fc6d-cbad-4905-842b-e5aa1fc6fedf

Access KB link will automatic redirect to:http://www.microsoft.com/en-us/download/details.aspx?id=44400

Surely this is a automation behavior of web server, I don't need to do anything in the script. Anyway the KB link page doesn't contain patch link, it just ask for confimation on languages and provide us some KB details, you can find screenshot followed.

As followed, I need to analysis KB contents, and find the page called "confirmation.aspx". Actually I can see it when I move my cursor on the "Download" button.

 

            $KBConfirm = ([regex]::Match($KBContent, '(?i)href="(confirmation.aspx\?id=\d+)"')).Groups[1].Value
            $KBConfirm = "http://www.microsoft.com/en-us/download/$KBConfirm"
            Write-Host "KB confirm URL: [$KBConfirm]" -ForegroundColor Gray
            do
            {
                $KBContent = $null
                $KBContent = $WebClient.DownloadString($KBConfirm)
            }while(
                $(if(!$?)
                {
                    Write-Host 'Failed to capture KB download content' -ForegroundColor Red
                    Start-Sleep 300
                    $true
                })
            )

Codes used to grab "confirmation.aspx" page link from KB contents, you may find the "id" behind "confirmation.aspx" is the same like "details.aspx" of KB link, but just for safey, I choose to grab "confirmation.aspx" page from KB content.

 

            $KBLinks = @()
            $KBLinks = [regex]::Matches($KBContent, '(?i)<a href="(http://download.microsoft.com/download/.+?)".+?>Click here</span>') | %{
                $_.Groups[1].Value
            }
            $KBLinks = @($KBLinks | Sort-Object -Unique)
            Write-Host "The KB contains updates: [$($KBLinks.Count)]" -ForegroundColor Green

After I get the contents of "confirmation.aspx", I use regular expression to match patch links and do a unique sort for final results, now $KBLinks contains all patches belong to that KB.

Followed screenshot is the "confirmation.aspx", it contains all patches download link, I used regular expression again to grab those links.

 

            $KBLinks | %{
                $FileName = $null
                $FileName = $_.Split('/')[-1]
                if($FileName -imatch $ExcludePatches)
                {
                    Write-Host "Patch excluded: [$($Matches[0])]" -ForegroundColor Red
                    return
                }

Now I have patch links in hand, the job left is download, but I do another filter before the downloading, as i mentioned previously, sometimes KB contents don't have enough information, so in here I use another filter to remove patches i don't want by patch names.

 

                if(Test-Path -Path $FilePath)
                {
                    Write-Host 'File already exists, skip!' -ForegroundColor Gray
                }
                else
                {
                    do
                    {
                        $WebClient.DownloadFile($_, $FilePath)
                    }while(
                        $(if(!$?)
                        {
                            Write-Host 'Download file failed!' -ForegroundColor Red
                            Start-Sleep -Seconds 300
                            $true
                        })
                    )
                }

Real download codes here, if patch already exists, script will skip it.

 

Last, one screenshot when script running, and full script followed.

Full script here,

$Url = 'https://technet.microsoft.com/en-us/security/rss/bulletin'
$ExcludeProducts = 'lync|Itanium|for mac'
$IncludeProducts = 'server'

$ExcludePatches = '-IA64|Windows6\.0|-RT-|ServiceBusServer'

$PatchStoreTo = '.\'

$WebClient = New-Object System.Net.WebClient
$WebClient.Encoding = [System.Text.Encoding]::UTF8

do
{
    $RSSContent = $WebClient.DownloadString($Url)
}
while(
    $(if(!$?)
    {
        Write-Host 'Failed to get RSS' -ForegroundColor Red
        Start-Sleep -Seconds 600
        $true
    })
)

([xml]$RSSContent).rss.channel.Item | Sort-Object link | %{
    $MSRC_URL = $_.link
    Write-Host "Processing: [$MSRC_URL]" -ForegroundColor Yellow
    $MSRC = ([regex]::Match($MSRC_URL, '(?i)MS\d+-\d+$')).Value
    Write-Host "MS number: [$MSRC]" -ForegroundColor Green
    if(!(Test-Path -LiteralPath "$PatchStoreTo\$MSRC"))
    {
        do
        {
            New-Item -Path "$PatchStoreTo\$MSRC" -ItemType Directory | Out-Null
        }
        while(
            $(if(!$?)
            {
                Write-Host 'Failed to create MSRC folder' -ForegroundColor Red
                Start-Sleep 300
                $true
            })
        )
    }
    Write-Host "Trying to capture KBs from MSRC URL" -ForegroundColor Yellow
    do
    {
        $MSContent = $null
        $MSContent = $WebClient.DownloadString($MSRC_URL)
    }
    while(
        $(if(!$?)
        {
            Write-Host 'Failed to capture MSRC content' -ForegroundColor Red
            Start-Sleep 300
            $true
        })
    )
    
    [regex]::Matches($MSContent, '(?i)<tr>[\s\S]+?<a href="(https?://www.microsoft.com/downloads/details.aspx\?FamilyID=[\w\-]+?)">[\s\S]*?(\d{7})') | %{
        Write-Host "KB: [$($_.Groups[2].Value)]" -NoNewline -ForegroundColor Green
        if($_.Value -imatch $ExcludeProducts)
        {
            Write-Host "   --- Excluded: [$($Matches[0])]" -ForegroundColor Red
        }
        else
        {
            if($_.Value -notmatch $IncludeProducts)
            {
                Write-Host "   --- Excluded: Not match [$IncludeProducts]" -ForegroundColor Red
                return
            }
            $KBNumber = "KB$($_.Groups[2].Value)"
            Write-Host "`nDownload URL: [$($_.Groups[1].Value)]" -ForegroundColor Gray
<#
            if(!(Test-Path -Path "$MSRC\$KBNumber"))
            {
                do
                {
                    New-Item -Name "$MSRC\$KBNumber" -ItemType Directory | Out-Null
                }
                while(
                    $(if(!$?)
                    {
                        Write-Host 'Failed to create KB folder' -ForegroundColor Red
                        Start-Sleep 300
                        $true
                    })
                )
            }
#>
            do
            {
                $KBContent = $null
                $KBContent = $WebClient.DownloadString($_.Groups[1].Value)
            }while(
                $(if(!$?)
                {
                    Write-Host 'Failed to capture KB content' -ForegroundColor Red
                    Start-Sleep 300
                    $true
                })
            )

            $KBConfirm = ([regex]::Match($KBContent, '(?i)href="(confirmation.aspx\?id=\d+)"')).Groups[1].Value
            $KBConfirm = "http://www.microsoft.com/en-us/download/$KBConfirm"
            Write-Host "KB confirm URL: [$KBConfirm]" -ForegroundColor Gray
            do
            {
                $KBContent = $null
                $KBContent = $WebClient.DownloadString($KBConfirm)
            }while(
                $(if(!$?)
                {
                    Write-Host 'Failed to capture KB download content' -ForegroundColor Red
                    Start-Sleep 300
                    $true
                })
            )

            $KBLinks = @()
            $KBLinks = [regex]::Matches($KBContent, '(?i)<a href="(http://download.microsoft.com/download/.+?)".+?>Click here</span>') | %{
                $_.Groups[1].Value
            }
            $KBLinks = @($KBLinks | Sort-Object -Unique)
            Write-Host "The KB contains updates: [$($KBLinks.Count)]" -ForegroundColor Green
            $KBLinks | %{
                $FileName = $null
                $FileName = $_.Split('/')[-1]
                if($FileName -imatch $ExcludePatches)
                {
                    Write-Host "Patch excluded: [$($Matches[0])]" -ForegroundColor Red
                    return
                }
                $FilePath = $null
                $FilePath = "$MSRC\$FileName"
                Write-Host "Going to download file: [$FilePath]" -ForegroundColor Gray
                $FilePath = "$PatchStoreTo\$FilePath"
                if(Test-Path -Path $FilePath)
                {
                    Write-Host 'File already exists, skip!' -ForegroundColor Gray
                }
                else
                {
                    do
                    {
                        $WebClient.DownloadFile($_, $FilePath)
                    }while(
                        $(if(!$?)
                        {
                            Write-Host 'Download file failed!' -ForegroundColor Red
                            Start-Sleep -Seconds 300
                            $true
                        })
                    )
                }
            }
        }
    }
}

 

PS, about the proxy, WebClient class will use proxy settings on IE automatically, if want download patches via proxy, set IE to the right settings.

2015-03-02:Updated the regular expression for KB number capture, support for https link and fix capture for enclose.

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

《期貨-市場技術分析》讀書筆記

第二本技術分析書籍,《期貨-市場分析技術》: 書中的很多內容,如趨勢、趨勢線、阻力、支撐等,也象《日本蠟燭圖》一樣,沒有邏輯推理過程,沒有數據驗證。但是我認可其確實有一定的心理暗示作用。因爲我在聽很多技術分析大 V 的視頻時,他們中的大部

BloodyAngel 2024-04-29 14:32:19

《日本蠟燭圖》讀書筆記 & 技術分析回測

最近想做一些現金流的策略,所以決定把技術分析研究得更加深入一些。朋友推薦了幾本書:《日本蠟燭圖》、《期貨市場技術分析》、《纏論》,我想挨個把它們看完,同步也嘗試做一些量化技術策略。 日本蠟燭圖 下面這本書就是上面所說的第一本: 其實,我是

BloodyAngel 2024-04-29 14:32:19

pytest lastfailed原理

相信很多使用pytest的,都知道pytest有運行上次失敗用例的參數,如下: --lf, --last-failed rerun only the tests that failed at the last run (or all

Believer007 2024-04-29 14:24:29

一個開源輕量級的C#代碼格式化工具(支持VS和VS Code)

前言 C#代碼格式化工具除了ReSharper和CodeMaid,還有一款由.NET開源、免費(MIT License)、輕量級的C#語言代碼格式化工具:CSharpier。 工具介紹 CSharpier是一款開源、免費、輕量級的C#語言代

追逐時光 2024-04-29 14:22:08

頂級 Javaer 都在用的 20 個類庫,真香!

優秀且經驗豐富的Java開發人員的特徵之一是對API的廣泛瞭解,包括JDK和第三方庫。 我花了很多時間來學習API,尤其是在閱讀了Effective Java 3rd Edition之後 ,Joshua Bloch建議在Java 3rd E

Java技術棧 2024-04-29 14:21:48

Linux內核之SPI協議

SPI(Serial Peripheral Interface,串行外設接口)是一種同步串行的行業標準,但是並沒有像I2C那樣有標準文檔,它還有主從、可片選的特性。 圖源自Serial Peripheral Interface-wikip

藍天上的雲℡ 2024-04-29 14:21:38

mongodb處理json數據很好

mysql只適合處理簡單的一級數據表 複雜嵌套的json用mongodb mongodb實現: 插入: //切記數字不要帶引號,帶引號就字符串了,就無法比較大小了. //每一個對象都用{}包起來.這樣查詢時候方便多了.雖然插入寫起

張博的博客 2024-04-29 14:20:08

【Nano Framework ESP32篇】使用 LCD 屏幕

在開始主題之前,先介紹一個刷固件工具。這個工具在 idf 中是集成的,不過,樂鑫也單獨發佈了這個工具—— esptool。下載鏈接:Releases · espressif/esptool · GitHub。這貨是用 Python 寫的,只

東邪獨孤 2024-04-29 14:16:57

雙token+redis(token無感刷新)

爲什麼要使用雙token+redis呢?單token+redis+自動續期不行嗎? 單token+redis的缺點: 可能會出現用戶正在操作的時候,token過期了,讓用戶重新登錄的情況。 單token+redis+自動續期的缺點: 單to

uper超人 2024-04-29 14:15:37

cookie,session,token的區別

cookie,session,token它們本質上不是同一個東西。但是都跟維持狀態信息有關係。 什麼是狀態信息呢? 我來用一個登錄來個大家講解。 如果我們登錄以後,希望後續的所有的頁面都維持登錄的狀態,那我們就需要用剛剛講到的cookie,

uper超人 2024-04-29 14:15:37

Asp .Net Core 系列:國際化多語言配置

目錄概述術語本地化器IStringLocalizer在服務類中使用本地化IStringLocalizerFactoryIHtmlLocalizerIViewLocalizer資源文件區域性回退配置 CultureProvider內置的 Re

IT技術派 2024-04-29 14:14:57

編譯原理PL0語法分析實驗1

編譯原理PL0語法分析實驗1 1,待分析的簡單語言的詞法相同點:都是分析種別碼不同點:詞法分析器分析的是字符串中的單詞的種別碼(單詞)語法分析器分析的是字符串的文法是否正確(句子)待分析的簡單語言的語法 BNF:(1)<程序>::=begi

孤獨的貓 2024-04-29 14:13:26

google瀏覽器插件開發

項目結構 在開發Chrome插件時,以下幾個文件的作用如下: manifest.json:這是Chrome插件的清單文件,用於配置插件的基本信息、權限、頁面跳轉等。其中包括插件的名稱、版本號、圖標、後臺腳本、瀏覽器動作等信息。 ba

張佔嶺 2024-04-29 14:12:46

element表單中選擇 el-date-picker 選擇後沒反應

折騰一早上沒有用直到百度到了 https://blog.csdn.net/KeepReal666/article/details/134471038 解決辦法:直接加上@input="$forceUpdate()"即可。

York 2024-04-29 14:09:56

什麼是SQL 語句中相關子查詢與非相關子查詢

1.什麼是SQL子查詢 要理解相關子查詢和非相關子查詢,我們得首先理解什麼是子查詢,子查詢是指在一個查詢語句中嵌套的另一個查詢語句。 子查詢可以嵌套在其他查詢語句中,如 SELECT、INSERT、UPDATE、DELETE 等,它作爲一個

魯邊 2024-04-29 14:06:35