Thank you for installing Microsoft Baseline Security Analyzer version 1.1.

OVERVIEW

This document covers:

 How to use the Microsoft Baseline Security Analyzer

 What's New in Microsoft Baseline Security Analyzer Version 1.1

 System and Language Applicability

 System Requirements

 Obtaining an XML Parser

 Tool Scanning Options

 Command Line Options

 Notes on Scanning

 Reporting Bugs or Providing Feedback

HOW TO USE THE MICROSOFT BASELINE SECURITY ANALYZER

The graphical user interface version of the tool is run by executing MBSA.exe from the folder in which the tool was installed. The command line version is run by executing mbsacli.exe in a command window (from the folder in which the tool was installed).

WHAT'S NEW IN MICROSOFT BASELINE SECURITY ANALYZER VERSION 1.1

The following features have been added in Version 1.1:

SYSTEM AND LANGUAGE APPLICABILITY

Microsoft Baseline Security Analyzer version 1.1 may be run on Windows 2000 or Windows XP computers. It can scan Windows NT 4, Windows 2000, and Windows XP computers. Note: only local scans can be performed against Windows XP Home Edition computers, and against Windows XP Professional computers that use the simple file sharing model (remote administrative access is not available in that mode). This tool will NOT operate on Windows 95, Windows 98, or Windows Me systems.

Microsoft Baseline Security Analyzer is currently not localized for languages other than English. Localization will be included in a future version of the tool.

SYSTEM REQUIREMENTS

The following are the requirements when scanning a local computer:

The following are the requirements for a computer running the tool that is scanning remote machine(s):

The following are the requirements for a computer to be scanned remotely by the tool:

Please see Q303215 for more information on these services.

Users must have local administrative privileges on each computer being scanned, whether a local or remote scan is being performed.  

Note: the tool will scan against Windows .Net Server but this operating system is not officially supported in Version 1.1.

OBTAINING AN XML PARSER

XML parsers have shipped in each version of Internet Explorer since IE 5.01. If you are running IE 5.01 or greater, you do not need to install a separate parser. 

If you are running an earlier version of Internet Explorer and do not wish to upgrade to IE 5.01 or greater, you may download and install a standalone version of the Microsoft XML parser. MSXML version 3.0 SP2 is available from the following location:

http://msdn.microsoft.com/downloads/default.asp?url=/downloads/sample.asp?url=/msdn-files/027/001/772/msdncompositedoc.xml

  (above URL may have been wrapped for readability)

Additional information on the Microsoft XML parser is available from

  http://www.microsoft.com/xml

If you are running IE 5.01 or greater and the tool is still unable to read or locate the XML file, another application may have unregistered the XML parser. To re-register it, run the following at a command prompt:

  regsvr32 msxml.dll

If you installed the standalone MSXML 3.0 parser described above, its component is msxml3.dll, so re-register that file instead.

TOOL SCANNING OPTIONS

The following parts of a scan are optional and can be turned off in the tool user interface prior to scanning a computer:

Note the security update checks performed on the computer use the HFNetChk technology which is automatically installed during setup.

COMMAND LINE OPTIONS

There are two types of scans that can be performed using the MBSA command line interface:  MBSA-style scans and HFNetChk-style scans.

MBSA-Style Scans

The MBSA-style scan will store results, as was done in MBSA V1.0, in individual XML files to later be viewed in the MBSA UI. MBSA-style scans include the full set of available Windows, IIS, SQL, Desktop Application, and security update checks. Note that, to perform the same scan as the MBSA GUI, users must explicitly pass the /baseline, /v, and /nosum switches (the MBSA-style counterparts of the HFNetChk -b, -v, and -nosum switches).

The tool can be run from the command line (in the Microsoft Baseline Security Analyzer installation folder) using "mbsacli.exe" with the following parameters:

Selecting computer to scan

<no option> - Scan the local computer

/c <domainname>\<computername> - Scan the named computer

/i <xxx.xxx.xxx.xxx> - Scan the named IP

/r <xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx> - Scan range of IP addresses

/d <domainname> - scan named domain

Selecting which scan options NOT to perform (can concatenate like /n OS+IIS+Updates)

/n IIS - Skip IIS checks

/n OS - Skip Windows Operating System (OS) checks

/n Password - Skip password checks

/n SQL - Skip SQL checks

/n Updates - Skip security update checks

Security update scan options

/sus <SUS server> - Check only for security updates approved at the specified SUS server

/s 1 - Suppress security update check notes

/s 2 - Suppress security update check notes and warnings

/nosum - Security update checks will not test file checksums

/baseline - Check only for baseline (Windows Update critical) security updates

/v - Display security update details, including why an update is reported as not found

Specifying output file name template

/o <template> - File name template for the report written for each scanned computer; the default form is %domain% - %computername% (%date%), and the %domain%, %computername%, and %date% tokens are expanded per computer

Displaying results and details

/e - List errors from latest scan

/l - List all reports available

/ls - List of reports from latest scan

/lr <report name> - Display overview report

/ld <report name> - Display detailed report

Miscellaneous options

/? - Usage help

/qp - Don't display progress

/qe - Don't display error list

/qr - Don't display report list

/q - Don't display any of the above

/f - Redirect output to a file


HFNetChk-Style Scans

The HFNetChk-style scan will check for missing security updates and will display scan results as text in the command line window, as is done in the standalone HFNetChk tool. MBSA V1.1 includes the "/hf" flag, which tells the MBSA engine to run an HFNetChk scan. The HFNetChk switches listed below can be used after the "/hf" flag is specified on the command line. Note that, to perform the same scan as the MBSA GUI, users must explicitly pass the -b, -v, and -nosum switches.

Note:  the MBSA-style scan parameters listed above cannot be combined with the /hf flag option.

The tool can be run from the command line (in the Microsoft Baseline Security Analyzer installation folder) using "mbsacli.exe /hf" followed by any of the parameters below. For a full description of each parameter, please see KB article Q303215.

Selecting computer to scan

-h <hostname> - Scan the named NetBIOS computer name. Default location is the local host. Multiple hosts can be scanned by separating host names with a comma.

-fh <filename> - Scans the NetBIOS computer names specified in the named text file. Specify one computer name on each line in the .txt file, with a 256 name maximum.

-i <xxx.xxx.xxx.xxx> - Scans the named IP address. Multiple IP address can be scanned by separating each entry with a comma.

-fip <filename> - Scans the IP addresses specified in the named text file. Specify one IP address on each line in the .txt file, with a 256 entry maximum.

-r <xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx> - Specifies IP address range to be scanned.

-d <domainname> - Specifies the domain name to be scanned.

-n - Specifies that all computers on the local network should be scanned. All computers from all domains in Network Neighborhood are scanned.

Specifying which scan options should/should not be performed or displayed

-sus <SUS filename | SUS server> - Specify a SUS text file or a SUS URL from which to obtain the SUS file. If a file or server is not specified then the engine will try to use the value stored in the local machine registry.

-b - Scans a computer only for those updates that are marked as baseline critical by the Microsoft Security Response Center.

-fq <filename> - Specifies the name of a file that contains Qnumbers to suppress on output. Specify one Qnumber per line. This switch only suppresses the specified item(s) from being displayed in the output; it does not remove the item(s) from consideration during the course of a scan.

-s - Suppresses NOTE and WARNING messages. The default is not to suppress either of these message types. The following options are used with this switch:

    (1) Suppresses NOTE messages only.
    (2) Suppresses both NOTE and WARNING messages.

-nosum - Specifies to not perform checksum validation for the security update files. You do not need to use this switch under typical circumstances.

-sum - Forces a checksum scan when scanning a non-English language system. Use this switch only if you have a custom XML file with language-specific checksums.

-z - Specifies to not perform registry checks.

-history - Displays updates that have been explicitly installed, explicitly not installed, or both. This switch is not necessary for normal operation; you do not need to use it except under very specific circumstances. The following options are used with this switch:

    (1) displays those updates that have been explicitly installed.
    (2) displays those updates that have been explicitly not installed.
    (3) displays those updates that have explicitly been installed and not installed.

-v - Displays the reason why a test did not work in wrap mode. You can use this switch to display the reason why a security update is considered "not found" or if you receive a NOTE or WARNING message.

Specifying output format and file names

-o - Specifies the desired output format. The following options are used with this switch:

    (tab) Displays output in tab-delimited format.
    (wrap) Displays output in word-wrapped format.

-f <filename> - Specifies the name of a file in which to store the results. You can use the switch in both wrap and tab output.

Miscellaneous options

-t <threads> - Specifies the number of threads used to run the scan. Possible values are 1 to 128, with the default value being 64. This switch can be used to throttle the scanner down (or up); a lower value reduces the burst of simultaneous connections and logon events seen by the scanned hosts.

-u <username> - Specifies the user name to use when scanning a local or remote computer or groups of computers. You must use this switch with the -p (password) switch.

-p <password> - Specifies the password to use when scanning a local or remote computer or groups of computers. You must use this switch with the -u (username) switch. The password is not sent over the network in clear text; HFNetChk uses the challenge-response authentication built into Windows NT 4.0 and later. Note, however, that a password given on the command line is visible on the scanning host itself, in the process list and in any command history or batch file that contains it, so prefer running the scan under an account that already has the required rights and omit -u/-p where possible.

-x <source> - Specifies the XML data source that contains the available security update information. The location may be an XML file name, a compressed XML .cab file, or a Uniform Resource Locator (URL). When this switch is not used, the default Mssecure.cab (containing mssecure.xml) is downloaded from the Microsoft Web site. Use this switch to point at a locally stored copy when the scanning host has no Internet access.

-ver - Checks if you are running the latest available version of HFNetChk.

-trace - Creates a debug log to assist with troubleshooting (hf.log in the local directory). This switch must be the first switch specified in the command line and may be used in conjunction with other switches.

-about - Displays information about HFNetChk.

-? - Displays a menu. You can also call this switch by using the /? syntax. The menu is also displayed any time that you pass incorrect syntax at a command prompt.
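The -fh and -fip switches accept at most 256 entries per file, so scanning a large address range of the kind /r and -r accept means splitting it across several host files and several mbsacli invocations. The following Python helper, added here as an example and not part of MBSA or this readme, expands a "start - end" range, splits it into 256-address chunks, and builds the HFNetChk-style command line for each chunk using only switches documented above (-fip, -b, -v, -o tab, -f). The file names hosts_NN.txt and results_NN.txt are this example's own choice, and -u/-p are deliberately left out so no password lands on the command line.

```python
"""Expand an IP range into -fip host files for mbsacli /hf.

Added example; not part of MBSA or of its readme. The /r and -r switches
take a "start - end" range, and -fip / -fh take a text file with one entry
per line and a 256-entry maximum, so a large range has to be split across
several files. The output file names (hosts_NN.txt, results_NN.txt) are an
assumption made for this example.
"""
import ipaddress
import os
from typing import List, Sequence, Tuple

FIP_MAX_ENTRIES = 256  # limit the readme gives for -fip and -fh files


def expand_range(spec: str) -> List[str]:
    """Expand 'a.b.c.d - w.x.y.z' (the /r and -r form) into dotted quads."""
    try:
        start_s, end_s = (part.strip() for part in spec.split("-", 1))
    except ValueError:
        raise ValueError(f"expected 'start - end', got {spec!r}") from None
    start = ipaddress.IPv4Address(start_s)
    end = ipaddress.IPv4Address(end_s)
    if end < start:
        raise ValueError(f"range end {end} precedes start {start}")
    return [str(ipaddress.IPv4Address(int(start) + i))
            for i in range(int(end) - int(start) + 1)]


def chunk(items: Sequence[str], size: int = FIP_MAX_ENTRIES) -> List[List[str]]:
    """Split items into consecutive lists of at most `size` entries."""
    if size < 1:
        raise ValueError("chunk size must be positive")
    return [list(items[i:i + size]) for i in range(0, len(items), size)]


def plan_scans(spec: str, out_dir: str,
               baseline: bool = True) -> List[Tuple[str, List[str], List[str]]]:
    """Return (host file path, addresses, mbsacli argv) for each 256-entry chunk.

    The argv uses the HFNetChk-style switches the readme documents:
    -fip <file>, -b (baseline only), -v, -o tab and -f <results file>.
    -u/-p are left out on purpose: a password on the command line is visible
    to anyone who can list processes on the scanning host.
    """
    jobs = []
    for n, block in enumerate(chunk(expand_range(spec)), start=1):
        hosts = os.path.join(out_dir, f"hosts_{n:02d}.txt")
        results = os.path.join(out_dir, f"results_{n:02d}.txt")
        argv = ["mbsacli.exe", "/hf", "-fip", hosts]
        if baseline:
            argv.append("-b")
        argv += ["-v", "-o", "tab", "-f", results]
        jobs.append((hosts, block, argv))
    return jobs


def write_host_files(jobs) -> List[str]:
    """Write each chunk's host file (one address per line, CRLF) and return the paths."""
    written = []
    for hosts, block, _argv in jobs:
        os.makedirs(os.path.dirname(hosts) or ".", exist_ok=True)
        with open(hosts, "w", newline="\r\n") as fh:
            fh.write("\n".join(block) + "\n")
        written.append(hosts)
    return written


if __name__ == "__main__":
    # Constructed range: 600 addresses, so three host files (256, 256, 88).
    for hosts, block, argv in plan_scans("10.0.0.1 - 10.0.2.88", r"C:\scans"):
        print(f"{hosts}: {len(block)} hosts -> {' '.join(argv)}")
```

Each command in the plan is an ordinary mbsacli /hf invocation; run write_host_files first, then each argv from the installation folder. The tab output selected with -o tab is the easier form to post-process across many result files.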


NOTES ON SCANNING

Scan Reports

Scan reports will be stored on the computer on which the tool is installed under the %userprofile%\SecurityScans folder. An individual security report will be created for each computer scanned (locally and remotely). Users must use Windows Explorer to rename or delete scans created by the tool in this folder.
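Because one report file is written per scanned computer and repeated scans accumulate in the same folder, a practitioner usually wants the newest report for each machine. The following Python helper, added here as an example and not part of MBSA, parses file names that follow the /o template "%domain% - %computername% (%date%)" and keeps the most recently modified file per domain\computer. The %date% text is kept verbatim because its exact format is not specified in this readme, and the sample listing in the block is constructed for the example.

```python
r"""Find the newest MBSA-style report per computer under SecurityScans.

Added example, not part of MBSA. Reports are stored under
%userprofile%\SecurityScans, one XML file per scanned computer, named by
the /o template "%domain% - %computername% (%date%)". This parses such names
(the %date% text is kept verbatim; its format is not specified in the readme)
and picks the newest file per domain\computer by modification time.
SAMPLE_LISTING is constructed for this example.
"""
import os
import re
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# Matches "<domain> - <computer> (<date>).xml". Domain and computer are
# non-greedy so the first " - " and the last " (" act as separators.
REPORT_NAME = re.compile(
    r"^(?P<domain>.+?) - (?P<computer>.+?) \((?P<date>.+)\)\.xml$", re.IGNORECASE
)


class Report(NamedTuple):
    domain: str
    computer: str
    date: str
    path: str
    mtime: float


def _basename(path: str) -> str:
    """Last path component, accepting both \ and / so the code runs anywhere."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def default_scan_dir() -> str:
    r"""%userprofile%\SecurityScans, falling back to the home directory."""
    profile = os.environ.get("USERPROFILE") or os.path.expanduser("~")
    return os.path.join(profile, "SecurityScans")


def parse_report(path: str, mtime: float) -> Optional[Report]:
    """Return a Report for a file that follows the MBSA naming template, else None."""
    m = REPORT_NAME.match(_basename(path))
    if not m:
        return None
    return Report(m["domain"], m["computer"], m["date"], path, mtime)


def latest_reports(listing: Iterable[Tuple[str, float]]) -> Dict[str, Report]:
    """Newest report per DOMAIN\\COMPUTER from (path, mtime) pairs."""
    latest: Dict[str, Report] = {}
    for path, mtime in listing:
        rep = parse_report(path, mtime)
        if rep is None:
            continue  # not a report, e.g. a stray file dropped in the folder
        key = f"{rep.domain}\\{rep.computer}".upper()
        if key not in latest or mtime > latest[key].mtime:
            latest[key] = rep
    return latest


def index_scan_dir(scan_dir: Optional[str] = None) -> Dict[str, Report]:
    """Index the real SecurityScans folder (read-only; never renames or deletes)."""
    scan_dir = scan_dir or default_scan_dir()
    listing = []
    for name in os.listdir(scan_dir):
        full = os.path.join(scan_dir, name)
        if os.path.isfile(full):
            listing.append((full, os.path.getmtime(full)))
    return latest_reports(listing)


# Constructed sample listing (path, mtime) standing in for a directory walk.
SAMPLE_LISTING = [
    (r"C:\Documents and Settings\admin\SecurityScans\CORP - HOST1 (1-15-2003 10-30 AM).xml", 100.0),
    (r"C:\Documents and Settings\admin\SecurityScans\CORP - HOST1 (1-16-2003 9-05 AM).xml", 200.0),
    (r"C:\Documents and Settings\admin\SecurityScans\CORP - HOST2 (1-15-2003 10-31 AM).xml", 150.0),
    (r"C:\Documents and Settings\admin\SecurityScans\notes.txt", 300.0),
]


if __name__ == "__main__":
    for key, rep in sorted(latest_reports(SAMPLE_LISTING).items()):
        print(f"{key}: {rep.date} ({_basename(rep.path)})")
```

The helper only reads the folder; as the paragraph above notes, renaming or deleting report files is done through Windows Explorer rather than by the tool.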

Security Updates Scan

By default, a security update scan executed from the MBSA GUI or from mbsacli.exe (MBSA-style scan) will scan for and report missing updates marked as critical security updates in Windows Update (WU), also referred to as "baseline" critical security updates. When a security update scan is executed from mbsacli.exe using the /hf switch (HFNetChk-style scan), all security updates in the update data, not only the baseline set, are scanned and reported; a user running an HFNetChk-style scan must use the -b option to limit the scan to WU critical security updates. When the SUS option is chosen, all security updates marked as approved by the SUS Administrator, including updates that have been superseded, will be scanned and reported by MBSA.

Password Checks

The password checks can add a substantial amount of time to a scan, depending on the computer role and the number of user accounts on the computer. In addition, attempts to check individual accounts for weak passwords will add Security log entries (Logon/Logoff events, including failed logons) if auditing is enabled on the computer, so expect a burst of such events from the scanning host and account for it in any alerting. Note that the tool will reset any account lockout policy detected on the computer so as not to lock out individual user accounts during the password check; because this changes the policy while the check runs, confirm that the lockout policy is still in effect after the scan completes. This check is not performed on domain controllers.

If this option is unchecked prior to scanning a computer, both the local Windows and SQL account password checks will not be performed.

SQL Checks

The tool checks for vulnerabilities on each instance of SQL Server found on the computer. All individual SQL checks will be performed on each instance.

Localized Windows Builds

Version 1.1 of the tool can scan localized builds of the Windows operating system, however this version is not fully supported or tested on non-English builds. Additional languages will be tested and supported in the next release of the tool.

REPORTING BUGS OR PROVIDING FEEDBACK

A Microsoft Baseline Security Analyzer newsgroup has been created for users to post questions and obtain information on tool updates, technical questions, and upcoming versions:

    News server:  Msnews.microsoft.com
    Newsgroup:  Microsoft.public.security.baseline_analyzer

When reporting bugs to this newsgroup, please include the following information:

Microsoft Baseline Security Analyzer was developed for Microsoft by Shavlik Technologies LLC (http://www.shavlik.com/security).