CDROM-Guide forums

Go Back   CDROM-Guide forums > Main Forums > Open to All Computer Related Topics > Computer Networking & Security
FAQ Calendar Mark Forums Read
Open   CSec   Data   DevDrv   CoOp   Audio   CDRW   CDG   VCD   DVD   HD DVD   Mac   VGB   PS2   DC   Xbox  

Thread Tools Display Modes
Old Aug 19, 2005, 04:08 PM
fititwright fititwright is offline
Join Date: Aug 2005
Posts: 4
Default Mbsa help

sponsored links
I need help figuring out how to batch a job with Microsoft Baseline Security ****yzer. What I'm trying to do is create a batch file that will scan about 30 servers and produce a html report if possiable. Or even a batch file that looks for a text file that has a list of severs to scan.

Thanks in advance....

Old Aug 21, 2005, 05:05 PM
fititwright fititwright is offline
Join Date: Aug 2005
Posts: 4

Here are my options but I cant seem to get it right...

To perform a full scan of one or more computers:

MBSACLI [/target {[domain\]computer | IP} | /r IP-IP | /d domain] [/n option[+option...]]
[/o template] [/qp] [/qr] [/qe] [/qt] [/q][/listfile file] [/wa | /wi]
[/catalog file] [/nvc] [/nai] [/nm] [/nd] [/u username /p password] To scan the local computer for updates only, sending the results to standard output (STDOUT) in XML:

MBSACLI [/xmlout] [/unicode] [/wa | /wi] [/nd] [/catalog file] To scan one or more computers for updates only, creating reports that can be displayed by MBSA:

MBSACLI [/target {[domain]\computer | IP} | /r IP-IP | /d domain] [/n OS+IIS+SQL+Password]
[/o template] [/qp] [/qr] [/qe] [/qt] [/q] [/unicode][/listfile file]
[/wa | /wi] [/catalog file] [/nvc] [/nai] [/nm] [/nd] [/u username /p password] To display a report:

MBSACLI [/l] [/ls] [/lr report] [/ld report] [/nvc] To display usage information:

MBSACLI [/?]Parameters
You cannot use any of these parameters more than once each time you run the command.

/target [domain\]computer | IP
Scans the specified computer. You can identify the computer by using its IP address or its name and, optionally, the domain to which it belongs.
/r IP-IP
Scans all the computers that are identified by a range of IP addresses.
/d domain
Scans all the computers in the specified domain.
/n option[+option...]
Excludes the specified scan types from the scan. You can specify the following options, separating them with a plus sign (+):
Excludes Windows administrative vulnerability checks
Excludes SQL Server administrative vulnerability checks
Excludes IIS administrative vulnerability checks
Excludes password vulnerability checks
/o template
Specifies the template that MBSA uses when naming the XML output file. You can use these symbols to represent computer-specific information:
Replaced with the name of the computer's domain
Replaced with the name of the computer
Replaced with the date and time when the scan was performed
Replaced with the computer's IP address
The default file-name template is %d - :%c% (%t%).

You can also use the variable names that were supported by previous versions of MBSA: %domain%, %computername%, and %date%.

Does not display scan progress.
Does not display the report list.
Does not display the error list.
Does not display the text output after scanning a single computer.
Does not display scan progress, the report list, the error list, or text output.
/listfile file
Scans the computers identified in a file. The file argument is the path and name of a text file in ASCII or Unicode format that contains one or more IP addresses or computer names. Each IP address or computer name must appear on a separate line.
Checks the local computer for security updates only, displaying the results as XML text. To save the report in a file, use command redirection to redirect standard output (STDOUT) to a file, for example, mbsacli /xmlout > output.xml.
For more information about using this parameter, see Security Updates Scan.

Scans only for security updates that are approved on the computer's Update Services server. The Microsoft Update web site and the offline catalog are not used. This parameter cannot be used with the /wi parameter.
Uses only the Microsoft Update web site or offline catalog for security update information. Updates that are not approved on the computer's Update Services server are displayed as though they were approved. This parameter cannot be used with /wa parameter. Use this parameter to scan computers whose assigned Update Services servers are not available.
/catalog file
Specifies the offline catalog containing the security update information to be used when scanning. The offline catalog must be a .cab file signed by Microsoft. The default offline catalog is, which is downloaded from the Microsoft Web site. When this parameter is not used, is downloaded from the Microsoft Web site if it is different from the locally cached version. Using this parameter prevents a newer file from being downloaded, and so should be used with care. The file argument must specify a file located on the computer performing the scan.
Prevents MBSA from checking for a newer version of MBSA.
Prevents MBSA from installing or updating the Windows Update Agent on the computer being scanned. When this parameter is used, computers that do not have the required version of Automatic Updates will return an error in the report, and computers that do not have Windows Installer 3.0 or later may receive incomplete results from Microsoft Office and other products that require Windows Installer 3.0 for scanning.
Scans computers by using an offline catalog instead of the Windows Update site. Depending on the size of the offline catalog and network load, using this parameter may cause MBSA to take more time to or more network bandwidth.
Do not download any files from the Microsoft Web site when scanning. Use this parameter to prevent the download of,, WindowsUpdateAgent20-x86.exe and WindowsUpdateAgent20-x64.exe during the scanning process. When this parameter is selected, MBSA will use any previously downloaded copies of the files. If you want, you can download the files yourself and place them in C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache. This parameter applies only to downloads from the Microsoft Web site to the scanning computer. Downloads from the scanning computer to the target computer are automatic and cannot be disabled if the corresponding features are used.
/u username /p password
Specifies the user name and password to be used when scanning a remote computer. The /u and /p parameters must be used together and cannot be used when scanning the local computer. The specified user must have administrative privileges on the computer being scanned. For security purposes, the password is not sent over the network in clear text. Instead, MBSA uses the Windows challenge-response mechanism to secure the authentication process.
Lists all available reports.
Lists reports from the most recent scan.
/lr report
Displays an overview of the specified report.
/ld report
Displays the details of the specified report. When scanning a single computer, this is the default behavior unless the /qt parameter is used.
Produces the report with Unicode characters. Users running Japanese MBSA or scanning computers running Japanese Windows should specify this parameter.
Displays usage information for the command-line tool.
Selecting a computer to scan
Use the following parameters to specify the computer to be scanned. If you do not specify one of these parameters on the command line, MBSA scans the local computer, that is, the computer on which it is running.

/target [domain\]computer
Scans the named computer. The domain or workgroup name is optional.
/target nnn.nnn.nnn.nnn
Scans the computer identified by the specified IP address.
/r nnn.nnn.nnn.nnn-nnn.nnn.nnn.nnn
Scans the computers identified by a range of IP addresses.
/listfile filename
Scans each computer identified by name or IP address listed in the specified file. Place each computer name or IP address on a separate line in either an ASCII or UNICODE format text file.
/d domain
Scans all computers in the specified domain.
Excluding specific checks
To exclude a specific check from scan, use the /n parameter with the keyword for that check. The following are the keywords you can use with the /n parameter.

/n IIS
Skips IIS checks
/n OS
Skips Windows Operating System (OS) checks. This also skips the Internet Explorer and Outlook zone checks and the Office macro security checks.
/n Password
Skips password checks.
/n SQL
Skips SQL Server/MSDE checks.
/n Updates
Skips security update checks.


C:\Program Files\Microsoft Baseline Security ****yzer 2\mbsacli.exe /listfile c:
\mbsadata\ken.txt /wi /o mbsaresults.xml /n password
Old Oct 08, 2005, 02:26 PM
teilo teilo is offline
Join Date: Oct 2005
Location: cardiff
Posts: 1
Post Mbsa - Alternative script

This way works and it uses the .js scripts in the mbsasamples.exe download from the microsoft site.This will create the individual xml scans as if run through must install the mbsasamples.exe first.

cd to the dir containing the .js files & run batchscan from the command line as:

cscript BatchScan.js /c listfile.txt (listfile contains your hostnames/IP's etc)
this will output to the securityscans folder in your profile....
see this link for details:


Worked for me anyway hope this helps

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

All times are GMT -5. The time now is 04:09 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Copyright © 1996-2009 All rights reserved