There are a few command-line tools that can help you identify problems, query for information, or speed up the detection update process. The following is a list of these tools:
■ WSUS Client Diagnostics Tool (ClientDiag.exe) Downloadable from Microsoft's Web site.
■ Wuauclt.exe Part of the Windows source code after an AU client is installed.
■ Gpupdate.exe and Secedit.exe Gpupdate.exe is part of Windows XP and Windows Server 2003 source code. Secedit.exe is built into Windows 2000 source code.
■ Gpresult.exe and RSoP.msc Gpresult.exe is part of the Windows 2000 Resource Kit, Supplement 1, and RSoP (RSoP.msc) is part of Windows XP and Windows Server 2003 source code.
■ Regsvr32.exe Part of all Windows source code.
■ Srvinfo.exe and Uptime.exe Part of the Windows 2000 and 2003 Resource Kits.
■ Reg.exe Part of the source code in Windows XP and Windows Server 2003, and part of the Windows 2000 Resource Kit, Supplement 1.
The WSUS Client Diagnostic Tool is a simple utility that reports the status of your AU client, its configuration, and its ability to connect to your WSUS server. The ClientDiag.exe utility has only one command-line parameter, which dumps the results to the ClientDiag.log log file in addition to displaying them on the screen. To run the diagnostic tool this way, type ClientDiag.exe /t. (A successful run of the utility is shown in Figure 7.27.) The WSUS server location in the registry was then changed to show you what might happen if there is a problem resolving or contacting your WSUS server by name (see Figure 7.28).
Figure 7.27 Showing a Successful ClientDiag Output
Command Prompt - clientdiag
WSUS Client Diagnostics Tool
Checking Machine State
Checking for admin rights to run tool PASS
Background Intelligent Transfer Service is not running. PASS
This version is WSUS 2.0
AU Option is 4: Scheduled Install PASS
Option is from Policy settings
Checking Proxy Configuration
Checking for winhttp local machine Proxy settings . . . PASS
Winhttp local machine access type (Direct Connection)
Winhttp local machine Proxy NONE
Winhttp local machine ProxyBypass NONE
Checking User IE Proxy settings PASS
User IE Proxy NONE
User IE ProxyByPass NONE
User IE AutoConfig URL Proxy NONE
User IE AutoDetect AutoDetect not in use
UseWuServer is enabled PASS
Connection to server PASS
SelfUpdate folder is present PASS
Press Enter to Complete.
Figure 7.28 Showing a ClientDiag Error
Command Prompt - clientdiag
WSUS Client Diagnostics Tool
Checking Machine State
Checking for admin rights to run tool PASS
Automatic Updates Service is running. PASS
Background Intelligent Transfer Service is not running. PASS
Wuaueng.dll version 188.8.131.529 PASS
This version is WSUS 2.0
Checking AU Settings
AU Option is 4: Scheduled Install PASS
Option is from Policy settings
Checking Proxy Configuration
Checking for winhttp local machine Proxy settings . . . PASS
Winhttp local machine access type (Direct Connection)
Winhttp local machine Proxy NONE
Winhttp local machine ProxyBypass NONE
Checking User IE Proxy settings PASS
User IE Proxy NONE
User IE ProxyByPass NONE
User IE AutoConfig URL Proxy NONE
User IE AutoDetect AutoDetect not in use
Checking Connection to WSUS/SUS Server
WUServer = http://bogus
WUStatusServer = http://wsus
UseWuServer is enabled PASS
VerifyWUServerURL() failed with hr=0x80072ee7 The server name or address could not be resolved
Press Enter to Complete.
The ClientDiag.exe utility can be downloaded from Microsoft.com/downloads or from the official home of WSUS at http://www.microsoft.com/windowsserversystem/updateservices.
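The following added example (not part of the original text and not a Microsoft tool) shows one way to triage a ClientDiag.log file collected with /t: it gathers the check results and reported server settings and decodes a failing HRESULT such as the one in Figure 7.28. It assumes the log uses the same layout as the console output and that FAIL is the failing status word; the sample log is constructed.

```python
import re

# Constructed sample modelled on the failing run in Figure 7.28. Assumption:
# ClientDiag.log has the same layout as the console output.
SAMPLE_LOG = """\
Checking Machine State
    Checking for admin rights to run tool . . . . . . . . . PASS
Checking Connection to WSUS/SUS Server
    WUServer = http://bogus
    WUStatusServer = http://wsus
    UseWuServer is enabled. . . . . . . . . . . . . . . . . PASS
VerifyWUServerURL() failed with hr=0x80072ee7
"""

# FAIL is an assumed status word; the figures only show PASS and NONE.
STATUS = re.compile(r"^\s*(?P<check>.+?)[\s.]*\b(?P<status>PASS|FAIL|NONE)\s*$")
SETTING = re.compile(r"^\s*(?P<name>\w+)\s*=\s*(?P<value>\S+)\s*$")
HRESULT = re.compile(r"(?P<func>\w+)\(\) failed with hr=(?P<hr>0x[0-9a-fA-F]{8})")

# WinHTTP/WinINet error codes that usually explain an unreachable update server.
NET_CODES = {12002: "request timed out",
             12007: "server name or address could not be resolved",
             12029: "connection to the server could not be established"}

def decode_hresult(hr):
    """Split a 32-bit HRESULT into its failure bit, facility and code."""
    return {"failure": bool(hr >> 31), "facility": (hr >> 16) & 0x7FF, "code": hr & 0xFFFF}

def triage(log_text):
    """Collect check results, reported settings and decoded errors from the log."""
    report = {"checks": {}, "settings": {}, "errors": []}
    for line in log_text.splitlines():
        if m := HRESULT.search(line):
            hr = int(m["hr"], 16)
            report["errors"].append({"function": m["func"], "hr": hr, **decode_hresult(hr)})
        elif m := SETTING.match(line):
            report["settings"][m["name"]] = m["value"]
        elif m := STATUS.match(line):
            report["checks"][m["check"]] = m["status"]
    return report

def findings(report):
    """Return one line per failed check or decoded error."""
    out = [f"{c}: FAIL" for c, s in report["checks"].items() if s == "FAIL"]
    for e in report["errors"]:
        known = e["facility"] == 7 and e["code"] in NET_CODES  # 7 = FACILITY_WIN32
        meaning = NET_CODES[e["code"]] if known else "look up the HRESULT"
        out.append(f'{e["function"]} hr=0x{e["hr"]:08x}: {meaning}')
    return out
```

Run over logs gathered from many clients, the `settings` dictionary also shows at a glance which machines report a WUServer value other than the one your policy is supposed to deliver.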
By default, Group Policy is set to update clients every 90 minutes with a random offset. If you need to push out WSUS client configuration changes more quickly, use the following commands to force a client policy update. As with the commands that were run earlier, both gpupdate.exe and secedit.exe can be used to force your clients to pull new Group Policy settings.
For Windows XP and Windows Server 2003 machines, run the following command:
gpupdate /target:computer /force
For Windows 2000 machines, issue the following command:
secedit /refreshpolicy machine_policy /enforce
To force a client detection update from your WSUS server, type the following built-in AU client command:
When setting up large server environments, you usually end up with a very complex OU and Group Policy configuration: different groups of servers have different downtime schedules, development servers need different WSUS client settings than production servers, and so on. Consequently, you may find yourself with some GPO conflicts. To show the final set of policies applied to your WSUS clients, you can use one of the following tools, depending on the client version. Gpresult.exe is a command-line utility with switch options that prints out all of the policies that the machine has applied or denied. Following is the syntax for this command:
usage: gpresult [/V] [/S] [/C | /U] [/?]
/V Verbose mode
/S Super verbose mode
/C Computer settings only
/U User settings only
Use the /C switch when troubleshooting GPO issues with your WSUS settings, to speed up the computation output.
Windows XP and Windows Server 2003 have a much richer graphical tool for displaying the results: the RSoP Microsoft Management Console (MMC) snap-in, which can be opened by choosing Start | Run and typing rsop.msc (see Figure 7.29).
Figure 7.29 Showing the Results of a WSUS Client's RSoP
Resultant Set of Policy console, administrator on WINDOWSXP: Computer Configuration | Administrative Templates | Windows Components | Windows Update
Configure Automatic Updates: Enabled (WSUS for Workstations)
Specify intranet Microsoft update service location: Enabled (Common WSUS Settings)
Reschedule Automatic Updates scheduled installations: Enabled (WSUS for Workstations)
No auto-restart for scheduled Automatic Updates installations: Enabled (WSUS for Workstations)
Automatic Updates detection frequency: Enabled (Common WSUS Settings)
Allow Automatic Updates immediate installation: Enabled (Common WSUS Settings)
At first glance the snap-in looks like the Group Policy Editor; however, only a subset of the components is displayed. The snap-in shows only what has been configured on the machine based on the policies pushed down to it. Whereas gpresult.exe shows only the policies that a client machine receives, the RSoP snap-in shows both the settings that a client receives and the policy from which each setting was obtained.
The following is a list of some miscellaneous commands that can be used for WSUS client troubleshooting and the day-to-day maintenance of a WSUS environment.
Regsvr32.exe is a Windows dynamic link library (DLL) registration utility. If your WSUS client does not seem to be functioning correctly, try unregistering and reregistering your AU client DLL file by running the following from a command-line window:
regsvr32.exe /u wuauclt.dll
regsvr32.exe wuauclt.dll
Srvinfo.exe and uptime.exe are two resource kit utilities that allow you to obtain system uptime from a remote command prompt. This is good for quickly checking whether a system that you expect to reboot after a patch update has in fact rebooted, and how long it has been up since its reboot. The following is the syntax for both commands:
srvinfo.exe \\remoteclient
uptime remoteclient
Notice that the uptime.exe utility does not require a leading \\ as srvinfo.exe does. Lastly, the reg.exe command-line utility is very handy for querying remote registry keys. It can also be used in a massive batch file to quickly enumerate and audit an existing WSUS client environment and re-verify that all of the clients are set up correctly.
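As an added illustration of the reg.exe audit described above (example code, not from the original text), the script below parses the output of reg query for the Windows Update policy key and reports every value that differs from a baseline. The baseline values, the sample output and the function names are assumptions constructed for the example; audit_client() calls reg.exe and therefore runs only on Windows against clients whose Remote Registry service is reachable.

```python
import subprocess

# Policy key that holds the WSUS client settings delivered by Group Policy.
POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

# Hypothetical baseline; replace with the values your GPOs are meant to deliver.
EXPECTED = {"WUServer": "http://wsus", "WUStatusServer": "http://wsus",
            "UseWUServer": 1, "AUOptions": 4}

# Constructed sample of `reg query <key> /s` output from one client.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://bogus
    WUStatusServer    REG_SZ    http://wsus

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    AUOptions    REG_DWORD    0x4
"""

def parse_reg_query(text):
    """Return {value_name: data} for REG_SZ and REG_DWORD lines of reg.exe output."""
    values = {}
    for line in text.splitlines():
        parts = line.split(None, 2)  # value names used here contain no spaces
        if len(parts) == 3 and parts[1] in ("REG_SZ", "REG_DWORD"):
            name, kind, data = parts
            values[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return values

def drift(values, expected=EXPECTED):
    """List (name, expected, actual) for every setting that is missing or different."""
    return [(k, want, values.get(k)) for k, want in expected.items()
            if values.get(k) != want]

def audit_client(host):
    """Query one remote client with reg.exe and return its drift from the baseline."""
    target = r"\\%s\%s" % (host, POLICY_KEY)
    out = subprocess.run(["reg", "query", target, "/s"],
                         capture_output=True, text=True, check=True).stdout
    return drift(parse_reg_query(out))
```

A client that returns an empty list matches the baseline; a missing value shows up with an actual value of None, which usually means the GPO that sets it never applied.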