• Qchain: If you’ve decided to install a batch of the more than 230 Windows 2000 post-Service Pack 2 (SP2) hotfixes and the usual plethora of security hotfixes, you have your work cut out for you. Hotfixes often update the same executable or DLL with different versions, so you must reboot after you apply each fix to ensure that the OS installs the most recent version of the common file. When you restart the system, the OS replaces existing files with the version that the hotfix specifies.
  • If you install two hotfixes without rebooting between installations, the first hotfix might replace a DLL with a more recent version, and the second hotfix might then replace that DLL with an older version. When you reboot, the OS replaces the first hotfix's more recent version of the DLL with the second hotfix's older version. As a result, your system will have outdated files, which can adversely affect system performance and reliability. Also, when you need to install five or six updates, whether OS bug fixes or security patches, you need to take a system down for as long as it takes to install each update and reboot after each update.

    You can expedite the process by using the new command-line utility qchain.exe to perform one update that installs multiple updates and security hotfixes. You can run qchain.exe with one command-line argument that specifies the name of the text-based log file where you want the utility to record the files that it replaces (e.g., qchain.exe c:\temp\hotfx.log). On Windows NT 4.0 systems, Qchain installs multiple updates in one operation. You can download qchain.exe from the Microsoft Web site.

    In one directory, collect all the hotfixes and security updates that you want to install. To install multiple updates interactively, start each update with the –z switch to disable the automatic reboot that usually occurs after the installation finishes. After you install all the updates, run qchain.exe and reboot the system. Qchain examines all the files that each update replaces and ensures that the OS installs the most recent version of any OS components that are common to more than one update.

    You can invoke this utility from a script to make the multiple-update procedure even easier. Place qchain.exe and all the updates you want to install in the directory (e.g., C:\Hotfixes). If you’re running multiple updates from a script, use the hotfix.exe command-line switch –m to disable interactive feedback from each update:

@echo off
setlocal
set location =c:\hotfixes
%location%\Q299553_w2k_sp3_x86.exe -z –m      (a Telnet security rollup)
%location%\Q296185_w2k_sp3_x86.exe -z –m      (an Index Service security hotfix)
%location%\qchain.exe
  • Qfecheck: The Qfecheck utility audits the hotfixes you install on a system, including those you install using a multiple-update operation. Instead of simply reporting the hotfix keys in the registry, the latest version performs a thorough audit to ensure that the correct binary files actually exist on the system and that each file has the most current version number. This utility has a log option that lets you capture the results of the audit in a text file. This option lets you run a script on all your systems to perform the hotfix audit and direct each system’s report to a central network location.
  • When you run Qfecheck, it reads the registry key for each update and checks the version number stored in the registry against the installed file's version number. If the version number in the registry doesn't match the installed file's version number, the utility reports an error. The utility also verifies that the Windows File Protection (WFP) hotfix catalog contains an entry for each file that the hotfix installs. If the file is valid according to the hotfix information in the registry but the catalog entry contains different information, Qfecheck reports an error.

    After you install the utility, you must run Qfecheck from a command prompt to initiate the audit. The tool accepts three command-line arguments: /l instructs Qfecheck to log the report in a text file, /v returns a verbose explanation of the results, and /q returns a "quiet" (i.e., less wordy) description. By default, Qfecheck writes the report to the current directory and names the output file .log. You can specify an alternate location (e.g., Qfecheck /l: E:\Temp) but not the output filename. You can also pipe the output to the location (and with the filename) of your choice (e.g., Qfecheck /v >E:\temp\VPNserverHotfix.log).

    Download the English version of qfecheck.exe, q282784_w2k_sp3_x86_en.exe, from Microsoft’s Security Update page. See my February 6 column for a more complete description of how Qfecheck works and for additional Microsoft Support Online references.