Win2K Qfecheck Hotfix Verification and Reporting Tool
This week, I have good news for the folks who manage desktop and server configurations. As you know, Microsoft has released more than 200 Windows 2000 post-Service Pack 1 (SP1) bug fixes and hotfixes, many security related. If you have hundreds or even thousands of systems in your enterprise, managing and verifying all these hotfixes is an immense task. Although the Windows File Protection (WFP) feature significantly reduces hotfix mismatches, occasional problems still arise when one update overwrites or replaces a file from a previously installed hotfix.

A few days ago, Microsoft released a new version of the command-line utility qfecheck.exe, which audits and reports on the validity of installed hotfixes. Instead of just reporting the hotfix keys in the registry, the new version performs a thorough audit to ensure that the correct binary files actually exist on the system and that each file has the most current version number. The utility also has a log option that lets you capture the results of the audit in a text file. This option lets you run a script on all your systems to perform the hotfix audit and direct each system’s report to a central network location.

When it runs, qfecheck.exe reads the registry key for each update and checks the version number stored in the registry against the installed file's version number. If the version number in the registry doesn't match the installed file's version number, the utility reports an error. The utility also verifies that the WFP hotfix catalog contains an entry for each file the hotfix installs. If the file is valid according to the hotfix information in the registry but the catalog entry contains different information, Qfecheck reports an error.

You can download and install the 111KB file, which places itself in %systemroot%\system32, in a few seconds. After you install the utility, you must run Qfecheck at a command prompt to initiate the hotfix audit. You can run Qfecheck with three command-line arguments: /l to log the report in a text file, /v for a verbose explanation of the results, and /q for a quiet, less wordy description. By default, Qfecheck writes the report to the current directory and names the output file <computername>.log. You can specify an alternate location (but not the output filename) (e.g., /l: E:\Temp or /l: \\Server\HotfixReports), and you can also pipe the output to the location (and with the filename) of your choice (e.g., Qfecheck /v >E:\temp\VPNserverHotfix.log).

If the Qfecheck report contains the message, "This hotfix should be reinstalled," you've probably installed one or more security updates previously. You can correct the inconsistencies by downloading and installing the updated WFP catalog file. I describe this procedure in the next article, "Do You Need to Update Your Win2K Security Hotfixes?"

I have two additional pieces of good news. First, you can download the English version of the Win2K utility, q282784_w2k_sp3_x86_en.exe, from Microsoft’s Security Update Web site. Second, you can download a version of this tool for Windows 95 called qfechkup.exe. Microsoft article Q282784 contains examples of the Win2K reports about hotfix inconsistencies, and article Q145990 contains a direct download link to the Win95 version.

Do You Need to Update Your Win2K Security Hotfixes?
If you’re reading this sentence, you're most likely also staring at a Qfecheck report telling you that you must reinstall some hotfixes. Here’s an explanation of why and the procedure you must follow to ensure a clean bill of health from Qfecheck. Microsoft always includes the WFP catalog with downloadable hotfixes. The theory is that the catalog prevents the update process from incorrectly overwriting or replacing files. Apparently, Microsoft issued multiple hotfixes, many security-related, with incorrect version numbers in the WFP catalog, but the potential problems are restricted to English-language hotfixes. Microsoft article Q281767 states that when you install multiple post-SP1 hotfixes and at least one catalog has versioning issues, your system might be adversely affected. Quite diplomatic, wouldn’t you say?

Microsoft has eliminated the version number issues by updating two versions of the WFP catalog. The catalog contains updates for 24—count ‘em, 24—security patches, a correction for a performance problem related to heap fragmentation, and a fix for user authentication on Exchange Server after you reset a user’s Win2K password.

One WFP catalog version is for Win2K system running SP1 and the other is for pre-SP1 systems. To clean up your system, you must download and install the appropriate version of You can download the SP1 catalog file, Q281767_W2K_SP2_x86_en.exe, from the Microsoft Web site.

If you run Win2K without SP1 and have installed any security hotfixes, get the updated catalog, Q285083_W2K_SP2_x86_en.exe, from the Microsoft Web site.

The installation procedure for Win2k SP1 systems is straightforward. Simply double-click the download file to install the updated catalog. On pre-SP1 systems, you must reboot after you install the download to activate the new catalog. The new catalog won't install any new hotfixes, but it will correct discrepancies for any hotfixes already on the system. Then, just for grins, run Qfecheck a second time with a different output file name so you can compare the before and after reports. All the "this hotfix needs to be reinstalled" entries in the first report should be replaced by the text "Current on system" in the second.