Introducing PatchWatcher and DateComparor

0 Likes
over 6 years ago
Disclaimer : I don't pretend to be an engineer, but I managed to make this work for me and this customer, so use at your own risk if it makes your job easier and your end users happier. You accept any liability that comes with implementing this in your environment.

As I indicated in my last post, I was onsite at a customer this week. One of the concerns they brought up was that there isn’t a good way for their end users to see that patches are in process of being deployed, especially with the new ZENworks 11SP3 patch policy feature. To that end I spent a couple of days putting together a cool new tool that can help overcome that limitation. This is means as a temporary solution until we can introduce something in the product. When running PatchWatcher looks something like this:

PatchWatcher

The text that currently says “Waiting 4 seconds…” will be update to tell the user what patch is being applied, specified that patches were not needed, or have a summary indicating the number of patches that were applied.

Basically the way that this tool works is as follows:

  1. When PatchWatcher starts up it looks in HKEY_LOCAL_MACHINE\Software\Novell\ZCM\ PatchWatcher for the following values:



    Value Name

    Type

    Value Data

    Description



    WaitForPAP

    String

    true | false

    When set to “true” this instructs PatchWatcher to only remain running is ‘zac pap’ is currently running on the PC. If set to “false” then PatchWatcher simply checks to see if the registry key is still “false”. 

    The false option is designed to be used in bundles included in the pre- and post- actions for your patch policy, since when patch policies are applied automatically zac pap does not run.

     

    If this value does not exist in the registry, then PatchWatcher defaults to checking for ‘zac pap’ in the process list.



    SleepTime

    DWORD

    Integer value

    When set this instructs PatchWatcher to wait the specified number of seconds for ‘zac pap’ to appear. If ‘zac pap’ is not running within the specified number of seconds then PatchWatcher exits. 

    This value is only used if WaitForPAP=true. If this value does not exist, the default wait time is 10 secs.



    OnTop

    String

    true | false

    When set to true, this forces the PatchWatcher window to always be on top of any Windows so that the user can’t miss it as long as it is running. 

    If not set PatchWatcher does force itself to be the top window.



    DialogName

    String

    Any text

    This replaces the “Patch Progress” title of the PatchWatcher window.



    MessageText

    String

    Any text

    This replaces the text above the status bar.



    LogoPath

    String

    File path

    When set this instructs PatchWatcher to use the specified logo, instead of the Novell logo. This can be a png, jpg, or gif file and must be accessible on the local machine.




     

  • After reading the configuration it either waits for ‘zac pap’ or ‘zac patch-apply-policy’ to appear in the list of running processes or immediately begins watching for patches. If it is configured to wait for ‘zac pap’ to appear and it doesn’t appear within the specified time, then PatchWatcher exits, indicating that the ZENworks Patch Agent didin’t start. If PatchWatcher is configured not to wait for ‘zac pap’ then it immediately begins looking for patches and continues until the WaitForPAP value is deleted or gets set to ‘true’.

  • The system waits for remediate.exe to appear in the Windows process list. When patch policies or remediate bundles apply patches they do so by calling remediate.exe with the name of each patch in a serial fashion. PatchWatcher parses the command line and displays the name of the patch being applied as well as a counter that tells how many patches have been applied.

  • If remediate.exe never runs and ‘zac pap’ exits or the registry key is modified so that PatchWatcher exits without patches being applied, a message is displayed indicating that the machine appears to be fully patched and PatchWatcher exits. This writes a registry value in the PatchWatcher key called LastFullyPatched is set to today’s date.

  • When ‘zac pap’ exits or the WaitForPAP value is deleted or set to true AND remediate.exe has been called at least once, then a message is displayed summarizing the patch process and letting the user know to follow any reboot prompts that may appear.


The second tool that I created this week is a companion tool that simply calculates the time difference between the last time that PatchWatcher observed a last full scan and the current date. It then writes a DWORD value called DaysSinceLastFullyPatched and exits. This is useful for using a registry key comparison system requirement to limit when your ‘zac pap’ bundle runs.

You can now use these tools as you see fit in your environment to provide input and control the time between. For a proof of concept on how this might look, the attached zip file includes an exported bundle definition and content from my 11.3.x server that does the following and can be imported with the 'zman bc' command. I also expect to publish this on my public ZENworks server once it is rebuilt after hardware failure:

  1. Copies the PatchWatcher files.

  • Modifies the registry keys to configure PatchWatcher.

  • Prompts the user if now is a convenient time to apply their patch policy.

  • Launches PatchWatcher as a Dynamic Admin. This is required as zac pap is being run as the SYSTEM user and normal users won’t be able to see the process. It is also critical that you do not wait for PatchWatcher to complete before the next action launchers.

  • Launches ‘zac pap’ as SYSTEM to initiate the patch policy process. PatchWatcher will then display the progress of the patching to the end user.  Make sure to configure this action to wait until zac pap exits.

  • Delay for 10 s to allow PatchWatcher to determine that ‘zac pap’ has exited.

  • Runs the DateComparor tool and updates the registry.


In this bundle each of the actions after the copy and registry configuration, except for the datecomparor action have action level system requirements to make sure that if machine was fully patched within the last 7 days then the user isn’t prompted to check and apply patches.

I hope you find this a useful way to indicate progress to your users. I’m also considering adding additional functionality to log the patches that were applied along with the time stamp when the apply started. When I do I’ll probably also provide a silent mode so that you can log the process without needed to show progress to the user. Feel free to provide other enhancement requests that you might find useful.

 

Labels:

How To-Best Practice
Comment List
Anonymous
  • I imported the bundle. I noticed for the 'Launch Patch Watcher' and 'Start the patch scan' one of the requirements is that the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Novell\ZCM\PatchWatcher does not exist but is is created by the registry settings action in the beginning so these would never run. Also when I ran the patchwatcher.exe and it is waiting it eventually eats up all my free memory. It has gone up to 5GB at one time.
  • After created a bundle from your XML file, I get error from the action registry edit. "An error occurred while reading the bundle information". It's only the reg edit action that fails to create. I'm new at zman commands so I don't have much to go on at this point, do you have any ideas?
  • The tool provided here was very much helpful & appreciated by the customer. I was part of this visit & I see a good impact toward the ZENworks perspective with other stuff along with these tools.

    This could also be helpful for other customers who would like give more control/activity to end user during patch deployment.
Related Discussions
Recommended