Windows Secrets Newsletter • Issue 79 • 2006-07-20 • Circulation: over 400,000

By Brian Livingston

I announced in the July 13 newsletter that Shavlik Technologies, a well-known patch-management vendor, had released a free and capable replacement for Microsoft’s Windows Update (WU) service.

The Shavlik program, known as NetChk Protect, is free for up to one year, can remotely update 1 to 10 PCs from a single PC on a network, and supports far more programs than Microsoft’s offering does.

Many Windows users now mistrust WU because Microsoft uses it to install marketing nagware such as the controversial Windows Genuine Advantage (WGA), as I explained on June 15.

Unfortunately, Shavlik’s products have historically appealed primarily to large enterprises, not small businesses or home users. As a result of an old policy, Shavlik’s download page has been refusing to deliver license keys by e-mail to registrants who use addresses at Internet service providers, such as Hotmail.com, Comcast.net, and others.

This policy was originally designed to limit downloads only to Shavlik’s target market — system administrators who use e-mail addresses with “corporate-sounding” domain names.

Once Shavlik had released a free-trial product designed for only 1 to 10 users, however, the company was squarely targeting the SOHO market (small office/home office). The e-mail address restriction should have been removed.

Shavlik officials have told me that the company’s barrier to ISP-based e-mail addresses will be gone from the company’s site by this Friday evening. They’ve also provided me with technical tips to aid NetChk Protect users who run Windows XP Home, which requires different handling than XP Pro and other versions of Windows.

I’ll briefly describe these points for you below.

Any e-mail address should work by July 22

I downloaded and tested the free-trial version of NetChk Protect last month. In that process, I used an e-mail address from a free e-mail service named Mailshell.com to register the software and receive a license key. Nothing at the Shavlik site mentioned that ISP-based addresses were being prevented from registering, so I didn’t realize that this enterprise-oriented policy was in place.

In telephone interviews with three different Shavlik executives prior to my July 13 article, no one mentioned any restriction on e-mail addresses. This lapse probably occurred because the policy was established long ago and had been forgotten. The policy never impeded the company’s target audience of large corporations, so it may never have come up as an issue. I very much regret that this restriction inconvenienced any of my readers. More than 200 subscribers e-mailed me to complain.

Shavlik CTO Richard Greenwood, chief security architect Eric Schultze, and public relations spokeswoman Jill Teut assured me in separate personal calls yesterday that the restriction would be gone no later than Friday evening, July 21. Each executive told me Shavlik’s Web maintenance is outsourced to a firm that requires two days to make any changes. Any readers who tried and failed to download NetChk Protect last week should try again this weekend or on Monday.

Shavlik requires you to enter a valid e-mail address where the license key for NetChk Protect can be sent. The registration form also requests postal and other information, but I found that any bogus data can be entered into these fields, if you don’t wish to divulge it. Since registering a month ago using my anonymous Mailshell.com address, I’ve received only one marketing message. This level of contact seems reasonable to me in return for 12 months’ free use of Shavlik’s software.

XP Home, Media Center require local install

For the past 13 years, Shavlik has specialized in providing update-management software for large companies with hundreds or thousands of PCs to update. These enterprises’ workstations almost always run Windows XP Professional, not XP Home. The Pro version, among other features, has networking support that allows the PCs to authenticate to domain servers.

XP Home lacks these networking capabilities. This means NetChk Pro can be installed on an XP Home machine, can scan the machine for needed patches, and can install the patches — but patches cannot be deployed to an XP Home machine from any other machine.

If NetChk Pro is installed on an XP Home machine, that machine can scan and deploy patches to other networked machines that are running XP Pro, XP Tablet, Windows 2000 Pro or Server, and NT 4.0 Workstation or Server with SP3 or higher. But no machine running NetChk Protect can remotely deploy patches to computers running XP Home. (Shavlik says XP Media Center Edition is untested, so let’s assume that remote deployment of patches to MCE fails, too.)

To work around this, you can simply install an instance of NetChk Pro on each XP Home machine and each MCE machine that you wish to update with patches. Here are the steps to take:

Step 1. When you download and install the 1-year free-trial version of NetChk Protect, copy the resulting .exe setup program to a USB drive or burn it to a writable CD.

Step 2. Insert the USD drive or CD into each XP Home or MCE PC and install NetChk Protect locally. Use the local instance of NetChk Protect to scan each machine and install any patches that may be needed. Important: If you use a personal firewall, such as ZoneAlarm, you must instruct it to let NetChk Protect connect to the Internet. This includes downloading and installing the necessary patches from Microsoft.com and the sites of the other supported applications.

Step 3. NetChk Protect allows you to use the same license key to install the software on up to two PCs. If you have more than two machines running XP Home or MCE, it’s easy to get additional keys. According to Shavlik’s Schultze, you can simply go through the download-and-registration process again, using the same e-mail address that you entered the first time. A new license key that will support installation on two additional machines will be e-mailed to you. Each of the resulting installations of NetChk Protect can scan and deploy patches to up to 9 other machines.

Step 4. Windows XP machines that are not logged on to a domain server — in other words, PCs that are using peer-to-peer networking — use a service called Simple File Sharing. Because this limits all remote connections to restrictive Guest status, the service must be turned off in order for NetChk Protect to remotely scan an XP machine. To do this, open Windows Explorer (not Internet Explorer), then click Tools, Folder Options, View. Scroll to the bottom of the advanced options, then deselect Use simple file sharing (recommended). This service can be reenabled after NetChk Protect has scanned and deployed patches to the affected PC.

More details about the above steps can be found in two Shavlik Knowledge Base articles that I describe below.

Better documentation now available

The orientation of NetChk Protect to big-business admins can frustrate Windows users who are accustomed to utilities that just work out of the box. Fortunately, two Shavlik Knowledge Base articles have now been posted that explain the “gotchas” tripping up many readers.

• The prerequisites for installing NetChk Protect on a PC are explained in SKB 3499.

• The requirements for scanning and deploying patches to systems remotely are explained in SKB 3500.

• A single document that links to both of the above documents is SKB 3498.

I urge everyone who has had any problems whatsoever with NetChk Protect to read the Knowledge Base articles linked to above.

NetChk Protect is still cheerfully working for me on my small-office, 5-user network. It scans and deploys patches to my scrum of Windows Server 2003 and XP Pro machines just fine.

But, as I explained in my July 13 tutorial, NetChk Protect is a program that assumes an administrative level of user expertise. My tutorial eases the learning curve but doesn’t eliminate it. Until Shavlik comes out with a simple, wizard-based Web portal that automates the update process (which is promised by this October), its downloadable software has quirks that can baffle SOHO users.

I don’t believe this indicates any ill will on the part of Shavlik developers. An enterprise-level product has simply been made available for free — with its rough edges on full display — as a reaction to the widespread distrust of Microsoft’s Windows Update. I’m hopeful that Shavlik can simplify its user interface and improve its customer-support services in the near future. My thanks to every reader who brought NetChk Protect’s install and deployment gotchas to my attention.

To download the 1-year free version of NetChk Protect, visit Shavlik’s NetChk Protect page.

MS fixes July 11 patch issues

Microsoft corrected on July 17 some serious problems that have been reported with MS06-034 (917537), a security bulletin it originally released on July 11. The patch is intended to close a hole in the Redmond company’s IIS (Internet Information Services). Affected systems are Windows XP, 2000, and 2003.

Three distinct problems afflict MS06-034, according to Windows Secrets contributing editor Susan Bradley:

Problem 1. XP machines that didn’t have a full installation of IIS kept being reoffered the patch over and over again. The detection logic of Automatic Updates, Windows Update, Microsoft Update, and Windows Software Update Services (WSUS) has now been adjusted to work correctly with machines that do have IIS but don’t have a file named asp.dll.

Problem 2. On Windows Server 2003 SP1 machines, the asp.dll file might be in use when the MS06-034 patch was being installed. If so, the patch would fail to copy over the needed DLL. In other words, hotpatching detection was not working. This has reportedly been corrected.

Problem 3. One more issue may still be unresolved as of today. If you have an antivirus (AV) program installed on the server, some but not all servers keep a file in use that does not allow the patch to install. You can work around this by doing a selective startup. Disable the AV from the boot-up process, which enables the patch to install, then reenable AV and reboot.

For more information on the workarounds, and to install MS06-034, see Microsoft Knowledge Base article 917537.

News updates have no paid version

Today’s e-mail message is a news update. Our next regular issue will be published according to our usual twice-a-month schedule on Jan. 27.

News updates don’t include our usual columnists or other sections. A news update also has no paid version. The same short message goes out to both our free and our paid subscribers.

We’ll provide more information about the NetChk Protect situation, further problems with Microsoft patches, and much more in the paid version of our next regular newsletter on July 27.

Make sure you receive the paid version for the next 12 months by upgrading now. No set fee is required — we allow anyone to upgrade by making any financial contribution of whatever amount it’s worth to you. The best information is always in the paid version of the newsletter, and we want you to have it. How to upgrade