Command Line Tools

Last Updated on Tue, 24 Apr 2018 | Windows Server Update

There are a few command-line tools that can help you identify problems, query for information, or
speed up the detection update process. The following is a list of these tools:

■ WSUS Client Diagnostics Tool (ClientDiag.exe) Downloadable from Microsoft's Web site.

■ Wuauclt.exe Part of the Windows source code after an AU client is installed.

■ Gpudate.exe and Secedit.exe Gpupdate.exe is part of Windows XP and Windows Server 2003 source
code. Secedit.exe is built into Windows 2000 source code.

■ Gpresult.exe and RSoP.msc Gpresult.exe is part of the Windows 2000 Resource Kit, Supplement 1,
and RSoP (RSoP.msc) is part of Windows XP and Windows Server 2003 source code.

■ Regsvr32.exe Part of all Windows source code.

■ Srvinfo.exe and Uptime.exe Part of the Windows 2000 and 2003 Resource Kits.

■ Reg.exe Part of the source code in Windows XP and Windows Server 2003, and part of the Windows
2000 Resource Kit, Supplement 1.

WSUS Client Diagnostic Tool

The WSUS Client Diagnostic Tool is a simple utility that provides the status of your AU client, its
configuration, and its ability to connect to your WSUS server. The ClientDiag.exe utility has only one
command-line parameter, which is used to dump the results to the ClientDiag.log log file in addition to
displaying it on the screen.To run the diagnostic tool this way, type ClientDiag.exe /t. (A successful
run of the utility is shown in Figure 7.27.) The WSUS server location in the registry was changed to
show you what might happen if there is a problem resolving or contacting your WSUS server by name
(see Figure 7.28).

Figure 7.27 Showing a Successful ClientDiag Output

o\] Command Prompt clicntdiag B0E

C:\>clientdiag -

WSUS Client Diagnostics Tool

Checking Machine State All Option is 4:

Checking for admin eights to vim tool PASS PASS PASS Scheduled Install
PASS
PASS Option is froii Policy
Background Intelligent Transfer Service is not
running. settings
This version is WSUS 2.0

Checking Proxy Configuration

Checking for uinhttp local machine Proxy settings . .

. Uinhttp local nachine access type

(Direct Connection) Winhttp local nachine Proxy.

PASS
Winhttp local nachine ProxyBypass
NOME NONE PASS
Checking User IE Proxy settings
HONE NONE NONE
(Jeer IE Proxy

User IE ProxyByPass

User IE AutoConfig URL Proxy

User IE AutoDetect flutoDetect not in use

Checking Connection to USUS/SUS Server

WUServer = http://usus WUStatusServer =
http://wsus

tlseMuSeruer is enabled PASS PASS PASS

Connection to server

SelfUpdate folder is present

Press Enter to Complete. jd

Figure 7.28 Showing a ClientDiag Error

Command Piompl - dientdiag

C:\>clientdiag

USDS Client Diagnostics Tool

Checking Machine State

Checking for adnirt rights to turn tool PASS

Automatic Updates Service is running. PASS

Background Intelligent Transfer Service is not running. PASS

Uuaueng.dll version 5.8.0.2469 PASS

This version is USUS 2.8

Checking AU Settings

AU Option is 4: Scheduled Install PASS

Option is from Policy settings

Checking Proxy Configuration

Checking for uinhttp local nachine Proxy settings . . . PASS Uinhttp local machine access type (Direct
Connection}

Win http local machine Proxy NONE

W in http local machine ProxyBypass NONE

Checking User IE Proxy settings PASS

User IE Proxy NONE

User IE ProxyByPass NONE

User IE AutoConfig URL Proxy NONE

User IE AutoDetect AutoDctcct not in use

Checking Connection to WSUS/SUS Server UUServer = http://bogus WUStatusServer = http://«sus

UseWuServer is enabled PASS

UerifyMJSerwerURLO failed with hr=0x800?2ee? The server- nane or address could not be resolued

Press Enter to Complete^

The ClientDiag.exe utility can be downloaded from Microsoft.com/downloads or from the official home
of WSUS at http://www.microsoft.com/windowsserversystem/updateservices.
Speeding Up Group Policy and Client Detection

By default, Group Policy is set to update clients every 90 minutes with a random offset. If you want to
speed this up because you need to push out WSUS client configuration changes quicker, consider
using the following commands to force a client policy update. To revisit commands that were run
earlier, you can use both gpudate.exe and secedit.exe to force your clients to pull new Group Policy
settings.

For Windows XP and Windows Server 2000 machines, run the following command:

gpupdate /target:computer /force

For Windows 2000 machines, issue the following command:

secedit /refreshpolicy machine_policy /enforce

To force a client detection update from your WSUS server, type the following built-in AU client
command:
Wuauclt.exe /detectnow

Troubleshooting Group Policy Conflicts

When setting up large server environments, you usually end up with a very complex OU and Group
Policy configuration. When different groups of servers have different downtime schedules, the
development server clients need different WSUS client settings, productions servers, and so on.
Consequently, you may find yourself with some GPO conflict.To show the final set of policies for your
WSUS clients, and depending on the client version, you can use one of the following tools.
Gpresult.exe is a command-line utility with switch options that print out all of the policies that the
machine has applied or denied. Following is the syntax for this command:

usage: gpresult [/V] [/S] [/C | /U] [/?] /V Verbose mode

/S Super verbose mode

/C Computer settings only

/U User settings only

Use the /C switch when troubleshooting GPO issues with your WSUS settings, to speed up the
computation output.

Windows XP and Windows Server 2003 have a much richer graphical tool for displaying the RSoP
Microsoft Management Console (MMC) snap-in console, which can be accessed by typing Start | Run |
rsop.msc (see Figure 7.29).

Figure 7.29 Showing the Results of a WSUS Client's RSoP

Iff Resultant Set of Policy m

File Action View Favorites Window Help

I 1 Console Root

0-Jf administrator onWINDOWSXP - RSc H -jjp Computer Configuration S-di Software Settings S-di
Windows Settings El- LJ Administrative Templates B LJ Windows Components Windows Update B-jjP
User Configuration S-LJ Software Settings lil-Pl Windows Settings ^

Setting

State

GPO Name

Configure Automatic Updates Enabled

^jf Specify intranet Microsoft update service location Enabled

^ Reschedule Automatic Updates scheduled installations Enabled

No auto-restart for scheduled Automatic Updates installations Enabled

§1 Automatic Updates detection frequency Enabled

Allow Automatic Updates immediate installation Enabled

\ Extended Standard /

WSUS for Workstations Common WSUS Settings WSUS for Workstations WSUS for Workstations
Common WSUS Settings Common WSUS Settings

The snap-in looks like you are looking at the Group Policy Editor; however, only a subset of the
components are displayed. The snap-in only shows what has been configured on the machine based
on the policies pushed down to it. Where gpresult.exe is good for only showing polices that a client
machine receives, the RSoP snap-in shows both of the settings that a client receives and the policy
where the settings were obtained.

Miscellaneous Useful Commands

The following is a list of some miscellaneous commands that can be used for WSUS client
troubleshooting and the day-to-day maintenance of a WSUS environment.

Regsvr32.exe is a Windows dynamic link library (DLL) registration utility. If your WSUS client does not
seem to be functioning correctly, try unregistering and reregistering your AU client DLL file by running
the following from a command-line window:

regsvr32.exe /u wuauclt.dll regsvr32.exe /r wuauclt.exe

Srvinfo.exe and uptime.exe are two resource kit utilities that allow you to obtain system uptime from
a remote command prompt. This is good for quickly checking whether a system that you expect to
reboot after a patch update has in fact rebooted, and how long it has been up since its reboot. The
following is the syntax for both commands:

srvinfo.exe \\remoteclient uptime remoteclient

Notice that the uptime.exe utility does not require a prepending \\ like srvinfo.exe does. Lastly,
command utility reg.exe has been shown to be a very handy utility for querying remote registry keys.
It can also be used in a massive batch file to quickly enumerate and audit an existing WSUS client
environment for re-verification that all of the clients are set up correctly.