HFNetChk

HFNetChk is a command-line tool that enables an administrator to check the patch status of all the machines in a network from a central location. The tool does this by referring to an XML database that’s constantly updated by Microsoft.

HFNetChk can be run on Windows NT 4.0 or Windows 2000 systems, and will scan either the local system or remote ones for patches available for the following products:

  • Windows NT 4.0
  • Windows 2000
  • All system services, including Internet Information Server 4.0 and 5.0
  • SQL Server 7.0 and 2000 (including Microsoft Data Engine)
  • Internet Explorer 5.01 and later

The HFNetChk tool uses an Extensible Markup Language (XML) file that contains information about which hotfixes are available for each product. The XML file contains security bulletin name and title, and detailed data about product-specific security hotfixes, including: files in each hotfix package and their file versions and checksums, registry keys that were applied by the hotfix installation package, information about which patches supersede which other patches, related Microsoft Knowledge Base article numbers, and much more.
When you run the HFNetChk tool for the first time from a command line (without any switches), the tool must obtain a copy of this XML file so that the tool can find the hotfixes that are available for each product. The XML file is available on the Microsoft Download Center Web site in compressed form. The file is a digitally signed .cab file. HFNetChk downloads the .cab file, verifies the signature, and then decompresses the .cab file to your local computer. Note that a .cab file is a compressed file that is similar to a .zip file.
Download the Latest Mssecure.cablink out ico
After the .cab file is decompressed, HFNetChk scans your computer (or the selected computers) to determine the operating system, service packs, and programs that you are running. HFNetChk then parses the XML file and identifies security patches that are available for your combination of installed software. Patches that are available for your computer but are not currently installed on your computer are displayed as “Patch NOT Found” in the resulting output. In the default configuration, HFNetChk output displays only those patches that are necessary to bring your computer up to date. HFNetChk recognizes roll-up packages and does not display those patches that are superseded by later patches.
HFNetChk first examines the computer to determine if the registry key that is associated with the patch exists. If the registry key does not exist, the patch is considered not installed. If the registry key does exist, HFNetChk searches for the related files on the computer and compares the file version and checksum from the XML file to the file version and checksum of the files on the computer. If any of the file tests are not successful, the hotfix is listed as “Patch NOT Found”.
HFNetChk was developed for Microsoft by Shalvik Technologies LLC (http://www.shavlik.com/). More information about Shalvik, including a GUI version and an advanced command-line version of HFNetChk, is available on the http://www.shavlik.com/nshc.htm Web site.
The following are the requirements for a computer that is running HFNetChk:

  • Windows NT 4.0, Windows 2000, or Microsoft Windows XP. HFNetChk does not operate on Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 98 Second Edition, or Microsoft Windows Millennium Edition (Me).
  • Internet Explorer 5.01 or greater or an XML parser (Microsoft XML Parser 3.0 Service Pack 2 Release) is required for the tool to function correctly. XML parsers are included in Internet Explorer 5.01 and later. If you are running Internet Explorer 5.01 or greater, you do not need to install a separate parser. If you are running an earlier version of Internet Explorer and you do not want to upgrade to Internet Explorer 5.01 or greater, you may download and install a stand-alone version of the Microsoft XML Core Services 4.0 SP2.

To run HFNetChk:

  1. Download the Nshc33.exe file.
  2. Double-click the Nshc33.exe file that you downloaded, and then follow the installation instructions.
  3. Read the End-user License Agreement (EULA).
  4. At a command prompt, locate the folder that you created.
  5. Type hfnetchk -v -z -s 1, and then press Enter.
  6. The tool will connect to Microsoft’s website and download the XML file that contains information about which hotfixes are available for each product.

hfnetchk1 small


hfnetchk small

  1. A report is generated:

hfnetchk2 small
Download Microsoft HFNetChk 3.3 (released January 17, 2001) (250kb)link out ico
Download Shalvik HFNetChk 3.86 (released November 20, 2002) (600kb)link out ico

Update on the HFNetChk tool and usage:

HFNetChk is also available through the MBSA V1.2.1 command line interface, mbsacli.exe /hf.
The HFNetChk tool that you execute by using the mbsacli /hf command, is a command-line tool that you can use to assess a computer or selected group of computers for the absence of security patches. You can use HFNetChk to assess the patch status for the Windows NT 4.0 and Windows 2000 operating systems, as well as hotfixes for IIS 4.0, IIS 5.0, SQL Server 7.0, SQL Server 2000 (including MSDE), Exchange Server 5.5, Exchange Server 2000, Windows Media Player, and Internet Explorer 5.01 or later.
The HFNetChk tool uses an Extensible Markup Language (XML) file that contains information about which hotfixes are available for each product. The XML file contains the security bulletin name and title, and detailed data about product-specific security hotfixes, including the following items (and much more):

  • Files in each HotFix package and their file versions and checksums.
  • Registry keys that the HotFix installation package applies.
  • Information about which patches replace other patches.
  • Related Microsoft Knowledge Base article numbers.

When you run the HFNetChk tool for the first time from a command line (without any switches), the tool must obtain a copy of this XML file so that the tool can find the hotfixes that are available for each product. The XML file is available on the Microsoft Download Center Web site in compressed form. The file is a digitally signed .cab file. HFNetChk downloads the .cab file, verifies the signature, and then decompresses the .cab file to your local computer. Note that a .cab file is a compressed file that is similar to a .zip file. If the CAB file is not downloaded, HFNetChk tries to download an uncompressed copy of this file from Microsoft.
After the .cab file is decompressed, HFNetChk scans your computer (or the selected computers) to determine the operating system, service packs, and programs that you are running. HFNetChk then parses the XML file and identifies security patches that are available for your combination of installed software. Patches that are available for your computer but are not currently installed on your computer are displayed as “Patch NOT Found” in the resulting output. In the default configuration, HFNetChk output displays only those patches that are necessary to bring your computer up to date. HFNetChk recognizes roll-up packages and does not display those patches that are superseded by later patches.

  1. Download MBSA v1.2.1 HERE (1.6mb)link out ico
  2. Double-click the MBSA file that you downloaded, and then follow the installation instructions.
  3. Read the End-user License Agreement (EULA).
  4. At a command prompt, locate the folder that the installation created.
  5. Type mbsacli.exe /hf -v -z -s 1, and then press ENTER.

Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool Is Available – 303215 (Syntax, usage, details and more)link out ico
Frequently Asked Questions for Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool – 305385 link out ico
Download Shalvik HFNetChk 3.86link out ico
MBSA Whitepaperlink out ico
Microsoft XML parserlink out ico