WuInstall HowTo

1. Basic functions

There are three basic switches. Exactly one of them must be specified in order for WuInstall to do something. It makes no sense to specify more than one of those switches (e.g. wuInstall /search /install), because download automatically includes a search and install automatically includes search and download.

1.1. Searching for updates

The simplest command in WuInstall is just searching for updates:

WuInstall /search

It lists all available updates. It either searches on the Windows Update Server in the internet, or, if configured, on your WSUS. It has no impact on your system at all. In this case it just performs a search and lists what was found.

1.2. Downloading updates

You can download updates with WuInstall with

WuInstall /download

It does the same search as WuInstall /search and then downloads the updates, which were found. WuInstall itself does not download anything, but it triggers the Microsoft Windows Update Engine, which downloads the updates.

1.3. Downloading updates to a certain directory

The download option can be extended, in order to also copy the installation packages included in the download to a certain directory (e.g. for manual installation and distribution)

WuInstall /download_to "c:\updates_download"

Does exactly the same as WuInstall /download, but afterwards it copies the contents of the downloaded updates (usually .exe or .msi-files) for example to c:\updates_download, from where they can be installed manually or copied and used for patching other machines.

1.4. Installing updates

To install the updates, you use:

wuInstall /install

It searches the updates, downloads them (if they have not been downloaded by a previous WuInstall /download command already) and then installs them.

2. Selecting updates

With various switches, you can narrow the results of the search for updates and therefore also the updates, which are downloaded and installed. You can use criteria queries, search updates, which match certain names, severities, products or classifications.

 

Tip: In subsequent examples, we only use the /search option to illustrate how to select updates. This option is ideal to test certain switches, because it just lists the updates and has no further impact on the system. Of course, also the /download or /install switch can be used with all following examples.

 

2.1. Specifying criteria

With /criteria you can specify a query string, in order to change the search. The default criteria (when no /criteria is specified) is "IsInstalled=0 and Type='Software'".

 

Tip: For how the query string can be built see MSDN

 

You can, for example search for updates, which are already installed:

wuInstall /search /criteria "IsInstalled=1"

(here, obviously, a /download or /install makes no sense)

Furthermore you can also just select drivers:

wuInstall /search /criteria "IsInstalled=0 and Type='Driver'"

or drivers and software:

wuInstall /search /alltypes

which is equivalent to:

wuInstall /search /criteria "IsInstalled=0"

2.2. Matching specific search strings

With the /match option, you can get all updates with titles matching a specific search string.

 

Tip: You can test the /match option for example with /criteria "IsInstalled=1", because then you (usually) have a very long list of updates in your search.

 

For example, you can search for a specific update:

wuInstall /search /match "KB956844"

only lists the "Security Update for Windows XP (KB956844)"

In the WuInstall Pro Version /match also supports regular expressions, for example find all updates which have the terms “Language” OR “KB93” OR “Live” in their title:

WuInstall /search /match "(Language|KB93|Live)"

2.3. Not Matching specific search strings

In the WuInstall Pro Version, there is, corresponding to the /match-switch also a /nomatch-switch For example, search all updates which do NOT match "SQL" OR "Windows" OR "KB"

WuInstall /search /nomatch "(SQL|Windows|KB)"

/match and /nomatch can, of course, also be used in combination, for example search all updates which match "SQL" OR "Office" but do not Match "KB" or "Microsoft"

WuInstall /search /match "(SQL|Office)" /nomatch "(KB|Microsoft)"

2.4. Search string in files

It is also possible to put search strings in a file. For example, you create a file match.txt with the following search string (separated by a newline):

c:\Data\match.txt

KB93
KB94
KB95
Office
Internet Explorer 8

If you execute

wuInstall /search /matchfile c:\Data\match.txt

Your will get all updates matching KB93, KB94, KB95, Office or Internet Explorer 8.

There is also a /nomatchfile switch, which does the opposite, which excludes updates matching one of the search terms in the file.

wuInstall /search /nomatchfile c:\Data\match.txt

Regular expressions are also possible as search expressions in the files.

2.5. Severity

Each security update has a certain severity. There are five possible severities: 

  •  Critical (C): A security issue whose exploitation could allow the propagation of an Internet worm without user action. 
  •  Important (I): A security issue whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources. 
  •  Moderate (M): Exploitation is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation. 
  •  Low (L): A security issue whose exploitation is extremely difficult, or whose impact is minimal. 
  •  Unknown (U): No information about the severity is available.

The letter in brackets is the code for the /severity - option. Just put the letters together to select multiple severities.

For example, all critical and important updates:

WuInstall /search /severity CI

 

Tip: The severity is only filled for security updates, so it is not really suitable for finding high priority updates, as security updates usually ARE high priority updates. Classification is better for that purpose.

 

2.6. Classification

Each update belongs to one of those classifications: 

  •  Critical Updates (C)  
  •  Security Updates (S) 
  •  Updates (U) 
  •  Update Rollups (R) 
  •  Services Packs (E) 
  •  Feature Packs (F) 
  •  Definition Updates (D)

Just put the letters in the bracket together to select multiple severities. For example, select all security updates, critical updates and updates:

WuInstall /search /classification SCU

 

Tip: High priority updates can best be found with the classification CRS (Critical, Security and Update Rollups), however sometimes also U (Updates) can be high priority. Generally speaking, selecting which updates are high priority and which are not, is up to the administrator. There is no general rule how to automatically match the high priority categorization on the Microsoft Update website.

2.7. Product

Each update belongs to a Microsoft product, for example Office 2003, Windows XP, Visual Studio 2008, Silverlight, ...

The /product switch enables to search by one product.

For example, find all Updates for Visual Studio 2008:

 

Tip: The product name has to match exactly. Therefore just specifying "Visual Studio" here would produce no results.

WuInstall /search /product "Visual Studio 2008"

 

Tip: All update selection options (/match /nomatch /matchfile /nomatchfile /severity /classification /product) can be used in combination with each other!

3. Additional options

There are some additional options with which you can control the behavior WuInstall and the installation of updates. For example rebooting the system, bypassing the wsus or accepting EULAs without user interaction.

3.1. Reboot

The reboot-option just reboots the system n seconds after WuInstall has finished. It can be used together with search, download or install and it can also be used standalone.

For example, reboot in 30 seconds:

WuInstall /reboot 30

If no time interval is specified, 10 seconds is the default delay.

Reboot 10 seconds after the updates have been installed:

WuInstall /install /reboot

 

Tip: The /reboot option reboots the system after executing WuInstall unconditionally after the specified number of seconds. The result of WuInstall has no influence whether if there is a reboot or not.

3.2. Rebootcycle

With this option complete cumulative updating of windows systems becomes possible. That means installing updates, rebooting and installing further updates will be automated. After performing an update and rebooting afterwards, WuInstall starts again before the Windows Logon and executes the same command again, that was done before the reboot. The /rebootcycle option uses the Windows Task Scheduler to restart WuInstall.

 

Tip: You can limit this reboot cycle option to a maximum number of reboots to prevent of getting stuck in an endless loop. Default is 3.

The /rebootcycle option works together with /reboot or /reboot_if_needed.

When the /rebootcycle is used WuInstall outputs in the console:

/rebootcycle is specified, going to run this wuinstall command at most x times again at startup if reboot is triggered

Example usage:

wuInstall /install /logfile_append c:\loginst.txt /reboot_if_needed /rebootcycle 2

This command installs all available software updates. If necessary the system will reboot after an update installation and WuInstall will execute the command until all pending available updates are installed. In this case the numbers of reboots is limited to a maximum of 2 in any case. Also the /logfile_append option is set to have a report about the whole installation process including all reboots.

3.3. Rebootcycles and shutdown when finished

As already mentioned the /rebootcycle option automates reboots between updates. In many cases it might be necessary to shutdown the machine after having all updates done. For example if you want to schedule your windows updates during the night.

Example usage, which installs all available updates and shuts down the system when finished:

WuInstall /install /rebootcycle /shutdown

3.4. Bypassing the WSUS

If you have a WSUS, but want to go for the Windows Update Site instead of WSUS for some reason, you can use the option /bypass_wsus to bypass the WSUS server for the time WuInstall is executed.

For example, bypass wsus and install update KB956844 from the Windows Update Site:

WuInstall /install /bypass_wsus /match "KB956844"

After execution of WuInstall, WSUS is re-activated for your system. This option automatically executes the Sc stop wuauserv and Sc start wuauserv commands in order for the bypass to take effect.

 

Tip: If WuInstall fails for some reason or is aborted before it finishes, the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, Value UseWuServer is still set to 0. You have to set it to 1 manually, in order to tell your system to use WSUS again.

 

3.5. Selecting another WSUS

Quite the opposite of the bypass_wsus option is the /use_wsus option. If you want to choose another WSUS, or if you have no WSUS configured at the machine and want to get updates from a certain WSUS, the use_wsus option can force WuInstall to use a certain WSUS

For example, install your updates from the server wsus2 instead of wsus1:

WuInstall /install /use_wsus http://wsus2

WuInstall writes something like this:

You are using WSUS Server http://wsus1
use_wsus specified ....  WUServer and WUStatusServer successfully set to http://wsus2

After execution of WuInstall, the initial state is restored (e.g. wsus1 is re-activated or WSUS is switched off again if it was off)

use_wsus specified, reactivating  WUServer http://wsus1,  WUStatusServer http://wsus1 ... successful!

 

Tip: If WuInstall fails for some reason, or is aborted before it finishes, the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWuServer, HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer, HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer

have to be reset manually to the initial state.

3.6. Accepting EULAs

Some updates require the user to accept an EULA in order to install. To automate this, the /autoaccepteula option automatically accepts all EULAs for updates which require this, without any user interaction or interruption.

Example:

WuInstall /install /autoaccepteula