noquest banner



Remote update Java

Websites sometimes requires Java to run correctly, so nowadays Java is widely used. Unfortunately evil websites also use Java and it's vulnerabilities to install virus, malware and all kind of trojans.

Java trojan
Java trojans in action

The only way to keep the system safe is to update Java regularly. There are two simple ways to do it, get to the Java website, download and install the new version, or click on the system tray Java icon and accept to install the new update.
The question is, what to do when you are a system administrator with some computers at your charge?

Business users never want to click on any updates, they don't want to break anything and it's a waste of time for the sysadmin to go computer by computer in order to download and install lastest Java version.

In this article we are going to silently deploy latest Java version in all our domain network easily and without GPO and domain directives, just .bat scripts.

This is not the usual way to do it, may be it's more like the hacker way, instead of the standard sysadmin procedure, but sometimes the line between hacker and sysadmin is quite slim.

batman .bat script logo
.bat scripts are powerful


The books say that to deploy a software across a domain network, we must get a .msi file, configure a GPO, apply it to users and it will run on the next boot.
But why do we must wait until tomorrow or tell users to reboot now?
We want to do it right now!







Steps

First step, download latest Java version and install on a single computer as usual.

When writing this article, there are two Java versions, 6 and 7.
We prefer to download the Windows Offline package.

Java 6 can be downloaded at:
http://www.java.com/en/download/manual_v6.jsp
Java 7 can be downloaded at:
http://www.java.com/en/download/manual.jsp

Java version 7 will be ok, but if for some kind of compatibility we prefer version 6 it's ok too. We downloaded version 7 Update 9 for this article.

Install it, obliviously with a user with admin rights, and then go to folder:
On Windows 7:
c:\users\YOURUSERNAMEHERE\appdata\locallow\sun\java\jre1.7.0_09
On Windows XP:
c:\documents and settings\YOURUSERNAMEHERE\application data\sun\java\jre1.7.0_09

Copy all the files in that folder and paste them to:
c:\update\bin-java
We need also to create a new subfolder under the new created updates folder to put all the batch files that we are going to build
c:\update\bats-java

For the remote updates we need the psexec.exe file that can be downloaded from microsoft from:
http://live.sysinternals.com/psexec.exe
Copy psexec.exe to c:\update

Also we need to share the c:\update folder for all the users be able to read it, also remember the computer name that we will need later on.

Now go into c:\update\bats-java and create some text files:
The main script is this:

UPDATELIST.BAT

@rem Updates all the computer names listed in the file: LIST.TXT
@set list=\\%~p0list.txt
@set batchupdate=\\%~p0update.bat
for /f %%a in (%list%) do call %batchupdate% %%a

Now the script called by updatelist.bat to do the work:

UPDATE.BAT

@set thepcname=%1%
@set thesharedfolder=\\COMPUTERNAMEGOESHERE\SHAREDUPDATEFOLDERHERE
@set theadminname=DOMAINNAMEGOESHERE\administrator
@%thesharedfolder%\psexec -u  %theadminname% -p ADMINPASSWORDGOESHERE \\%thepcname% cmd /c %thesharedfolder%\bats-java\java.bat %thesharedfolder% %thepcname%


Now the script to install the package:

JAVA.BAT

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
@set thepath=%1%
@set thename=%2%
@set thepathandfile="%thepath%\bin-java\jre1.7.0_09.msi"
@set thepathandlog="%thepath%\bats-java\log-%thename%.txt"
msiexec /i %thepathandfile% /qn REBOOT=ReallySuppress /log %thepathandlog%

Now the list of PC names we are going to update:

LIST.TXT

computername1goeshere
computername2goeshere
computername3goeshere


Be carefull because file update.bat contains the administrator password, this is not safe, we do know, also file java.bat refers to the jre1.7.0_09.msi file, that is different depending on the java version, we must change it according to our downloaded file.

To run the script, it's important to login as administrator and then run (Win + R) the command like this:

\\computername\update\bats-java\updatelist.bat

Do not run it from c:\update\bats-java , that's because of the way paths are implemented in the script.
A log file for every computer listed will be created in the bats-java folder so we can check for installation errors.

All the computers that we are going to update must be in the list.txt file and turned on. It will not reboot or request for it and users may be working while the update is in progress.
Windows XP and Windows 7 have been tested with this script.
Some antivirus detects psexec.exe as a harmful application, it's not, but we may need to temporally disable it.

The script files can be downloaded from here, self-extracting file:
http://noquest.com/network/remote-update-java/update.exe
Remember to download psexec.exe into the same folder c:\update

Sundial
Don't waste your time, do it now and do it fast

Quick steps for the impatient:


Install java on a computer and copy the files we need.
Download update.exe, run it and extract to c:\
Now we have a folder c:\update
Share that folder
Download psexec.exe and save it in c:\update
Edit with notepad the files:
c:\update\bats-java\list.txt to include the computer names to update.
c:\update\bats-java\update.bat to change the computer name, shared folder, domain name, administrator password.
c:\update\bats-java\java.bat to change the .msi file name depending on the downloaded version.
Run cmd.exe
Run \\computername\update\bats-java\updatelist.bat
Check the log files on \\computername\update\bats-java\log-*.txt

This is only an example to update software on multiple computers remotely, this is for Java but can be applied  with minor changes to other programs.
Is there a faster way to do it, and to do it right now no reboot waiting?



January 2013.

Use main page comments for questions.


Tweet
Copyright NoQuest.com Contact NoQuest.com