9

Is there a way in Windows to check that say Security Bulletin MS**-*** or CVE-****-***** has been patched? e.g. something akin to RedHat's rpm -q --changelog service

Windows 2008 R2 SP1

frogstarr78

5 Answers

8

Running SystemInfo against your server (systeminfo /s $SERVER) should also list installed hotfixes.

Hotfix(s): 333 Hotfix(s) Installed.
[161]: IDNMitigationAPIs - Update
[162]: NLSDownlevelMapping - Update
[163]: KB929399
[164]: KB952069_WM9
[165]: KB968816_WM9
[166]: KB973540_WM9L
[167]: KB936782_WMP11
4

WMIC can list installed hotfixes:

C:\>wmic qfe get hotfixid, installedon
HotFixID   InstalledOn
KB2605658  11/30/2011
KB2608610  9/1/2011
KB2608612  9/26/2011
KB2614194  9/26/2011
...(more)...

It can also search for a specific hotfix. Here I show two searches - one successful, one unsuccessful:

C:\>wmic qfe where (hotfixid = 'KB2608610') get hotfixid, installedon
HotFixID   InstalledOn
KB2608610  9/1/2011

C:\>wmic qfe where (hotfixid = 'nosuch') get hotfixid, installedon
No Instance(s) Available.
quux
3

I run PSinfo -h against the server to show installed hotfixes.

Mitch
  • nice, but it doesn't list any hotfixes – frogstarr78 Nov 24 '11 at 18:40
  • It should look something like this, if I knew anything about formatting this stuff properly. Installed HotFix 2007-11-17 Microsoft .NET Framework 1.1 Hotfix (KB928366) 2008-10-27 Microsoft .NET Framework 1.1 Hotfix (KB947742) 2007-05-25 Microsoft .NET Framework 1.1 Service Pack 1 (KB867460) 2004-07-17 Microsoft Data Access Components KB870669 – Mitch Nov 24 '11 at 18:44
  • I understand. The link you provided has a pretty good example of the output also. It just doesn't list anything for me. I don't suppose it has anything to do w/ me using SP1? – frogstarr78 Nov 24 '11 at 19:06
  • I'm not sure, I am seeing some feedback on the SP displaying incorrectly on R2. An alternate solution you might try is a PowerShell script that will pull the hotfixes for you. – Mitch Nov 24 '11 at 19:08
  • Will do. Thanx Mitch – frogstarr78 Nov 24 '11 at 19:33
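
The per-KB lookup from the WMIC answer, done the PowerShell way mentioned in the comments, as an added example (not code from any of the posters). It assumes you have already looked up which KB numbers the bulletin or CVE maps to; `Test-HotFixInstalled` is a hypothetical helper name and `KB0000000` is a placeholder.

```powershell
# Added example, written for PowerShell 2.0+ (the version shipped with 2008 R2).
# Test-HotFixInstalled is a hypothetical helper name, not a built-in cmdlet.
function Test-HotFixInstalled {
    param(
        [Parameter(Mandatory = $true)][string[]]$KbId,
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        $installed = $null
        $queryError = $null
        try {
            # One query per host; Get-HotFix reads Win32_QuickFixEngineering,
            # the same class that "wmic qfe" queries.
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop)
        } catch {
            $queryError = $_.Exception.Message
        }
        foreach ($kb in $KbId) {
            # Accept "2608610" or "kb2608610" and normalise to "KB2608610".
            $id = 'KB' + ($kb.Trim() -replace '^kb', '')
            $status = 'NotListed'
            $hit = $null
            if ($queryError) {
                # Host unreachable or access denied: do not report this as unpatched.
                $status = 'Unknown'
            } else {
                # QFE IDs can carry a suffix (e.g. KB952069_WM9), so match the KB
                # number followed by a non-digit or end of string.
                $pattern = '^' + [regex]::Escape($id) + '(\D|$)'
                $hit = $installed | Where-Object { $_.HotFixID -match $pattern } |
                    Select-Object -First 1
                if ($hit) { $status = 'Installed' }
            }
            New-Object PSObject -Property @{
                ComputerName = $computer
                HotFixID     = $id
                Status       = $status
                InstalledOn  = $(if ($hit) { $hit.InstalledOn })
                Detail       = $queryError
            } | Select-Object ComputerName, HotFixID, Status, InstalledOn, Detail
        }
    }
}

# KB2608610 appears in the wmic output above; KB0000000 is a placeholder.
Test-HotFixInstalled -KbId 'KB2608610', 'KB0000000' | Format-Table -AutoSize
```

Win32_QuickFixEngineering only reports updates installed through Component Based Servicing, so `NotListed` means "not reported by QFE" rather than "definitely unpatched"; updates delivered as MSI packages have to be checked another way.
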
3

Another alternative if you can't use pstools and find yourself stuck with native Winder tools:

reg query hklm\software\microsoft\windows\currentversion\uninstall /s | findstr "KB[0-9].*" > %TEMP%\Installed.txt & notepad %TEMP%\Installed.txt
Glen
1

Also, for checking vulnerabilities on subsystems that you might not know about on the system, the Microsoft Baseline Security Analyzer is a fairly useful tool. It's not always the ones you know about that get you; sometimes there are oddball things installed that aren't scanned or serviced by WSUS or Microsoft Update that can remain unpatched or unmitigated for the life of the system.

Fiasco Labs