How do I generate a list of windows patches and the date they were installed on a windows 2000 server?

Question

How do I generate a list of windows patches and the date they were installed on a windows 2000 server? This is for compliance reports for auditors.

Answer 1

Option 1
Get psinfo from http://technet.microsoft.com/en-us/sysinternals/bb897550.aspx

Run psinfo -h to get the list of hotfixes

Option 2
Another method that doesn't require 3rd party software using wmic; just type: wmic qfe from the command line. The default output gives really long lines, so you might be better off redirecting to a file and viewing it in your favourite text editor.

Variations on a theme include:

• wmic qfe list full
• wmic qfe get HotfixID,ServicePackInEffect,InstallDate,InstalledBy,InstalledOn
• wmic qfe where "HotfixID = 'KB973687'"
• wmic qfe where "HotfixID = 'KB973687'" get HotfixID, InstallDate, InstalledBy, InstalledOn
• wmic qfe where "HotfixID = 'KB973687'" list full
• wmic /node:myserver qfe list full

Option 3
Use Powershell to do the same thing. This is simply:

• Local: get-wmiobject -class win32_quickfixengineering
• Remote: get-wmiobject -class win32_quickfixengineering -computername mysever

Again, this can take filters, for example:

• get-wmiobject -class win32_quickfixengineering -filter "HotfixID = 'KB979683'"

...or as it's Powershell, just pipe through where-object.

Option 4
It looks like recent versions of Windows don't use QFE in the same way. If it looks like you have an incomplete list, then you can try this instead:

$Session = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$Searcher.Search("IsInstalled=1").Updates | ft -a Date,Title

(source for this brief script: an answer on Superuser for Why are “get-hotfix” and “wmic qfe list” in Powershell missing installed updates?).

Answer 2

Check out the "Microsoft Baseline Security Analyzer". I believe it is the tool that you are looking for. See http://www.microsoft.com/mbsa and the associated Wikipedia article.

"Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems."

Answer 3

Quick and Dirty method: Browse the hidden folders in C:\Windows - the $NTUninstallKBxxxxxx refer to the KB Article that discusses the patch. The date on the folder is when it was installed.

Answer 4

The

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3

keys contain subkeys in the registry that have the details you need.

On my box , sample dump looks thus: Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB915865 Class Name: Last Write Time: 8/17/2009 - 9:01 PM Value 0 Name: Description Type: REG_SZ Data: Hotfix for Windows XP (KB915865)

Value 1 Name: InstalledDate Type: REG_SZ Data: 8/17/2009

Value 2 Name: InstalledBy Type: REG_SZ Data: Aviral

Value 3 Name: UninstallCommand Type: REG_SZ Data: C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe

Value 4 Name: Type Type: REG_SZ Data: Update

or "WTF-y" (www.thedailywtf.com) solution:

Use the commandline program , "systeminfo". It outputs a "hotfixes" section ... when you pass it the "\FO CSV" option , it outputs data as a CSV file ... then it should be fairly easy to parse out...