Last patch date of Windows OS

written by AAttree

Hello Guys,

We need to fetch the last patched date of Windows OS (flavors are: 2000/2003/2008/7/XP). For example, if a system was last patched on 01 Dec 2013, then it should return this date. This is a compliance requirement.

We all know WMI is not a 100% accurate way to do it, though across multiple platforms it seems to be a very convenient way. This is primarily so on the Win2008/7 platform, where MS has hidden patch installation details from being queried directly from the registry (yes, we can up to some level, but information like ‘InstalledOn’ etc. can’t be). I’ve made a relevance using WMI that utilizes the class ‘win32_quickfixengineering’. This query is not returning correct results:

a. On the Win2008/7 platform, the property ‘InstalledOn’ returns the date/time as hexadecimal values, which need to be converted to a normal human-readable date/time. I tried to find a way to do it, but the solution seems to come out very complex, utilizing PowerShell etc.

b. This code breaks where the value doesn’t exist.

Please suggest a solution to get this data, especially for #a. The code that I’ve written is:

following text of last ";;;" of concatenation ";;;" of (unique values of (parenthesized parts 1 of matches (regex "|(\d?\d/\d\d/\d\d\d\d)") of it) of (((string value of item 0 of it) as string|"") & "||" & ((string value of item 1 of it) as string|"") & "||" & ((string value of item 2 of it) as string|"") & "||" & ((string value of item 3 of it) as string|"")) of (items 0 whose (string value of it starts with "KB") of it, items 1 whose (it as string = regex ".\d/\d\d/\d\d\d\d.") of it, item 2 of it, item 3 of it) of ((property "HotFixID" of it, property "InstalledOn" of it, property "Description" of it, property "InstalledBy" of it, property "InstallDate" of it) of select objects "* from win32_quickfixengineering" of wmi))

Thanks,

Anuj

written by AAttree

Hello Folks,

I’d really appreciate it if someone replies to this.

Thanks,

Anuj

written by jgstew

WU Last Successful Install Time:

(if exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install" of it) whose (exists value "LastSuccessTime" of it) then ( value "LastSuccessTime" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install" of it as string) else "<none>") of native registry

This is how you convert time in seconds from Epoch to real date/time using relevance: (this eval will give you the date Windows was installed)

(value "InstallDate" of key "HKLM\Software\Microsoft\Windows NT\CurrentVersion" of native registry) as string as integer * second + "01 Jan 1970 00:00:00" as local time

The 2nd example might be usable if the “InstalledOn” you are talking about for Win7+ is seconds from Epoch. You just need to convert it to a decimal from hexadecimal, then: * second + "01 Jan 1970 00:00:00" as local time
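An added example (not written by anyone in this thread) for points a and b of the question: normalizing exported InstalledOn values in Python, skipping missing ones, and returning the latest date. It assumes the 16-digit hexadecimal values are Windows FILETIME (100 ns ticks since 1601-01-01 UTC) and that slash dates are month/day/year; the KB IDs and sample values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: 16 hex digits = FILETIME, 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEX_FILETIME = re.compile(r"[0-9A-Fa-f]{16}")


def parse_installed_on(raw):
    """Return a date for one InstalledOn value, or None if it is unusable."""
    value = (raw or "").strip()
    if not value:
        return None  # point b: property missing or empty
    if HEX_FILETIME.fullmatch(value):
        ticks = int(value, 16)
        try:
            return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).date()
        except OverflowError:
            return None  # hex string that is not a plausible timestamp
    # Assumption: text dates are month/day/year or compact YYYYMMDD.
    for fmt in ("%m/%d/%Y", "%Y%m%d"):
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    return None


def last_patch_date(records):
    """Latest parseable InstalledOn date among (HotFixID, InstalledOn) pairs."""
    dates = [d for d in (parse_installed_on(v) for _, v in records) if d]
    return max(dates) if dates else None


# Constructed sample rows; the KB IDs are placeholders, not real updates.
SAMPLE = [
    ("KB0000001", "11/14/2013"),        # text date
    ("KB0000002", "01ceee2847248000"),  # hex FILETIME for 2013-12-01 UTC
    ("KB0000003", ""),                  # empty property
    ("KB0000004", None),                # property absent
    ("KB0000005", "20130910"),          # compact date
]

if __name__ == "__main__":
    print(last_patch_date(SAMPLE))
```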

written by AAttree

Hello jgstew,

Thank you for your reply. Really appreciate.

It took time here for a reply on my query and in between I was on off. I came up with a trickier way to fetch the last write time of the registry to assess ‘Last Patched Date’ on Win2008/Win7 platforms:

q: preceding texts of last " " of preceding texts of last " " of (it as string) of (maximum of last write times of keys whose (name of it contains ".KB" or name of it contains "_KB" or name of it starts with "KB") of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"; "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"; "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Hotfix") of (registry; native registry))

It is not 100% accurate; however, it gives sufficient results.

Thanks,

Anuj

written by jgstew

That’s useful, I like the idea of reading the max write time of all of the KB keys.

I think this is another useful data point to go along with “WU Last Successful Install Time”

Can you submit this relevance to:
http://bigfix.me/
I’d like to add this to my WSUS analysis and give you proper credit.

My WSUS analysis:
http://bigfix.me/analysis/details/69