WannaCry Vulnerability: Custom Analysis created to detect for Vulnerability referenced in MS17-010

Since the outbreak of the WannaCry ransomware, Microsoft has indicated that MS17-010 is the security patches that fixes this vulnerability. However, due to Microsoft’s patch supersedence rule and the nature of their new servicing model aka. Monthly Rollup and Security Only patches, it has been difficult for users to decide whether their devices have been patched.

I created the following custom Analysis aiming to detect whether the vulnerability has been patched, by querying the file version of the ‘srv.sys’ file, which was updated in MS17-010 patches.

Hope these Analysis can serve as a reference.

If you are wondering whether your computers have been patched, or is trying to patch for MS17-010 but is not able to find relevant Fixlets from BigFix, give these a try.

Do share feedbacks here, whether this helps with your situation or if you are seeing any false results.


The above analysis says few of my servers are vulnerable but analysis from this post says server are fine.

Confused :confounded:

What are the file versions you are getting? You may want to do a MBSA scan on one of the servers to confirm.

1 Like

I also see a handful of computers running a lower version of srv.sys. To put in in perspective its less than 0.1% of my estate so I’m happy. Question is, is it the srv.sys file that can be compromised ?
I need to dig a little further to understand how a machine that has been patched and rebooted could still have an older srv.sys

Anyone else ?

1 Like

Thanks @nicksberger for sharing your data!

These analysis serve as a reference, as they have not been extensively tested to cover all cases. Would appreciate your further feedback if you can confirm whether these 0.1% is false report, and (if possible) what exactly is causing this so I can probably enhance the analysis.

I chose srv.sys because it’s the file updated in all MS17-010 fixes.


I think you need to update the relevance because according to MS we should be good with this version 6.0.6002.19743 of the file. Please correct me if am wrong.

The file version 6.0 seems to be for Vista. Are you seeing this on a Win7?

I get the Win7 file version 6.1.7601.23689 from https://support.microsoft.com/en-us/help/4012212/march-2007-security-only-quality-update-for-windows-7-sp1-and-windows-server-2008-r2-sp1

Winodws 2008 Servers

Windows Server 2008 shouldn’t get relevant. The analysis is targeting Win7 and Windows Server 2008 R2.

alright understood, I did make changes to your applicability relevance maybe I should update the property relevance as well with the right version. Sorry for the confusion!

Added Analysis for Windows Server 2008 and Windows Vista. Kindly share feedback here if you encounter any issue using them.


@BaiYunfei, your analyses for identifying download srv.sys is helpful. Thank you.