Windows patches and install dates

system · October 16, 2013, 10:14pm

(imported topic written by jpeppers91)

I need some help here. I had a property that would tell me the install date of of windows patches. This was only good for 32bit machines. Since the increase with x64 bit machines this property is becoming less efficient. I’ve since tried to use wmic and write it out to a text file but Bigfix writes it in some weird format that can’t be read. I’m out of ideas. Anyone else can think of something to get this info for both 32 and 64 bit machines?

Here is what I was using before for the past 6 years but this is no longer feasible.

(
if

(
exists

value

“DisplayName”

of

it

AND

(length

of

(value

“DisplayName”

of

it

as

string)

0
)

AND

(
number of

substrings

" "

of

(value

“DisplayName”

of

it

as

string)

<

(length

of

(value

“DisplayName”

of

it

as

string))))

then

(value

“DisplayName”

of

it

as

string

&

(
if

(
exists

value

“Installdate”

of

it
)

then

(
" - "

&

value

“Installdate”

of

it

as

string)

else

(
“”
)))

else

(name

of

it

&

(
if

(
exists

value

“Installdate”

of

it
)

then

(
" - "

&

value

“Installdate”

of

it

as

string)

else

(
“”
))))

of

keys

whose

(
exists

value

“UninstallString”

of

it

AND

exists

value

“DisplayName”

of

it

AND

value

“DisplayName”

of

it

as

string

as

lowercase

contains

“window”
)

of

key

“HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall”

of

registry

I tried using wmic qfe command that produces a text file but Bigfix doesn’t read it properly with the lines of file c:\temp\file.txt relevance

system · October 16, 2013, 11:51pm

(imported comment written by SecurityMG)

use native registry or x64 registry

key

“HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall”

of

registry

Regards,

MG

system · October 16, 2013, 11:57pm

(imported comment written by jpeppers91)

No output.

system · October 31, 2013, 4:12pm

(imported comment written by Trickfinger)

Your last condition, ‘as lowercase contains “window”’ maybe excluding all entries in that tree. Look over some of the entries in that branch to see if those items are what you are interested in. They may have moved MS patches elsewhere. Removing the ‘contains “window”’ part will list items in there. Don’t forget to add ‘native’ as suggested by SecurityMG.

system · October 31, 2013, 6:05pm

(imported comment written by Ahwilson)

Try this

((
if

(
exists

property

“HotFixID”

of

it
)

then

(string value

of

property

“HotFixID”

of

it
)

else

(
""
))
,

(
if

(
exists

property

“InstalledOn”

of

it
)

then

((
if

(
exists

hexadecimal integer (
it
))

then

(((month

of

it

as

integer

as

string
&
"/"
&

day_of_month

of

it

as

integer

as

string
&
"/"
&
year

of

it

as

string)

of

((january

1

of

1601
)
+
((hexadecimal integer (
it
)
/
(
864000000000
))
*
day)))

of

it
)

else

(
it
))

of

string value

of

property

“InstalledOn”

of

it
)

else

(
""
))
,

(
if

(
exists

property

“Description”

of

it
)

then

(string value

of

property

“Description”

of

it
)

else

(
""
)))

of

select objects

“* from Win32_QuickFixEngineering”

of

WMI