<note: I work for Shavlik, a vendor of some of the tools mentioned in
this thread>
Determining the status of 'installed' patches can be tricky. There are
several moving parts to this - I'll try and define the various
components below as well as provide a background on the referenced
tools.
'Installed' patches can be defined in two ways:
1) explicitly installed - those patches that have been specifically
installed on the system at one point in time. Action was taken (Windows
Update or other) to deploy the referenced patch on the machine.
2) effectively installed - those patches that were not explicitly
installed on the machine, but have been effectively installed via the
installation of a later, superseding hotfix.
An example of number 2 is MS02-001 for Windows 2000 - also known as the
Windows 2000 Post-SP2 SRP1, or simply the SP2 SRP (security rollup
package). If you've installed only Windows 2000, SP2, and MS02-001,
you've 'explicitly' installed 1 hotfix (MS02-001 Q311401), but you've
effectively installed 20+ earlier hotfixes that were subsumed by
MS02-001. (Examples of the superseded hotfixes would include: MS00-077,
079, 01-004, 007, 011, 013, 015, 024, etc)
Another example:
Let's examine a SQL Server SP2 system (no SQL hotfixes). The machine is
vulnerable to the SQL Slammer vulnerability. Patches for SQL Server
2000 SP2 include 02-039, 02-043, 02-056, and 02-061 (among others).
02-039 was the first patch to address the Slammer issue. The fix in
02-039 was also included in 43, 56, and 61. If the only SQL patch you
installed was 02-061, you've explicitly installed 02-061, and
effectively installed 02-039, 43, and 56.
While it's most important to the system administrator that they are now
fully patched, the VP of IT may ask "were we patched for Slammer shortly
after 02-039 was released?" You'd then like to know if 02-039 had been
explicitly installed, rather than effectively installed 5 months later.
Which brings us to the next question... How do you determine if a patch
was explicitly installed? First, you must determine if the files on the
system are equal or greater than the files that shipped in the patch.
If so* the patch can be assumed to be at least effectively installed (if
the files on the system are less than what's in the patch, consider the
patch not installed.)
*barring any other special considerations for the patch
Once you know it's been remediated it's time to determine if it's been
explicitly installed, rather than applied through some rollup. The
simplest way to do this is by checking the registry. If the registry
contains a reg key specific to the patch in question
(HKLM\Software\Microsoft\Updates\ProductName\Qnumber or similar) it's a
good bet that the patch in question was specifically applied. This
solution works well for patches that write registry keys during
installation. (Note that I'm not advocating checking registry keys only
for patch status - registry keys are snapshots of a point in time and
may not reflect the actual current state of the box - if a file has been
regressed - the registry key values alone won't help identify this.)
However, there are still many types of patches that don't write registry
keys during the installation process. Some examples of these patches
include SQL Server (prior to the re-released 02-061 at least) and
Microsoft Office patches. Installing 02-039 (SQL) updates various
files, but does not leave a flag on the system that says 02-039 was
explicitly installed - if you later install 02-056, the files will be
greater than 02-039, and there is no automated record showing that
02-039 was specifically installed.
Automated patch scanning tools can do a pretty good job of identifying
explicitly installed patches that also write registry keys - some can
also do a decent job of identifying effectively installed patches (as
it's only necessary to see that the files are equal to or greater than
expected.) It's a much tougher job to identify explicitly installed
patches for those that don't write registry keys.
On to the tools mentioned in the below posts...
QFECheck:
This utility analyzes patch installation status specific to Operating
System (and IIS) patches. It reads the various hotfix entries under
HKLM\Software\Microsoft\Updates\OSProductName, obtains the file versions
listed under \Files and compares these to the file versions of the
files on the local system. If the file on the system (say in \system32)
is less than what is recorded in the registry (at the time the patch was
installed), qfecheck says
Q######: This hotfix should be reinstalled.
The following files are incorrect for this hotfix:
C:\WINDOWS\SYSTEM32\FILE.EXT
You can test this yourself - run qfecheck and receive a list of current
patches on system. Open the registry and find a hotfix matching one
listed in the qfecheck output. Under \Filelist, select a folder, then
select a file - edit the Version number - make it some number much
larger than you know is on the system (if file version 5.#, make it
6.#). Now run qfecheck and it will say the specific file is incorrect.
(QFECheck also performs a catalog check as discussed in the Qarticle for
QFECheck)
Note that QFECheck is only checking the OS products - it won't report on
patch status for IE patches, Office patches, SQL patches, etc.
Microsoft Baseline Security Analyzer (developed for Microsoft by Shavlik
Technologies):
The GUI interface to the product displays information about missing
patches (and notes and warnings). To receive a list of installed
patches, it's necessary to run the scanner from command line in hfnetchk
mode: mbsacli.exe /hf -history 1.
The hfnetchk mode within MBSA 1.1.1 is running the 3.82 version of
hfnetchk. This version displays information about 'pseudo effectively'
installed patches.
HFNetChk (developed by Shavlik)
There are several versions of HFNetChk, and each behaves a little
differently:
HFNetChk 3.32
was released by Microsoft several years ago and is no longer available
as a direct download. HFNetChk 3.32 with the -history switch will
display pseudo effectively installed patches for the products that it
scans. (Note that Q303215 and the syntax usage mention that -history
displays 'explicitly installed' hotfixes. This is true, assuming that
the XML file contains registry key data for the patches in the output.
Since the Microsoft XML file used by HFNetChk 3.32 and 3.82 does not
contain registry key data for many patches, these patches may appear in
the output as 'installed', even though they are really only 'effectively
installed', hence my use of the term pseudo effectively installed)
HFNetChk 3.82
is included as part of MBSA 1.1.1, discussed above.
HFNetChk 3.86 is available from Shavlik and is a more advanced engine
than previous versions. With respect to patch installation status, the
-history flag was updated to enforce 'explicitly' installed checks -
meaning a registry key must exist in the XML file in order for the patch
to be considered for 'patch installed' status. Patches without
registry keys will not show up as explicitly or effectively installed.
HFNetChk 4.0 (command line eve available within HFNetChkLT or Pro 4.0)
Takes yet another advancement with respect to 'effectively installed'
vs. 'explicitly installed'. In order to capture better data on explicit
installation status for patches that don't write registry keys (SQL,
Office, etc), the patch deployment process (within the 4.0 product)
writes a registry key for each patch it installs
(HKLM\Software\Microsoft\Updates\Shavlik) including who installed it and
when. When a scan for explicitly installed is performed (the default),
if the files pass the test and a registry key is in the XML file and is
found in the \Updates\product key, or a registry key exists for this
qnumber under the \shavlik key, the patch is displayed as 'installed'.
(There is a separate scan option to scan for and display 'effectively
installed' patches.) If SQL or Office (or any) patches have been
deployed with the 4.0 engine, the command line scanner will display
these as 'installed'.
I performed an analysis on my machine (fully patched WinXP SP1 with
Office XP Gold) and the tools mentioned above and received the following
results for explicitly installed patches:
PRODUCT            # of Patches Found
HFNetChk 4.0       27
HFNetChk 3.86      21
MBSACLI (3.82)     21
HFNetChk 3.32      20
QFECheck           17
(A GIF image of my results can be found here:
http://users.tellurian.net/ews/patches/installedpatches.gif)
All of the above mentioned products will display the relevant Knowledge
Base article number when displaying the patch status. They do not,
however, display the Qnumbers for items included in an already installed
Service Pack. (There can be hundreds of Qnumbers related to fixes in an
SP). If you have questions about which SP includes the fix for a
specific bulletin number, we've tried to include that information for
each patch here:
http://www.shavlik.com/bulletin_details.aspx?bltid=MS02-042
(Press Go, then select an individual item - the display will include
information on what patch, if any, supersedes this patch, and which
Service Pack includes this fix.)
Probably a bit more information than you were looking for, but I hope a
useful background on 'effectively installed' vs 'explicitly installed'
patch assessment as well as the way that the various products mentioned
earlier in this thread operate.
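The decision procedure described in the post above (file versions equal or greater than the patch's files, then a registry key to tell explicit from effective installation, plus the QFECheck-style regression check) can be modelled in a few lines. The block below is an added example, not code from the post, Shavlik or Microsoft; the file path, the file versions, the registry key names and the one-subkey-per-bulletin layout under \Updates\Shavlik are all constructed assumptions so that it runs offline.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

UPDATES_ROOT = r"HKLM\Software\Microsoft\Updates"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted file version such as '2000.80.534.0' into a comparable tuple,
    so that '6.0' compares greater than '5.1.2600.1106' (numeric, not string, order)."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Patch:
    bulletin: str
    files: Dict[str, str]               # path -> file version shipped in the patch
    registry_key: Optional[str] = None  # key the installer writes; None if it writes none


@dataclass
class Host:
    file_versions: Dict[str, str]       # path -> version currently on disk
    registry_keys: Set[str]             # registry keys present on the box


def files_satisfied(patch: Patch, host: Host) -> bool:
    """Every file shipped in the patch must be on disk at an equal or greater version."""
    for path, shipped in patch.files.items():
        on_disk = host.file_versions.get(path)
        if on_disk is None or parse_version(on_disk) < parse_version(shipped):
            return False
    return True


def patch_status(patch: Patch, host: Host) -> str:
    """'not installed' / 'effectively installed' / 'explicitly installed' as the post defines them."""
    if not files_satisfied(patch, host):
        return "not installed"
    # The patch's own registry key proves it was specifically applied.
    if patch.registry_key and patch.registry_key in host.registry_keys:
        return "explicitly installed"
    # Assumed layout of the 4.0-style deployment record: one subkey per bulletin.
    if f"{UPDATES_ROOT}\\Shavlik\\{patch.bulletin}" in host.registry_keys:
        return "explicitly installed"
    # Files are current but nothing records this patch itself: a later patch brought them.
    return "effectively installed"


def reinstall_needed(recorded: Dict[str, str], host: Host) -> List[str]:
    """QFECheck-style regression check: versions recorded in the registry at install
    time versus the files on disk now. A lower file on disk means the hotfix
    'should be reinstalled'; the registry key alone would not reveal this."""
    return [path for path, recorded_version in recorded.items()
            if parse_version(host.file_versions.get(path, "0")) < parse_version(recorded_version)]


# Constructed sample data (file name, versions and key names are made up).
SQL_DLL = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\constructed.dll"
MS02_039 = Patch("MS02-039", {SQL_DLL: "2000.80.636.0"})            # writes no registry key
MS02_061 = Patch("MS02-061", {SQL_DLL: "2000.80.679.0"},
                 registry_key=f"{UPDATES_ROOT}\\SQL Server 2000\\MS02-061")
SQL_PATCHES = [MS02_039, MS02_061]

# Host A: only 02-061 was ever run, and its installer wrote its key.
HOST_A = Host({SQL_DLL: "2000.80.679.0"}, {MS02_061.registry_key})
# Host B: bare SP2, no SQL hotfixes at all.
HOST_B = Host({SQL_DLL: "2000.80.534.0"}, set())
# Host C: 02-039 deployed by a 4.0-style engine that records what it installed,
# files later raised to the 02-061 level by some other means, no 02-061 key.
HOST_C = Host({SQL_DLL: "2000.80.679.0"}, {f"{UPDATES_ROOT}\\Shavlik\\MS02-039"})


def assess(host: Host, patches: List[Patch] = SQL_PATCHES) -> Dict[str, str]:
    """Status of every patch in the list for one host, keyed by bulletin id."""
    return {p.bulletin: patch_status(p, host) for p in patches}


if __name__ == "__main__":
    for name, host in (("A", HOST_A), ("B", HOST_B), ("C", HOST_C)):
        print(name, assess(host), "reinstall:", reinstall_needed({SQL_DLL: "2000.80.679.0"}, host))
```

Host A reproduces the scenario in the post: 02-061 reports as explicitly installed and 02-039 only as effectively installed, because nothing on the box records that 02-039 itself was ever run. The version comparison is done on integer tuples on purpose; comparing version strings lexically would rank "5.1.2600.1106" above "6.0".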
-----Original Message-----
From: "CORREIA, PATRICK" <pcorreia (at) cha-llp (dot) com [email concealed]>
To: "'Simon R. Binder'" <sbinder (at) glynwood (dot) org [email concealed]>, Focus-MS
<focus-ms (at) securityfocus (dot) com [email concealed]>
Subject: RE: How to generate list of patches installed?
Date: Thu, 10 Jul 2003 10:48:26 -0400
I would recommend looking at Qfecheck, a tool from Microsoft that lists
all
installed hotfixes on a machine.
http://support.microsoft.com/support/kb/articles/Q282/7/84.ASP
(This link is for the Windows 2000/XP version; more info and other
versions
can be found by searching
http://www.google.com/search?q=qfecheck+site%3Amicrosoft%2Ecom)
I'm not sure whether it breaks out the rollups into their component
parts
for the report, but it's a quick cheap thing to try. Good luck!
--
Patrick Correia, Web Designer
Clough, Harbour & Associates LLP
III Winners Circle
P.O. Box 5269
Albany, New York 12205-0269
http://www.cha-llp.com
-----Original Message-----
From: Simon R. Binder [mailto:sbinder (at) glynwood (dot) org [email concealed]]
Sent: Wednesday, July 09, 2003 12:51 PM
To: Focus-MS
Subject: How to generate list of patches installed?
Hi, folks-
HFNetChk and the Microsoft Baseline Security Analyzer allow me to scan
a domain and view a list of hotfixes *not* installed on machines. I
want to go one step further and generate a list of all hotfixes
installed on all machines- including the individual hotfixes included
in the rollups. Ideally, I'd also like it to include hotfix q-numbers
included in applied service packs.