
RE: How to generate list of patches installed? (long)

From: Eric Schultze <eric.schultze(at)shavlik.com>
Date: Fri Jul 11 2003 - 04:49:37 EDT


<note: I work for Shavlik, a vendor of some of the tools mentioned in this thread>

Determining the status of 'installed' patches can be tricky. There are several moving parts to this - I'll try and define the various components below as well as provide a background on the referenced tools.

'Installed' patches can be defined in two ways:

  1. explicitly installed - those patches that have been specifically installed on the system at one point in time. Action was taken (Windows Update or other) to deploy the referenced patch on the machine.
  2. effectively installed - those patches that were not explicitly installed on the machine, but have been effectively installed via the installation of a later, superseding hotfix.

An example of number 2 is MS02-001 for Windows 2000 - also known as the Windows 2000 Post-SP2 SRP1, or simply the SP2 SRP (security rollup package). If you've installed only Windows 2000, SP2, and MS02-001, you've 'explicitly' installed 1 hotfix (MS02-001 Q311401), but you've effectively installed 20+ earlier hotfixes that were subsumed by MS02-001. (Examples of the superseded hotfixes would include: MS00-077, 079, 01-004, 007, 011, 013, 015, 024, etc)

Another example:
Let's examine a SQL Server SP2 system (no SQL hotfixes). The machine is vulnerable to the SQL Slammer vulnerability. Patches for SQL Server 2000 SP2 include 02-039, 02-043, 02-056, and 02-061 (among others). 02-039 was the first patch to address the Slammer issue. The fix in 02-039 was also included in 43, 56, and 61. If the only SQL patch you installed was 02-061, you've explicitly installed 02-061, and effectively installed 02-039, 43, and 56.

While it's most important to the system administrator that they are now fully patched, the VP of IT may ask "were we patched for Slammer shortly after 02-039 was released?" You'd then like to know if 02-039 had been explicitly installed, rather than effectively installed 5 months later.

Which brings us to the next question... How do you determine if a patch was explicitly installed? First, you must determine if the files on the system are equal or greater than the files that shipped in the patch. If so* the patch can be assumed to be at least effectively installed (if the files on the system are less than what's in the patch, consider the patch not installed.)

*barring any other special considerations for the patch


Once you know it's been remediated it's time to determine if it's been explicitly installed, rather than applied through some rollup. The simplest way to do this is by checking the registry. If the registry contains a reg key specific to the patch in question (HKLM\Software\Microsoft\Updates\ProductName\Qnumber or similar) it's a good bet that the patch in question was specifically applied. This solution works well for patches that write registry keys during installation. (Note that I'm not advocating checking registry keys only for patch status - registry keys are snapshots of a point in time and may not reflect the actual current state of the box - if a file has been regressed - the registry key values alone won't help identify this.)

However, there are still many types of patches that don't write registry keys during the installation process. Some examples of these patches include SQL Server (prior to the re-released 02-061 at least) and Microsoft Office patches. Installing 02-039 (SQL) updates various files, but does not leave a flag on the system that says 02-039 was explicitly installed - if you later install 02-056, the files will be greater than 02-039, and there is no automated record showing that 02-039 was specifically installed.

Automated patch scanning tools can do a pretty good job of identifying explicitly installed patches that also write registry keys - some can also do a decent job of identifying effectively installed patches (as it's only necessary to see that the files are equal to or greater than expected.) It's a much tougher job to identify explicitly installed patches for those that don't write registry keys.

On to the tools mentioned in the below posts...

QFECheck:
This utility analyzes patch installation status specific to Operating System (and IIS) patches. It reads the various hotfix entries under HKLM\Software\Microsoft\Updates\OSProductName, obtains the file versions listed under \Files and compares these to the file versions of the files on the local system. If the file on the system (say in \system32) is less than what is recorded in the registry (at the time the patch was installed), qfecheck says:

Q######: This hotfix should be reinstalled. The following files are incorrect for this hotfix: C:\WINDOWS\SYSTEM32\FILE.EXT

You can test this yourself - run qfecheck and receive a list of current patches on the system. Open the registry and find a hotfix matching one listed in the qfecheck output. Under \Filelist, select a folder, then select a file - edit the Version number - make it some number much larger than you know is on the system (if file version 5.#, make it 6.#). Now run qfecheck and it will say the specific file is incorrect.
(QFECheck also performs a catalog check as discussed in the Q article for QFECheck)

Note that QFECheck is only checking the OS products - it won't report on patch status for IE patches, Office patches, SQL patches, etc.

Microsoft Baseline Security Analyzer (developed for Microsoft by Shavlik Technologies):
The GUI interface to the product displays information about missing patches (and notes and warnings). To receive a list of installed patches, it's necessary to run the scanner from command line in hfnetchk mode: mbsacli.exe /hf -history 1.

The hfnetchk mode within MBSA 1.1.1 is running the 3.82 version of hfnetchk. This version displays information about 'pseudo effectively' installed patches.

HFNetChk (developed by Shavlik)
There are several versions of HFNetChk, and each behaves a little differently:


HFNetChk 3.32 was released by Microsoft several years ago and is no longer available as a direct download. HFNetChk 3.32 with the -history switch will display pseudo effectively installed patches for the products that it scans. (Note that Q303215 and the syntax usage mention that -history displays 'explicitly installed' hotfixes. This is true, assuming that the XML file contains registry key data for the patches in the output. Since the Microsoft XML file used by HFNetChk 3.32 and 3.82 does not contain registry key data for many patches, these patches may appear in the output as 'installed', even though they are really only 'effectively installed', hence my use of the term pseudo effectively installed)

HFNetChk 3.82 is included as part of MBSA 1.1.1, discussed above.

HFNetChk 3.86 is available from Shavlik and is a more advanced engine than previous versions. With respect to patch installation status, the -history flag was updated to enforce 'explicitly' installed checks - meaning a registry key must exist in the XML file in order for the patch to be considered for 'patch installed' status. Patches without registry keys will not show up as explicitly or effectively installed.

HFNetChk 4.0 (command line exe available within HFNetChkLT or Pro 4.0) takes yet another advancement with respect to 'effectively installed' vs. 'explicitly installed'. In order to capture better data on explicit installation status for patches that don't write registry keys (SQL, Office, etc), the patch deployment process (within the 4.0 product) writes a registry key for each patch it installs (HKLM\Software\Microsoft\Updates\Shavlik) including who installed it and when. When a scan for explicitly installed is performed (the default), if the files pass the test and a registry key is in the XML file and is found in the \Updates\product key, or a registry key exists for this qnumber under the \shavlik key, the patch is displayed as 'installed'. (There is a separate scan option to scan for and display 'effectively installed' patches.) If SQL or Office (or any) patches have been deployed with the 4.0 engine, the command line scanner will display these as 'installed'.

I performed an analysis on my machine (fully patched WinXP SP1 with Office XP Gold) and the tools mentioned above and received the following results for explicitly installed patches:

PRODUCT          # of Patches Found
HFNetChk 4.0     27
HFNetChk 3.86    21
MBSACLI (3.82)   21
HFNetChk 3.32    20
QFECheck         17

(A GIF image of my results can be found here: http://users.tellurian.net/ews/patches/installedpatches.gif)

All of the above mentioned products will display the relevant Knowledge Base article number when displaying the patch status. They do not, however, display the Qnumbers for items included in an already installed Service Pack. (There can be hundreds of Qnumbers related to fixes in an SP). If you have questions about which SP includes the fix for a specific bulletin number, we've tried to include that information for each patch here:
http://www.shavlik.com/bulletin_details.aspx?bltid=MS02-042

(Press Go, then select an individual item - the display will include information on what patch, if any, supersedes this patch, and which Service Pack includes this fix.)


Probably a bit more information than you were looking for, but I hope it is a useful background on 'effectively installed' vs 'explicitly installed' patch assessment as well as the way that the various products mentioned earlier in this thread operate.
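The classification Eric walks through (files at or above the patch level means at least effectively installed, a patch-specific registry key on top of that means explicitly installed, a regressed file means not installed, and an explicit install of a superseding patch carries its predecessors along) can be modelled in a few lines. This is an added example, not code from the e-mail or from any Shavlik or Microsoft tool; the file names, version numbers and registry key path are constructed placeholders, not real patch data.

```python
# Added example, not code from Eric's e-mail or from any Shavlik or Microsoft tool.
# It models the classification the post describes; every file name, version number
# and registry key below is a constructed placeholder, not real patch data.
from dataclasses import dataclass, field

def parse_version(v):
    """'5.1.2600.1106' -> (5, 1, 2600, 1106); short strings are zero-padded so they compare."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

@dataclass
class Patch:
    bulletin: str
    files: dict                      # path -> version the patch shipped (registry \Filelist or XML)
    registry_key: str = None         # key the installer writes; None for patches that write none
    supersedes: list = field(default_factory=list)   # earlier bulletins whose fixes it includes

def files_below_patch(patch, disk):
    """QFECheck-style file test: files on disk that are lower than what the patch shipped."""
    return sorted(p for p, v in patch.files.items()
                  if parse_version(disk.get(p, "0.0.0.0")) < parse_version(v))

def assess(patches, disk, registry_keys):
    """Return {bulletin: 'not installed' | 'effectively installed' | 'explicitly installed'}."""
    status = {}
    for p in patches:
        if files_below_patch(p, disk):            # any file short of the patch level: not installed
            status[p.bulletin] = "not installed"  # (a registry key alone does not rescue a regressed file)
        elif p.registry_key in registry_keys:     # files current and the installer left its key
            status[p.bulletin] = "explicitly installed"
        else:                                     # files current but no record of this install
            status[p.bulletin] = "effectively installed"
    for p in patches:                             # an explicit install carries its superseded set
        if status[p.bulletin] == "explicitly installed":
            for older in p.supersedes:
                status.setdefault(older, "effectively installed")
    return status

# Constructed scenario after the SQL Server example in the post: only MS02-061 was applied,
# it contains the MS02-039 fix, and MS02-039 itself writes no registry key.
SQL_PATCHES = [
    Patch("MS02-039", {"ssnetlib.dll": "8.0.500.0"}),
    Patch("MS02-061", {"ssnetlib.dll": "8.0.700.0"},
          r"HKLM\Software\Microsoft\Updates\SQLServer\QPLACEHOLDER", ["MS02-039"]),
]
DISK = {"ssnetlib.dll": "8.0.700.0"}                                    # constructed on-disk versions
REG = {r"HKLM\Software\Microsoft\Updates\SQLServer\QPLACEHOLDER"}       # constructed registry state
if __name__ == "__main__":
    for bulletin, state in assess(SQL_PATCHES, DISK, REG).items():
        print(bulletin, state)   # MS02-039 effectively installed, MS02-061 explicitly installed
```

Feeding the same patch list a regressed on-disk version reproduces the "registry key present but file incorrect" case the post warns about: MS02-061 drops to not installed even though its key is still there.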

-----Original Message-----
From: "CORREIA, PATRICK" <pcorreia@cha-llp.com>
To: "'Simon R. Binder'" <sbinder@glynwood.org>, Focus-MS <focus-ms@securityfocus.com>
Subject: RE: How to generate list of patches installed?
Date: Thu, 10 Jul 2003 10:48:26 -0400

I would recommend looking at Qfecheck, a tool from Microsoft that lists all
installed hotfixes on a machine.

http://support.microsoft.com/support/kb/articles/Q282/7/84.ASP
(This link is for the Windows 2000/XP version; more info and other versions
can be found by searching
http://www.google.com/search?q=qfecheck+site%3Amicrosoft%2Ecom)

I'm not sure whether it breaks out the rollups into their component parts
for the report, but it's a quick cheap thing to try. Good luck!

--
Patrick Correia, Web Designer
Clough, Harbour & Associates LLP
III Winners Circle 
P.O. Box 5269 
Albany, New York 12205-0269
http://www.cha-llp.com



-----Original Message-----
From: Simon R. Binder [mailto:sbinder@glynwood.org] 
Sent: Wednesday, July 09, 2003 12:51 PM
To: Focus-MS
Subject: How to generate list of patches installed?


Hi, folks-


HFNetChk and the Microsoft Baseline Security Analyzer allow me to scan
a domain and view a list of hotfixes *not* installed on machines.  I
want to go one step further and generate a list of all hotfixes
installed on all machines- including the individual hotfixes included
in the rollups.  Ideally, I'd also like it to include hotfix q-numbers
included in applied service packs.

Received on Fri Jul 11 10:27:23 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:34 EDT

