How to audit installed Vista updates?

Joe Morris

How can I design a procedure to inventory the Microsoft patches that have
been applied to Vista?

Although the process wasn't completely reliable, in XP you could get a good
idea of what had been installed by enumerating the Registry keys under
HKLM\SOFTWARE\Microsoft\Updates. Microsoft even published a small
command-line utility (QFECHECK) which would (usually) tell you what Windows
patches were installed and which had downleveled files that needed to be
reinstalled. (A real advantage of QFECHECK was that the help desk could
tell users to run it as part of their triage process.)

All of this has changed in Vista. The Registry path used in XP no longer
exists, and the data that was there seems to be scattered over various parts
of the Registry. Further, the Security Bulletin notices do not publish a
Registry key test for Vista.

What I'm trying to do is to be able to have an inventory program record an
enumeration of the installed patches, allowing downstream programs to
determine if the machine has the updates that are required by company
policy. With XP this could (with a few exceptions) be done by saving the
contents of the UPDATES key, but at this time I don't see any way to do it
except by including massive amounts of data from the HKCR hive, which will
(a) mean a huge increase in the size of the inventory files, and (b) take
longer to read and send from the user's machine.

Does anyone have a solution for this?

And if there is an RTFM answer, I'll be happy to accept it if you'll just
tell me which FM is appropriate.

Joe Morris
 
Jon

Joe Morris said:
How can I design a procedure to inventory the Microsoft patches that have
been applied to Vista?

Although the process wasn't completely reliable, in XP you could get a
good idea of what had been installed by enumerating the Registry keys
under HKLM\SOFTWARE\Microsoft\Updates. Microsoft even published a small
command-line utility (QFECHECK) which would (usually) tell you what
Windows patches were installed and which had downleveled files that needed
to be reinstalled. (A real advantage of QFECHECK was that the help desk
could tell users to run it as part of their triage process.)

All of this has changed in Vista. The Registry path used in XP no longer
exists, and the data that was there seems to be scattered over various
parts of the Registry. Further, the Security Bulletin notices do not
publish a Registry key test for Vista.

What I'm trying to do is to be able to have an inventory program record an
enumeration of the installed patches, allowing downstream programs to
determine if the machine has the updates that are required by company
policy. With XP this could (with a few exceptions) be done by saving the
contents of the UPDATES key, but at this time I don't see any way to do it
except by including massive amounts of data from the HKCR hive, which will
(a) mean a huge increase in the size of the inventory files, and (b) take
longer to read and send from the user's machine.

Does anyone have a solution for this?

And if there is an RTFM answer, I'll be happy to accept it if you'll just
tell me which FM is appropriate.

Joe Morris


You can get a basic list by typing this at a command prompt

systeminfo

You could also use the wmic command, e.g.

wmic qfe get hotfixid
wmic qfe get hotfixid,Description
wmic qfe list brief
 
Joe Morris



What does WSUS offer that will allow an inventory program (in my case,
Opsware's "Asset Tracking Edition" product, now owned by HP) to inventory
the patch status?

I'm asking since last time I looked I didn't see an API in WSUS that would
allow it to be used as a closed routine for a third-party product. As I
said in my posting, if the answer is "RTFM" please tell me what FM is
needed.

Joe Morris
 
Joe Morris

Jon said:
You can get a basic list by typing this at a command prompt

systeminfo

You could also use the wmic command, e.g.

wmic qfe get hotfixid
wmic qfe get hotfixid,Description
wmic qfe list brief

Thanks. That certainly helps (and I hadn't run across it -- USENET to the
rescue!) but what would be most useful would be if I can identify
information somewhere on the computer (preferably in the Registry) that
could be picked up by the existing inventory program (Opsware's "Asset
Tracking Edition") and included verbatim in the inventory report for later
parsing. The less the function would require new features to be added to
the Opsware product the more quickly it is likely to be available.

Joe Morris
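
Added example (not part of the original thread and not any poster's or vendor's code): a downstream parser for the output of `wmic qfe get hotfixid,Description` saved verbatim to a file, checked against a list of required updates. It assumes the redirected output is UTF-16 with a byte-order mark and uses fixed-width columns; the KB numbers, the sample rows, and the function names are constructed for illustration.

```python
import re

# Constructed sample of `wmic qfe get hotfixid,Description > qfe.txt` (placeholder KB numbers).
# Assumption: redirected wmic output is UTF-16 LE with a BOM, in fixed-width columns.
_ROWS = [("Description", "HotFixID"), ("Update", "KB0000001"),
         ("Security Update", "KB0000002"), ("Update", "File 1")]  # last row: non-KB entry
SAMPLE = b"\xff\xfe" + "".join(
    f"{d:<17}{h:<11}\r\r\n" for d, h in _ROWS).encode("utf-16-le")


def decode_wmic(raw: bytes) -> str:
    """Decode saved wmic output, honouring a UTF-16 byte-order mark if present."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    return raw.decode("utf-8", errors="replace")


def parse_qfe(raw: bytes) -> dict:
    """Return {HotFixID: Description} for every KB-numbered row."""
    # Blank lines and stray carriage returns are dropped here.
    lines = [ln for ln in decode_wmic(raw).splitlines() if ln.strip()]
    if not lines:
        return {}
    # Column offsets come from the header, so column order does not matter.
    cols = [(m.group().lower(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    names = [name for name, _ in cols]
    if "hotfixid" not in names:
        raise ValueError("no HotFixID column in wmic output")
    starts = [pos for _, pos in cols] + [None]
    patches = {}
    for line in lines[1:]:
        row = {n: line[starts[i]:starts[i + 1]].strip() for i, n in enumerate(names)}
        kb = row["hotfixid"].upper()
        if re.fullmatch(r"KB\d+", kb):  # skip rows that are not KB articles
            patches[kb] = row.get("description", "")
    return patches


def missing_updates(raw: bytes, required) -> list:
    """KB numbers required by policy that the inventory does not list."""
    return sorted({kb.upper() for kb in required} - set(parse_qfe(raw)))


if __name__ == "__main__":
    print(missing_updates(SAMPLE, ["KB0000002", "KB0000009"]))
```

Reading the file in binary mode and decoding by BOM matters here: opening the saved output as plain ASCII or UTF-8 text would interleave NUL bytes and make every KB comparison fail silently.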
 
