How to audit installed Vista updates?

How can I design a procedure to inventory the Microsoft patches that have
been applied to Vista?

Although the process wasn't completely reliable, in XP you could get a good
idea of what had been installed by enumerating the Registry keys under
HKLM\SOFTWARE\Microsoft\Updates. Microsoft even published a small
command-line utility (QFECHECK) which would (usually) tell you what Windows
patches were installed and which had downleveled files that needed to be
reinstalled. (A real advantage of QFECHECK was that the help desk could
tell users to run it as part of their triage process.)

All of this has changed in Vista. The Registry path used in XP no longer
exists, and the data that was there seems to be scattered over various parts
of the Registy. Further, the Security Bulletin notices do not publish a
Registry key test for Vista.

What I'm trying to do is to be able to have an inventory program record an
enumeration of the installed patches, allowing downstream programs to
determine if the machine has the updates that are required by company
policy. With XP this could (with a few exceptions) be done by saving the
contents of the UPDATES key, but at this time I don't see any way to do it
except by including massive amounts of data from the HKCR hive, which will
(a) mean a huge increase in the size of the inventory files, and (b) take
longer to read and send from the user's machine.

Does anyone have a solution for this?

And if there is an RTFM answer, I'll be happy to accept it if you'll just
tell me which FM is appropriate.

Joe Morris

Windows Server Update Services
http://technet.microsoft.com/wsus/default.aspx

Download:
http://technet.microsoft.com/wsus/bb466193.aspx
--
Andre
Blog: http://adacosta.spaces.live.com
My Vista Quickstart Guide:
http://adacosta.spaces.live.com/blog...3DB!9709.entry
"Joe Morris" <> wrote in message
news:tgX%i.6827$e35.3610@trnddc08...
> How can I design a procedure to inventory the Microsoft patches that have
> been applied to Vista?
>
> Although the process wasn't completely reliable, in XP you could get a
> good idea of what had been installed by enumerating the Registry keys
> under HKLM\SOFTWARE\Microsoft\Updates. Microsoft even published a small
> command-line utility (QFECHECK) which would (usually) tell you what
> Windows patches were installed and which had downleveled files that needed
> to be reinstalled. (A real advantage of QFECHECK was that the help desk
> could tell users to run it as part of their triage process.)
>
> All of this has changed in Vista. The Registry path used in XP no longer
> exists, and the data that was there seems to be scattered over various
> parts of the Registy. Further, the Security Bulletin notices do not
> publish a Registry key test for Vista.
>
> What I'm trying to do is to be able to have an inventory program record an
> enumeration of the installed patches, allowing downstream programs to
> determine if the machine has the updates that are required by company
> policy. With XP this could (with a few exceptions) be done by saving the
> contents of the UPDATES key, but at this time I don't see any way to do it
> except by including massive amounts of data from the HKCR hive, which will
> (a) mean a huge increase in the size of the inventory files, and (b) take
> longer to read and send from the user's machine.
>
> Does anyone have a solution for this?
>
> And if there is an RTFM answer, I'll be happy to accept it if you'll just
> tell me which FM is appropriate.
>
> Joe Morris
>

"Joe Morris" <> wrote in message
news:tgX%i.6827$e35.3610@trnddc08...
> How can I design a procedure to inventory the Microsoft patches that have
> been applied to Vista?
>
> Although the process wasn't completely reliable, in XP you could get a
> good idea of what had been installed by enumerating the Registry keys
> under HKLM\SOFTWARE\Microsoft\Updates. Microsoft even published a small
> command-line utility (QFECHECK) which would (usually) tell you what
> Windows patches were installed and which had downleveled files that needed
> to be reinstalled. (A real advantage of QFECHECK was that the help desk
> could tell users to run it as part of their triage process.)
>
> All of this has changed in Vista. The Registry path used in XP no longer
> exists, and the data that was there seems to be scattered over various
> parts of the Registy. Further, the Security Bulletin notices do not
> publish a Registry key test for Vista.
>
> What I'm trying to do is to be able to have an inventory program record an
> enumeration of the installed patches, allowing downstream programs to
> determine if the machine has the updates that are required by company
> policy. With XP this could (with a few exceptions) be done by saving the
> contents of the UPDATES key, but at this time I don't see any way to do it
> except by including massive amounts of data from the HKCR hive, which will
> (a) mean a huge increase in the size of the inventory files, and (b) take
> longer to read and send from the user's machine.
>
> Does anyone have a solution for this?
>
> And if there is an RTFM answer, I'll be happy to accept it if you'll just
> tell me which FM is appropriate.
>
> Joe Morris
>


You can get a basic list by typing this at a command prompt

systeminfo

You could also use the wmic command eg

wmic qfe get hotfixid
wmic qfe get hotfixid,Description
wmic qfe list brief

--
Jon

"Andre Da Costa[ActiveWin]" <> wrote:
> "Joe Morris" <> wrote:

>> How can I design a procedure to inventory the Microsoft patches that have
>> been applied to Vista?
>>
>> What I'm trying to do is to be able to have an inventory program record
>> an enumeration of the installed patches, allowing downstream programs to
>> determine if the machine has the updates that are required by company
>> policy.>

> Windows Server Update Services
> http://technet.microsoft.com/wsus/default.aspx


What does WSUS offer that will allow an inventory program (in my case,
Opsware's "Asset Tracking Edition" product, now owned by HP) to inventory
the patch status?

I'm asking since last time I looked I didn't see an API in WSUS that would
allow it to be used as a closed routine for a third-party product. As I
said in my posting, if the answer is "RTFM" please tell me what FM is
needed.

Joe Morris

"Jon" <> wrote:
> "Joe Morris" <> wrote:

>> How can I design a procedure to inventory the Microsoft patches that have
>> been applied to Vista?
>>
>> What I'm trying to do is to be able to have an inventory program record
>> an enumeration of the installed patches, allowing downstream programs to
>> determine if the machine has the updates that are required by company
>> policy.


> You can get a basic list by typing this at a command prompt
>
> systeminfo
>
> You could also use the wmic command eg
>
> wmic qfe get hotfixid
> wmic qfe get hotfixid,Description
> wmic qfe list brief

Thanks. That certainly helps (and I hadn't run across it -- USENET to the
rescue!) but what would be most useful would be if I can identify
information somewhere on the computer (preferably in the Registry) that
could be picked up by the existing inventory program (Opsware's "Asset
Tracking Edition") and included verbatim in the inventory report for later
parsing. The less the function would require new features to be added to
the Opsware product the more quickly it is likely to be available.

Joe Morris