
Detecting Security Updates on Vista/Windows 7/2008/2008R2

When trying to detect whether updates have been installed or not, there were several places we investigated:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\HotFix
  • HKLM\Software\Microsoft\Updates

Some updates still write to these locations to enable detection, so they are worth checking. For instance, SQL Server 2005 SP4 for the database engine will be found at:


However, OS-based updates to Vista and above don't tend to get written to a registry key. You could use MBSA or a similar tool to try to detect them all, but there is a simpler method that can be easily scripted: the PowerShell Get-Hotfix cmdlet. If I want a list of all hotfixes, it's simply:


If I know of a specific hotfix to find, I can use the -ID parameter. For instance, to find out whether MS11-064 has been installed, I need to refer to its KB number.

Get-Hotfix -ID KB2563894

Do note that this detection isn't perfect. Updates don't necessarily register where Get-Hotfix is looking. For instance, this will throw an error, even if it's installed (SQL Server 2005 SP4):

Get-Hotfix -ID KB2463332

Instead, you can use the registry provider to look for it:

gci HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall `
 | Where-Object {$_.name -match "KB2463332_.*"}

Given the multiple locations, it may be easier to use a specialized tool, but if you're just looking for a handful of patches, it should be fairly easy to use PowerShell to do so.
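
The two detection paths above combined into one check, as an added example that is not from the original post. The function name Test-PatchInstalled and its output property names are hypothetical, and the Wow6432Node path is an addition (32-bit installers on 64-bit Windows register there); it tries Get-Hotfix first and falls back to key names under the registry locations listed at the top of the article.

```powershell
function Test-PatchInstalled {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$KBId
    )

    # Registry locations from the article, plus the 32-bit view on 64-bit Windows.
    # Not every key exists on every OS version, so keep only the ones present.
    $regPaths = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\HotFix',
        'HKLM:\Software\Microsoft\Updates'
    ) | Where-Object { Test-Path $_ }

    foreach ($kb in $KBId) {
        $foundIn = $null

        # Get-Hotfix writes an error when the ID is not registered with it,
        # so silence the error and test the result instead.
        if (Get-Hotfix -Id $kb -ErrorAction SilentlyContinue) {
            $foundIn = 'Get-Hotfix'
        }
        else {
            # Require a non-digit (or end of name) after the KB number so a
            # shorter KB number cannot match a longer one by prefix.
            $pattern = [regex]::Escape($kb) + '(\D|$)'
            foreach ($path in $regPaths) {
                $hit = Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue |
                    Where-Object { $_.PSChildName -match $pattern } |
                    Select-Object -First 1
                if ($hit) { $foundIn = $hit.Name; break }
            }
        }

        # New-Object is used rather than [pscustomobject] so this also runs
        # on PowerShell 2.0 (Windows 7 / 2008 R2).
        New-Object PSObject -Property @{
            KB        = $kb
            Installed = [bool]$foundIn
            FoundIn   = $foundIn
        } | Select-Object KB, Installed, FoundIn
    }
}

# The two KB numbers used in the article.
Test-PatchInstalled -KBId 'KB2563894', 'KB2463332' | Format-Table -AutoSize
```

A result of Installed = False only means the patch was not registered in any of the places checked, which matches the article's caveat that this detection isn't perfect.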

K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.


Posted by Steve Jones on 6 October 2011

Good tool, and something to keep around. Briefcasing this one. Thanks
