Printed 2017/08/22 11:10AM

Detecting Security Updates on Vista/Windows 7/2008/2008R2


When trying to detect whether updates have been installed or not, there were several places we investigated:

Some updates still write to these locations to enable detection and they should be looked for. For instance, SQL Server 2005 SP4 for the database engine will be found at:


However, OS based updates to Vista and above don't tend to get written to a registry key. You could use MBSA or something of that sort to try and detect them all, but there is a simpler method that can be easily scripted. It's the PowerShell Get-Hotfix Cmdlet. If I want a list of all hotfixes, it's simply:


If I know of a specific hotfix to find, I can use the -ID switch. For instance, to find out whether MS11-064 has been installed, I need to refer to its KB#.

Get-Hotfix -ID KB2563894

Do note that this detection isn't perfect. Updates don't necessarily register where Get-Hotfix is looking. For instance, this will throw an error, even if it's installed (SQL Server 2005 SP4):

Get-Hotfix -ID KB246332

Instead, you can use the provder to look for it:

gci HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall `
 | Where-Object {$ -match "KB2463332_.*"}

Given the multiple locations it may be easier to use a specialized tool, but if you're just looking for a handful of patches, then it should be fairly easy to use Powershell to do so.

Copyright © 2002-2017 Redgate. All Rights Reserved. Privacy Policy. Terms of Use. Report Abuse.