# Security Patch/KB Install Date

There may be times when you need to determine when a security update was installed. This is a lot easier if you have access to a live machine to run queries against (see [here](https://osd365.com/a-powershell-script-to-list-all-installed-microsoft-windows-updates/) for PowerShell queries); however, that's not always possible. You may only have a limited logical collection, a triage collection (collected by CyLR, UAC, etc.), or a limited backup to work from.

Installed security packages are recorded under the following registry key:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
```

Each key references a specific package.

![](/files/rVzMLDum5d4y9CnDgEcZ)

Keys may contain the following values:

* SelfUpdate (0 for manual updates, 1 for automatic updates)
* InstallTimeHigh
* InstallTimeLow
* InstallUser (SID of the user who installed the package)

Even though the key "Package\_8\_for\_KB4033393\~..." contains a corresponding 'last write timestamp' of **2022-07-14 01:47:25 (UTC)**, I wanted to validate this against the values within the key itself based on the InstallTimeHigh and InstallTimeLow timestamps.

I found a BigFix article which referenced the following formula used to calculate the corresponding timestamp.

`Timestamp = InstallTimeHigh * 2^32 + InstallTimeLow`

2 ^ 32 is 4294967296

In the above example, our formula would look like this:

`Timestamp = (30971683 * 4294967296) + 2864280153`

`Timestamp = (133022365587079168) + 2864280153`

`Timestamp = 133022368451359321`

<div align="center"><img src="/files/1gTs1H1BLeeNF5IV7cgj" alt=""></div>

Converter: <https://www.epochconverter.com/ldap>

:exclamation:Note: if you mount the SOFTWARE hive on another machine and export the key/value as a text file, the corresponding date/timestamp will be adjusted for the host machine's local time.:exclamation:

![](/files/uis4JJD0bZ9oJCIbncds)
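The same calculation can be scripted so the result is always UTC, whatever the time zone of the analysis host. The following is an added example, not part of the original page: it assumes the key was exported in regedit's `.reg` text format with both values stored as DWORDs and the text already decoded to a string, the sample export is constructed from the values above, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Match on the tail of the path so hives mounted under another name still parse.
KEY_RE = re.compile(r"^\[.*\\Component Based Servicing\\Packages\\([^\\\]]+)\]$")
VAL_RE = re.compile(r'^"(InstallTimeHigh|InstallTimeLow)"=dword:([0-9a-fA-F]{8})$')

def filetime_to_utc(high, low):
    """Timestamp = InstallTimeHigh * 2^32 + InstallTimeLow, returned as UTC."""
    if not (0 <= high < 2**32 and 0 <= low < 2**32):
        raise ValueError("each half must be an unsigned 32-bit value")
    ticks = high * 2**32 + low  # 100 ns intervals since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def install_times(reg_text):
    """Map each package key in .reg export text to its install time (UTC).

    Packages missing either half map to None rather than a bogus date.
    """
    halves, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            halves[current] = {}
        elif line.startswith("["):
            current = None  # some other key: ignore its values
        elif current is not None:
            val = VAL_RE.match(line)
            if val:
                halves[current][val.group(1)] = int(val.group(2), 16)
    return {pkg: filetime_to_utc(h["InstallTimeHigh"], h["InstallTimeLow"])
            if len(h) == 2 else None
            for pkg, h in halves.items()}

# Constructed sample: hex DWORDs are the decimal values from the worked example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_8_for_KB4033393~...]
"SelfUpdate"=dword:00000000
"InstallTimeHigh"=dword:01d89723
"InstallTimeLow"=dword:aab97259

[HKEY_LOCAL_MACHINE\OFFLINE_SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Constructed_Package_Without_Times]
"SelfUpdate"=dword:00000000
"""
```

Regedit normally writes `.reg` exports as UTF-16, so read the file with `encoding="utf-16"` before passing its text to `install_times`.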

