Security Patch/KB Install Date
How to determine installation time of a specific security patch/update/KB package based on registry key values.
There may be times when you need to determine when a security update was installed. This is obviously a lot easier if you have access to a live machine to run live queries (see here for PowerShell queries); however, that's not always possible. You may only have a limited logical collection or a triage collection (collected by CyLR, UAC, etc.), or you may be working from a limited backup.
Installed security packages are recorded under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
Each subkey references a specific package.
Keys may contain the following values:
- SelfUpdate (0 for manual updates, 1 for automatic updates)
- InstallUser (SID of the user who installed the package)
Even though the key "Package_8_for_KB4033393~..." contains a corresponding 'last write timestamp' of 2022-07-14 01:47:25 (UTC), I wanted to validate this against the values within the key itself based on the InstallTimeHigh and InstallTimeLow timestamps.
I found a BigFix article which referenced the following formula used to calculate the corresponding timestamp.
Timestamp = InstallTimeHigh * 2^32 + InstallTimeLow
2 ^ 32 is 4294967296
In the above example, our formula would look like this:
Timestamp = (30971683 * 4294967296) + 2864280153
Timestamp = (133022365587079168) + 2864280153
Timestamp = 133022368451359321
Note: if you mount the SOFTWARE hive on another machine and export the key/value as a text file, the corresponding date/timestamp will be adjusted for the host machine's local time.
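The formula and the timezone note above, as an added Python example (not code from the original article or the BigFix source). It assumes the combined value is a Windows FILETIME (100 ns intervals since 1601-01-01 UTC); the function names and SAMPLE_EXPORT are constructed for illustration, with the page's two decimal values re-encoded as regedit-style DWORDs.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # assumed FILETIME origin
DWORD_RE = re.compile(r'^"(InstallTime(?:High|Low))"=dword:([0-9a-fA-F]{8})\s*$')

def combine(high: int, low: int) -> int:
    """Timestamp = InstallTimeHigh * 2^32 + InstallTimeLow (the page's formula)."""
    for name, value in (("InstallTimeHigh", high), ("InstallTimeLow", low)):
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"{name} is not a 32-bit DWORD: {value}")
    return (high << 32) | low

def install_time_utc(high: int, low: int) -> datetime:
    """Interpret the combined value as 100 ns ticks and return an aware UTC time."""
    return FILETIME_EPOCH + timedelta(microseconds=combine(high, low) // 10)

def parse_reg_export(text: str) -> dict:
    """Pull the two DWORDs out of a regedit-style text export of one package key."""
    found = {}
    for line in text.splitlines():
        m = DWORD_RE.match(line.strip())
        if m:
            found[m.group(1)] = int(m.group(2), 16)
    missing = {"InstallTimeHigh", "InstallTimeLow"} - found.keys()
    if missing:
        raise KeyError(f"missing values: {sorted(missing)}")
    return found

def delta_seconds(high: int, low: int, last_write_utc: datetime) -> float:
    """Signed gap between the in-key install time and the key's last write time."""
    return (install_time_utc(high, low) - last_write_utc).total_seconds()

# Constructed sample: 30971683 and 2864280153 from the page, written as hex DWORDs.
SAMPLE_EXPORT = '''"InstallTimeHigh"=dword:01d89723
"InstallTimeLow"=dword:aab97259
'''

if __name__ == "__main__":
    vals = parse_reg_export(SAMPLE_EXPORT)
    hi, lo = vals["InstallTimeHigh"], vals["InstallTimeLow"]
    # Last write timestamp quoted on the page, pinned to UTC rather than host local time.
    last_write = datetime(2022, 7, 14, 1, 47, 25, tzinfo=timezone.utc)
    print(combine(hi, lo), install_time_utc(hi, lo).isoformat())
    print(f"delta vs last write: {delta_seconds(hi, lo, last_write):+.3f}s")
```

For the page's values this resolves to 2022-07-14 01:47:25 UTC, the same second as the key's last write timestamp. Keeping every datetime timezone-aware avoids the local-time shift described in the note when the hive is examined on another host.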