# Security Patch/KB Install Date

There may be times when you need to determine when a security update was installed. This is a lot easier if you have access to a live machine to run live queries (see [here](https://osd365.com/a-powershell-script-to-list-all-installed-microsoft-windows-updates/) for PowerShell queries); however, that's not always possible. You may only have a limited logical collection, a triage collection (collected by CyLR, UAC, etc.), or a limited backup to work from.

Installed security packages are recorded under the following registry key in the SOFTWARE hive:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
```

Each subkey references a specific package.

![](https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FX5dIYA4gz2IeGXaTojQs%2Fimage.png?alt=media\&token=ce977e0a-4d30-4c6b-b343-80220dc8f8c5)

Keys may contain the following values:

* SelfUpdate (0 for manual updates, 1 for automatic updates)
* InstallTimeHigh
* InstallTimeLow
* InstallUser (SID of the user who installed the package)

Even though the key "Package\_8\_for\_KB4033393\~..." contains a corresponding 'last write timestamp' of **2022-07-14 01:47:25 (UTC)**, I wanted to validate this against the values within the key itself based on the InstallTimeHigh and InstallTimeLow timestamps.

I found a BigFix article which referenced the following formula used to calculate the corresponding timestamp.

`Timestamp = InstallTimeHigh * 2^32 + InstallTimeLow`

2 ^ 32 is 4294967296

In the above example, our formula would look like this:

`Timestamp = (30971683 * 4294967296) + 2864280153`

`Timestamp = (133022365587079168) + 2864280153`

`Timestamp = 133022368451359321`

<div align="center"><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FgNhBuYDrpBdgB9KV2GEA%2Fimage.png?alt=media&#x26;token=7e505e65-f0c7-42e6-98b4-dead49b9f002" alt=""></div>

Converter: <https://www.epochconverter.com/ldap>

:exclamation:Note: if you mount the SOFTWARE hive on another machine and export the key/value as a text file, the corresponding date/timestamp will be adjusted for the host machine's local time.:exclamation:

![](https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FUPOZzzuVtHfDgJQPliz0%2Fimage.png?alt=media\&token=95a4e439-28aa-447a-9ef9-7ad33f5bba10)
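The calculation above as an added Python example (not from the original page or the BigFix article): it reads a `.reg`-style text export of the Packages key, combines InstallTimeHigh and InstallTimeLow, and returns the install time in UTC, so the result does not depend on the analysis host's time zone. The sample export is constructed from the values on this page (the key name stays truncated as shown above, the second key is made up), the function names are illustrative, and the combined value is treated as a Windows FILETIME, which is what the linked converter assumes.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(InstallTimeHigh|InstallTimeLow)"=dword:([0-9a-fA-F]{8})$')
NEEDED = {"InstallTimeHigh", "InstallTimeLow"}

# Constructed sample in .reg export syntax. The first key uses the values from
# this page (30971683 = 0x01d89723, 2864280153 = 0xaab97259) and keeps the key
# name truncated as the page shows it; the second key is made up.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_8_for_KB4033393~...]
"InstallTimeHigh"=dword:01d89723
"InstallTimeLow"=dword:aab97259

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_constructed_without_times]
"SelfUpdate"=dword:00000001
'''

def filetime_to_utc(high, low):
    """Timestamp = InstallTimeHigh * 2^32 + InstallTimeLow, as an aware UTC datetime."""
    if not (0 <= high < 2**32 and 0 <= low < 2**32):
        raise ValueError("each half must be an unsigned 32-bit value")
    ticks = high * 2**32 + low  # assumed FILETIME: 100 ns units since 1601-01-01 UTC
    # Integer arithmetic only: a float cannot hold an 18-digit tick count exactly.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def package_install_times(reg_text):
    """Map each package key name to its install time (UTC), or None if a half is missing."""
    raw, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = raw.setdefault(m.group(1).rsplit("\\", 1)[-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = int(m.group(2), 16)
    return {name: filetime_to_utc(v["InstallTimeHigh"], v["InstallTimeLow"])
            if NEEDED <= v.keys() else None
            for name, v in raw.items()}

if __name__ == "__main__":
    for name, installed in package_install_times(SAMPLE_EXPORT).items():
        print(name, installed.isoformat() if installed else "no install time recorded")
```

For the values on this page the result is 2022-07-14 01:47:25 UTC, the same as the key's last write timestamp quoted above.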
