Security Patch/KB Install Date

How to determine installation time of a specific security patch/update/KB package based on registry key values.

There may be times when you need to determine when a security update was installed. This is a lot easier if you have access to a live machine to run live queries (see here for PowerShell queries); however, that's not always possible. You may only have a limited logical collection or a triage collection (collected by CyLR, UAC, etc.), or you may be working from a limited backup.

Installed security packages are recorded under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages

Each subkey references a specific package.

Subkeys may contain the following values:

  • SelfUpdate (0 for manual updates, 1 for automatic updates)

  • InstallTimeHigh

  • InstallTimeLow

  • InstallUser (SID of the user who installed the package)

Even though the key "Package_8_for_KB4033393~..." contains a corresponding 'last write timestamp' of 2022-07-14 01:47:25 (UTC), I wanted to validate this against the values within the key itself based on the InstallTimeHigh and InstallTimeLow timestamps.

I found a BigFix article which referenced the following formula used to calculate the corresponding timestamp.

Timestamp = InstallTimeHigh * 2^32 + InstallTimeLow

2 ^ 32 is 4294967296

In the above example, our formula would look like this;

Timestamp = (30971683 * 4294967296) + 2864280153

Timestamp = (133022365587079168) + 2864280153

Timestamp = 133022368451359321

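The result is a Windows FILETIME value (the number of 100-nanosecond intervals since 1601-01-01 UTC), so it can be converted with an LDAP/FILETIME timestamp converter: https://www.epochconverter.com/ldap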

Note: if you mount the SOFTWARE hive on another machine and export the key/value as a text file, the corresponding date/timestamp will be adjusted for the host machine's local time.
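The calculation above can be scripted for offline work. This is an added example, not code from the original page or the BigFix article: it reads the two dwords from a constructed .reg-style fragment (the page's decimal values written in hex) and converts the combined value straight to UTC. The function names and the sample text are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DWORD_RE = re.compile(r'^"(InstallTime(?:High|Low))"=dword:([0-9a-fA-F]{8})$')

# Constructed .reg-style export fragment. The two dwords are the page's
# decimal values (30971683 and 2864280153) written in hex; the key name
# is left truncated exactly as the page shows it.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_8_for_KB4033393~...]
"InstallTimeHigh"=dword:01d89723
"InstallTimeLow"=dword:aab97259
'''

def combine(high, low):
    """InstallTimeHigh * 2^32 + InstallTimeLow, rejecting non-32-bit input."""
    for name, value in (("high", high), ("low", low)):
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"{name} is not an unsigned 32-bit value: {value}")
    return (high << 32) | low

def filetime_to_utc(filetime):
    """Convert 100-ns ticks since 1601-01-01 to an aware UTC datetime."""
    # Integer maths avoids float rounding; the final 100-ns digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def install_time_from_export(text):
    """Return (filetime, utc_datetime), or None if either value is missing."""
    found = {}
    for line in text.splitlines():
        match = DWORD_RE.match(line.strip())
        if match:
            found[match.group(1)] = int(match.group(2), 16)
    if len(found) < 2:
        return None  # package key without both install-time values
    filetime = combine(found["InstallTimeHigh"], found["InstallTimeLow"])
    return filetime, filetime_to_utc(filetime)

if __name__ == "__main__":
    ft, when = install_time_from_export(SAMPLE_EXPORT)
    print(ft, when.isoformat())
```

Because the conversion is done from the raw dwords, the result is UTC regardless of the time zone of the analysis machine.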
