How to determine installation time of a specific security patch/update/KB package based on registry key values.
There may be times when you need to determine when a security update was installed. This is a lot easier if you have access to a live machine to run queries against (see here for PowerShell queries); however, that's not always possible. You may only have a limited logical collection or a triage collection (collected by CyLR, UAC, etc.), or be working from a limited backup.
Installed security packages are recorded under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
Each subkey references a specific package.
Keys may contain the following values:
SelfUpdate (0 for manual updates, 1 for automatic updates)
InstallUser (SID of the user who installed the package)
Even though the key "Package_8_for_KB4033393~..." contains a corresponding 'last write timestamp' of 2022-07-14 01:47:25 (UTC), I wanted to validate this against the values within the key itself based on the InstallTimeHigh and InstallTimeLow timestamps.
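An added example (not from the original post, and not the BigFix formula): it treats InstallTimeHigh and InstallTimeLow as the upper and lower 32 bits of a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) and compares the decoded time with a key's last-write timestamp. The .reg-style text, the Package_EXAMPLE_* key names and the DWORD values are constructed for illustration; the values were chosen to decode to the last-write time quoted above and are not taken from the author's hive.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DWORD_RE = re.compile(r'^"(InstallTime(?:High|Low))"=dword:([0-9a-fA-F]{8})$')

# Constructed .reg-style text; key names and DWORD values are placeholders,
# not data from the author's hive.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_EXAMPLE_A]
"InstallTimeHigh"=dword:01d89723
"InstallTimeLow"=dword:aaa4b480

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_EXAMPLE_B]
"SelfUpdate"=dword:00000001
'''

def filetime_to_utc(high, low):
    """Join the two DWORDs into a 64-bit FILETIME and convert it to UTC."""
    ticks = ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)
    if ticks == 0:          # unset value, no install time recorded
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_install_times(reg_text):
    """Return {package key name: UTC install time, or None if values are absent}."""
    packages, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = packages.setdefault(line[1:-1].rsplit("\\", 1)[-1], {})
        elif current is not None:
            m = DWORD_RE.match(line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return {
        name: filetime_to_utc(v["InstallTimeHigh"], v["InstallTimeLow"])
        if {"InstallTimeHigh", "InstallTimeLow"} <= v.keys() else None
        for name, v in packages.items()
    }

def drift_seconds(install_time, last_write):
    """Seconds by which the key's last-write time trails the decoded install time."""
    return (last_write - install_time).total_seconds()

if __name__ == "__main__":
    last_write = datetime(2022, 7, 14, 1, 47, 25, tzinfo=timezone.utc)
    for name, when in parse_install_times(SAMPLE_REG).items():
        drift = None if when is None else drift_seconds(when, last_write)
        print(name, when, drift)
```

A package key without both values yields None rather than a 1601 date, which keeps unset entries from being read as very old installs.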
I found a BigFix article which referenced the following formula used to calculate the corresponding timestamp.