WannaCry? More like wanna pull your hair out from all the confusing information out there? Yeah. We hear you. With the recent news about the WannaCry/WannaCrypt ransomware, people are scrambling to find out if their machines are patched and protected.
Worry not, this blog will show you how to find out if you’re protected or not. Additionally, if you use PDQ Deploy and PDQ Inventory, we have pre-built packages and collections to keep all your machines safe and protected.
PDQ Inventory – We now have a collection in our Collection Library for determining which machines are vulnerable to WannaCry.
We even detail how to create your own collection if you don’t use the Collection Library (Link here).
PDQ Deploy – We have packages in our Package Library for the cumulative/rollup updates for Windows 7, 8.1, and Windows 10.
PDQ Deploy – As a bonus, we’ve recently released a package with the out-of-band patches for Windows XP, Windows 8, and Server 2003.
As Professor Farnsworth would say, “good news, everybody!”
The good news is the vulnerability WannaCry exploits was actually fixed back in March of this year. There was a patch released to fix some Windows Server SMB security issues (info link here).
Plus, Microsoft has recently been doing cumulative updates to push out patches to Windows machines. Because they are cumulative, you don’t need the previous cumulative updates installed in order to be up to date.
In other words, if you regularly patch your machines with the latest Windows patches, you are protected against the current ransomware known as WannaCry/WannaCrypt. Thank goodness!
How can you be sure your machines are patched?
How do you look for installed updates?
Most of the time, it’s easiest just to open the Programs and Features window and look for installed updates.
Additionally, you can look at some other locations to verify whether or not a patch has been installed.
Get-Hotfix (a PowerShell cmdlet)
Win32_QuickFixEngineering (a WMI class being shown via PowerShell)
PDQ Inventory (which scans for hot fixes for Windows as well as other Microsoft products)
Using these methods should enable you to search for any installed and active hot fix.
Do you remember that time (2 seconds ago) when I mentioned you could search for any installed hot fix using the aforementioned methods?
Yeah, so there’s actually a little (big) gotcha that people can encounter when dealing with cumulative updates. Cumulative updates get superseded by other updates, and that means they won’t show up in the normal spots that we check.
For example, on my machine, I am running Windows 10 1703 (Creators Update).
You can see that I have installed two cumulative updates:
KB4016871 (the most recent)
KB4016240 (the older)
Yet, if I use one of those previous methods to look for hot fixes, I will not see both of the cumulative updates. I will only see the most recent cumulative update since that update supersedes the previous cumulative update.
So, to summarize, if you’re using PDQ Inventory (for example), the older cumulative update will not show up since it’s been superseded by the newest one.
You can even verify this on the Microsoft Windows Update Catalog. It shows that the older cumulative update was replaced by the newer cumulative update.
Now that we know we may or may not have older cumulative updates installed, how do we find out if they’ve ever been installed?
We use the Windows Update Agent COM Object, that’s how! (If you’re interested in more information, look here)
We’re going to use the Windows Update Agent API to query the update history to see if it’s ever been installed.
To search through the Windows Update history, do the following:
Create the Windows Update Agent COM Object.
Use the Windows Update Agent to create an Update Searcher.
Query the update history.
Use the Update Searcher to search for the updates.
For Windows 10, it will look something like this:
For Windows 7 and Windows 8.1, you could use something like this.
Since my machine is a Windows 10 machine, I’ll run the Windows 10 code.
This will show you which cumulative updates have been installed, when they were installed, and if there were any failed installation attempts.
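The four steps above, as an added PowerShell example (this is not the original post's code, which is not reproduced on this page). The function name Get-UpdateHistoryByKb is hypothetical, and the default KB list is just the two KB numbers this post mentions for Windows 10 1703; substitute the KBs that apply to your OS. The last column shows whether Get-HotFix also lists the KB, which makes the superseded-update gotcha visible.

```powershell
# Added example: search the Windows Update history for specific KBs,
# including cumulative updates that have since been superseded.
function Get-UpdateHistoryByKb {
    param(
        # Assumption: the two KBs named in this post; replace for your OS.
        [string[]]$KbIds = @('KB4016871', 'KB4016240')
    )

    # 1. Create the Windows Update Agent COM object.
    $session = New-Object -ComObject 'Microsoft.Update.Session'
    # 2. Use the Windows Update Agent to create an Update Searcher.
    $searcher = $session.CreateUpdateSearcher()

    # 3. Query the update history (every entry the agent has recorded).
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }          # nothing recorded, nothing to search
    $history = $searcher.QueryHistory(0, $total)

    # Readable names for the numeric Operation and ResultCode values.
    $operations = @{ 1 = 'Installation'; 2 = 'Uninstallation' }
    $results    = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                     3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

    # What the "normal spots" report, for comparison.
    $hotfixIds = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

    # 4. Search the history entries for the KBs of interest.
    $pattern = ($KbIds | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $history | Where-Object { $_.Title -match $pattern } | ForEach-Object {
        $kb = [regex]::Match($_.Title, $pattern, 'IgnoreCase').Value
        [pscustomobject]@{
            Date              = $_.Date
            KB                = $kb
            Operation         = $operations[[int]$_.Operation]
            Result            = $results[[int]$_.ResultCode]
            ListedByGetHotFix = $hotfixIds -contains $kb
        }
    } | Sort-Object Date
}

Get-UpdateHistoryByKb | Format-Table -AutoSize
```

A KB that shows Result "Succeeded" here but ListedByGetHotFix "False" is the superseded case described above; repeated rows for the same KB with Result "Failed" are the failed installation attempts.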
By using PDQ Deploy and PDQ Inventory, you can easily identify any vulnerable computers and get them patched with the latest updates (including the cumulative updates).
To sum up what we’ve done:
We made multiple collections in the Collection Library for determining machines with the recent WannaCrypt vulnerability.
If you don’t use the Collection Library, here are instructions on how to create your own collection (Link here).
We have packages in the Package Library for the cumulative/rollup updates for Windows 7, 8.1, and Windows 10.
We also have the March security-only updates for Windows 7 and 8.1 (we personally recommend the cumulative updates, though).
As a bonus, we’ve recently released a package with the
This was a brief look at how all the update information is connected and how to find it.
You can (and should) protect your machines by keeping them up to date.
Most important of all, WannaCry/WannaCrypt is not something to dismiss.