$ProgressPreference = 'SilentlyContinue';$Session=New-Object -ComObject 'Microsoft.Update.Session';$Searcher=$Session.CreateUpdateSearcher();$FormatEnumerationLimit=-1;$historyCount=$Searcher.GetTotalHistoryCount(); if ($historyCount -gt 0) {$xx=$($Searcher.QueryHistory(0, $historyCount)|Select-Object Title, Date, Operation, Resultcode|Where-Object {$_.Operation -like 1 -and $_.Resultcode -match '[123]'}| Select-object Title); } else {$xx=$(Get-Hotfix|Where-object {$_.hotfixid -match 'KB\d{6,7}'}| Select-object Hotfixid)}; If ($xx -eq $null) {'WARNING - No updates returned'} else {$xx = $xx|Where-Object {$_ -match 'KB(401221[2-8]|4012598|4012606|4013198|4013429|4015217|4015438|401554[69]|401555[02]|4016635|4019215|401926[34]|4019472)' -or ( $_ -match '^((2017-0[3-9]|2017-1[0-2]|2018-[0-9-){7}|(Ma|A|Ju|[SOND][^ ]+ber).* 2017 |[a-z]{3,10} 201[89] )' -and $_ -match '(Security .*Rollup|Cumulative Update) for Windows')}; If ($xx -eq $null) {'Vulnerable'} else {'Secured - Detected Updates: ' + ($xx | Select-String 'KB\d{6,7}' -AllMatches | ForEach-Object {$_.matches} | ForEach-Object {$_.Value} ) -join ','}}

@gnubyte gnubyte commented May 15, 2017

Thank you for posting this!

@aaronmedora aaronmedora commented May 15, 2017

Formatted version below. I added $match1, $match2, and $match3 for readability.

$ProgressPreference = 'SilentlyContinue';

$Session = New-Object -ComObject 'Microsoft.Update.Session';
$Searcher = $Session.CreateUpdateSearcher();
$FormatEnumerationLimit = -1;
$historyCount = $Searcher.GetTotalHistoryCount();
if ($historyCount -gt 0) {
    $xx = $($Searcher.QueryHistory(0, $historyCount) |
    Select-Object Title, Date, Operation, Resultcode |
    Where-Object {
        $_.Operation -like 1 -and $_.Resultcode -match '[123]'
    } | Select-object Title);
}
else {
    $xx = $(Get-Hotfix |
    Where-object {
        $_.hotfixid -match 'KB\d{6,7}'
    } | Select-object Hotfixid)
};
if ($xx -eq $null) {
    'WARNING - No updates returned'
}
else {
    $match1 = 'KB(401221[2-8]|4012598|4012606|4013198|4013429|4015217|4015438|401554[69]|401555[02]|4016635|4019215|401926[34]|4019472)';
    $match2 = '^((2017-0[3-9]|2017-1[0-2]|2018-[0-9-){7}|(Ma|A|Ju|[SOND][^ ]+ber).* 2017 |[a-z]{3,10} 201[89] )';
    $match3 = '(Security .*Rollup|Cumulative Update) for Windows';
    $xx = $xx |
    Where-Object {
        $_ -match $match1 -or ( $_ -match $match2 -and $_  -match $match3)
    };
    if ($xx -eq $null) {
        'Vulnerable'
    }
    else {
        'Secured - Detected Updates: ' + ($xx | Select-String 'KB\d{6,7}' -AllMatches | ForEach-Object {
            $_.matches
        } |
        ForEach-Object {
            $_.Value
        } ) -join ','
    }
}
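
An added example, not part of the gist or of the comment above: it runs the `$match1` and `$match3` patterns from the formatted script over constructed update titles to show what `-match` actually tests when it is handed the objects produced by `Select-Object Title`. The helper `Test-TitleMatch`, the sample titles and the simplified anchored pattern `$anchored` are assumptions made for illustration.

```powershell
# Added illustration. The titles are constructed samples, not real update history.
$titles = @(
    'Security Update for Windows XP (KB4012598)',
    '2017-05 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4019264)',
    'Definition Update for Windows Defender (KB2267602)'
)

# Patterns copied from the formatted script above.
$match1 = 'KB(401221[2-8]|4012598|4012606|4013198|4013429|4015217|4015438|401554[69]|401555[02]|4016635|4019215|401926[34]|4019472)'
$match3 = '(Security .*Rollup|Cumulative Update) for Windows'

# Assumption: a simplified start-anchored pattern standing in for any pattern that begins with '^'.
$anchored = '^(Security|\d{4}-\d{2}) '

# Hypothetical helper: reports how one history entry matches as an object and as a plain string.
function Test-TitleMatch {
    param([string]$Title)

    # Same shape the script builds with "Select-Object Title": an object with one property.
    $entry = New-Object PSObject -Property @{ Title = $Title } | Select-Object Title

    New-Object PSObject -Property @{
        TextSeenByMatch  = "$entry"                       # -match converts the object to this string
        KbListOnObject   = ($entry -match $match1)        # unanchored, so the wrapper text is harmless
        RollupOnObject   = ($entry -match $match3)        # unanchored as well
        AnchoredOnObject = ($entry -match $anchored)      # '^' is tested against '@{Title=...'
        AnchoredOnString = ($entry.Title -match $anchored)
    } | Select-Object TextSeenByMatch, KbListOnObject, RollupOnObject, AnchoredOnObject, AnchoredOnString
}

$titles | ForEach-Object { Test-TitleMatch $_ } | Format-List
```

For the first two titles `AnchoredOnObject` is False and `AnchoredOnString` is True, because the object is converted to text beginning with `@{Title=`. Matching on the expanded `Title` string (for example via `Select-Object -ExpandProperty Title`) is what lets a `^`-anchored pattern apply to the title itself.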

@jundis jundis commented May 15, 2017

Script for LT using EDF titled MS17-010 under computers

<LabTech_Expansion Version="110.360" Name="LabTech Script Expansion" Type="PackedScript"> <PackedScript> <NewDataSet> <Table> <ScriptId>6039</ScriptId> <FolderId>12</FolderId> <ScriptName>Wcry Vulnerability Checker</ScriptName> <ScriptNotes>Powershell by gavsto, script by jundis</ScriptNotes> <Permission>0,</Permission> <EditPermission>0,</EditPermission> <ComputerScript>1</ComputerScript> <LocationScript>0</LocationScript> <MaintenanceScript>0</MaintenanceScript> <FunctionScript>0</FunctionScript> <LicenseData> <Type>1</Type> <RunCounter>0</RunCounter> <ExpireDate>Monday, May 15, 2017 3:02:46 PM</ExpireDate> <ScriptVersion>0</ScriptVersion> <ScriptGuid>dcc832ac-397f-11e7-89ce-000c2983d155</ScriptGuid> </LicenseData> <ScriptData> <Scripts> <ExtraDataFields /> <Parameters /> <Globals /> <ScriptVersion>1</ScriptVersion> <ScriptGuid>dcc832ac-397f-11e7-89ce-000c2983d155</ScriptGuid> </Scripts> <ScriptSteps> <Action>1</Action> <FunctionId>1</FunctionId> <Param1 /> <Param2 /> <Param3 /> <Param4 /> <Param5 /> <Sort>0</Sort> <Continue>0</Continue> <OsLimit>0</OsLimit> <Indentation>0</Indentation> </ScriptSteps> <ScriptSteps> <Action>2</Action> <FunctionId>135</FunctionId> <Param1>$ProgressPreference = 'SilentlyContinue';$Session=New-Object -ComObject 'Microsoft.Update.Session';$Searcher=$Session.CreateUpdateSearcher();$FormatEnumerationLimit=-1;$historyCount=$Searcher.GetTotalHistoryCount(); if ($historyCount -gt 0) {$xx=$($Searcher.QueryHistory(0, $historyCount)|Select-Object Title, Date, Operation, Resultcode|Where-Object {$_.Operation -like 1 -and $_.Resultcode -match '[123]'}| Select-object Title); } else {$xx=$(Get-Hotfix|Where-object {$_.hotfixid -match 'KB\d{6,7}'}| Select-object Hotfixid)}; If ($xx -eq $null) {'WARNING - No updates returned'} else {$xx = $xx|Where-Object {$_ -match 'KB(401221[2-8]|4012598|4012606|4013198|4013429|4015217|4015438|401554[69]|401555[02]|4016635|4019215|401926[34]|4019472)' -or ( $_ -match 
'^((2017-0[3-9]|2017-1[0-2]|2018-[0-9-){7}|(Ma|A|Ju|[SOND][^ ]+ber).* 2017 |[a-z]{3,10} 201[89] )' -and $_ -match '(Security .*Rollup|Cumulative Update) for Windows')}; If ($xx -eq $null) {'Vulnerable'} else {'Secured - Detected Updates: ' + ($xx | Select-String 'KB\d{6,7}' -AllMatches | ForEach-Object {$_.matches} | ForEach-Object {$_.Value} ) -join ','}}</Param1> <Param2 /> <Param3 /> <Param4 /> <Param5 /> <Sort>0</Sort> <Continue>0</Continue> <OsLimit>0</OsLimit> <Indentation>0</Indentation> </ScriptSteps> <ScriptSteps> <Action>2</Action> <FunctionId>70</FunctionId> <Param1>powershellresult</Param1> <Param2>8</Param2> <Param3>Secured</Param3> <Param4>:Good</Param4> <Param5 /> <Sort>1</Sort> <Continue>0</Continue> <OsLimit>0</OsLimit> <Indentation>0</Indentation> </ScriptSteps> <ScriptSteps> <Action>2</Action> <FunctionId>70</FunctionId> <Param1>powershellresult</Param1> <Param2>8</Param2> <Param3>Vulnerable</Param3> <Param4>:Bad</Param4> <Param5 /> <Sort>2</Sort> <Continue>0</Continue> <OsLimit>0</OsLimit> <Indentation>0</Indentation> </ScriptSteps> <ScriptSteps> <Action>2</Action> <FunctionId>80</FunctionId> <Param1>f4d427cd-e427-4749-85ed-2392c120f8d3</Param1> <Param2>@computerid@</Param2> <Param3>Unknown</Param3> <Param4 /> <Param5 /> <Sort>3</Sort> <Continue>0</Continue> <OsLimit>0</OsLimit> <Indentation>0</Indentation> </ScriptSteps> <ScriptSteps> <Action>2</Action> <FunctionId>129</FunctionId> <Param1>0</Param1> <Param2 /> <Param3 /> <Param4 /> <Param5 /> <Sort>4</Sort> <Continue>0</Continue> <OsLimit>0</OsLimit> <Indentation>0</Indentation> </ScriptSteps> <ScriptSteps> <Action>2</Action> <FunctionId>139</FunctionId> <Param1>:Good</Param1> <Param2 /> <Param3 /> <Param4 /> <Param5 /> <Sort>5</Sort> <Continue>0</Continue> <OsLimit>0</OsLimit> <Indentation>0</Indentation> </ScriptSteps> <ScriptSteps> <Action>2</Action> <FunctionId>80</FunctionId> <Param1>f4d427cd-e427-4749-85ed-2392c120f8d3</Param1> <Param2>@computerid@</Param2> <Param3>Secure</Param3> 
<Param4 /> <Param5 /> <Sort>6</Sort> <Continue>0</Continue> <OsLimit>0</OsLimit> <Indentation>0</Indentation> </ScriptSteps> <ScriptSteps> <Action>2</Action> <FunctionId>129</FunctionId> <Param1>0</Param1> <Param2 /> <Param3 /> <Param4 /> <Param5 /> <Sort>7</Sort> <Continue>0</Continue> <OsLimit>0</OsLimit> <Indentation>0</Indentation> </ScriptSteps> <ScriptSteps> <Action>2</Action> <FunctionId>139</FunctionId> <Param1>:Bad</Param1> <Param2 /> <Param3 /> <Param4 /> <Param5 /> <Sort>8</Sort> <Continue>0</Continue> <OsLimit>0</OsLimit> <Indentation>0</Indentation> </ScriptSteps> <ScriptSteps> <Action>2</Action> <FunctionId>80</FunctionId> <Param1>f4d427cd-e427-4749-85ed-2392c120f8d3</Param1> <Param2>@computerid@</Param2> <Param3>Vulnerable</Param3> <Param4 /> <Param5 /> <Sort>9</Sort> <Continue>0</Continue> <OsLimit>0</OsLimit> <Indentation>0</Indentation> </ScriptSteps> <ScriptSteps> <Action>2</Action> <FunctionId>129</FunctionId> <Param1>0</Param1> <Param2 /> <Param3 /> <Param4 /> <Param5 /> <Sort>10</Sort> <Continue>0</Continue> <OsLimit>0</OsLimit> <Indentation>0</Indentation> </ScriptSteps> </ScriptData> <ScriptVersion>1</ScriptVersion><ScriptGuid>dcc832ac-397f-11e7-89ce-000c2983d155</ScriptGuid><ScriptFlags>0</ScriptFlags><Parameters></Parameters></Table> </NewDataSet> <ExtraDataField> <NewDataSet> <Table> <ID>548</ID> <Form>1</Form> <Name>MS17-010</Name> <Sort>0</Sort> <NoBreak>0</NoBreak> <FType>0</FType> <Section>CryptoPrevent</Section> <UnEditable>0</UnEditable> <Collapsed>0</Collapsed> <Fill>Is the machine vulnerable to Wannacry</Fill> <LtGuid>f4d427cd-e427-4749-85ed-2392c120f8d3</LtGuid> <IsPassword>false</IsPassword> <IsEncrypted>false</IsEncrypted> <IsHidden>false</IsHidden> <IsRestricted>false</IsRestricted> <ViewPermissions> </ViewPermissions> <EditPermissions> </EditPermissions> </Table> </NewDataSet> </ExtraDataField> <ScriptFolder> <NewDataSet> <Table> <FolderID>12</FolderID> <ParentID>0</ParentID> <Name>Antivirus</Name> 
<GUID>8261b97d-eb72-4d61-8a76-827c805f4d29</GUID> </Table> </NewDataSet> </ScriptFolder> </PackedScript> </LabTech_Expansion>

@jplusc jplusc commented May 15, 2017

Thank you for this. Works great on most of my machines, but unfortunately, I can't seem to get it to work on XP-sp3. Thankfully I only have about a 1/2 dozen XP machines left to maintain, so it doesn't matter much -- but should this work on XP?

The script always says "Vulnerable" even when I can manually verify that KB4012598 was installed.

Has anyone else tested on XP?

Thanks

(Oops, sorry that screenshot got clipped, just wanted to show XP is running PS 2.0, which I believe is the latest.)

@rogueslerv21 rogueslerv21 commented May 15, 2017

Is there a way to run this detection across an entire domain forest?

@tech-zombie tech-zombie commented May 15, 2017

@rogueslerv21
Not mine, but I have been using this for my domains today:
https://github.com/kieranwalsh/PowerShell/tree/master/Get-WannaCryPatchState

Probably worth clearing out stale computer objects first, though, as it runs sequentially.

@tonypags tonypags commented May 15, 2017

You can also add the 'enabled' boolean to filter out the disabled objects.

$WindowsComputers = (Get-ADComputer -Filter { (OperatingSystem -Like 'Windows*') -and (OperatingSystem -notlike '*Windows 10*') }|where {$_.enabled}).Name| Sort-Object

@bodysoda bodysoda commented May 17, 2017

Would it be possible to print the missing KB when this script finds the system vulnerable?

@randaladams randaladams commented May 17, 2017

Can I specify a domain container instead of it running on the entire forest?

@SnootsMagoots SnootsMagoots commented May 18, 2017

Is this script correct? I ran it on a fully updated Windows 10 install and it said it was vulnerable. There were no more updates to install via Windows Update.
