Hot Fixes Scan Doesn't Show Installed Hotfixes After Microsoft KB3004394 Was Installed
I am using PDQ Inventory 4 Enterprise to scan to see how many of our computers have the Microsoft Update KB3004394 and KB3024777 installed. When I scan a computer that has both, which they should but we want to make sure, I can only see Microsoft Updates installed up through the day the KB3004394 was installed and nothing after that, including not seeing the KB3004394 install. On the same computer there are four updates installed after the KB3004394 update was installed. There has been a lot of press about this update, KB3004394, breaking things and I am curious if it may have messed with the way PDQ Inventory is scanning for the Security Hot Fixes and more importantly the things I really need to know... Am I doing something wrong by just running the Standard scan or the Hot Fixes scan to see whether these updates are installed?
I accidentally submitted this as a request yesterday, sorry. The request # is 30270.
Thanks,
Bob Turner
Technical Support
SNYDER & ASSOCIATES, INC.
2727 SW Snyder Blvd. | Ankeny, IA 50023
P: 515.964.2020 ext. 2574 | F: 515.964.7938
C: 515.238.7748
bturner@snyder-associates.com
Comments
Bob,
Our QA Engineer Kris did some digging on this and just emailed me this information which makes perfect sense as to why you're getting the results you're seeing.
His email:
We investigated this as best as we could. Unfortunately, we didn't have any machines with the original bad hotfix (KB3004394) installed.
Microsoft has already removed their direct download links to the hotfix for Win7/2008R2. As it turns out, KB3004394 only has issues on Windows 7 SP1 and Windows Server 2008 R2 SP1.
Since we didn't have the ability to test this issue directly, we attempted to look more deeply into what the new fix (KB3024777) was doing that might cause any issues with other hotfixes.
Here's what we found:
The KB3024777 is a wrapper for the following command:
dism.exe /online /remove-package /packagename:Package_for_KB3004394~31bf3856ad364e35~x86~~6.1.1.0 /quiet /norestart
That means that KB3024777 isn't actually installing a hotfix. It's not installing anything at all.
We believe that this is why it is not showing up in the list of installed hotfixes. It's only calling an uninstaller to uninstall KB3004394 via dism (info link). This explains why both of them are showing up in the install history but not showing up as installed hotfixes.
If you're interested in seeing this in action yourself, you're welcome to duplicate our steps. We utilized the Sysinternals Process Monitor (link) to trace the process as it was created when we ran the KB3024777 exe file.
Just a heads-up, though, if you've never used a process monitor before. It's like trying to drink from a fire hose.
Here's what to look for inside Process Monitor:
Process name: <name of the kb's .exe> (in our case, that was KB302477-x86.exe)
Operation: Process Create
If you add these as a filter, you should be able to find the same information pretty quickly.
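Since KB3024777 only removes the KB3004394 package and never registers as a hotfix itself, the servicing state of that package is the thing to check on each machine. The sketch below is an added example, not part of the original thread or of PDQ Inventory: the function name `Get-KbPackageState` is hypothetical, the sample text is constructed, and it assumes the `Package Identity : ...` / `State : ...` list layout that `dism.exe /online /get-packages` prints.

```powershell
# Added example: report the component-store state of a KB package from DISM output.
# Get-KbPackageState is a hypothetical helper name, not a built-in cmdlet.
function Get-KbPackageState {
    param(
        [string]   $KbId,        # e.g. 'KB3004394'
        [string[]] $DismOutput   # lines from: dism.exe /online /get-packages
    )
    $identity = $null
    foreach ($line in $DismOutput) {
        if ($line -match '^\s*Package Identity\s*:\s*(.+?)\s*$') {
            $identity = $Matches[1]
        }
        elseif ($identity -and $line -match '^\s*State\s*:\s*(.+?)\s*$') {
            $state = $Matches[1]
            # Match on the KB id only, so x86 and amd64 package names both hit.
            if ($identity -like "*_for_$KbId~*") {
                [pscustomobject]@{ Kb = $KbId; Package = $identity; State = $state }
            }
            $identity = $null
        }
    }
}

# Constructed sample output (not captured from a real machine).
$sample = @'
Package Identity : Package_for_KB0000001~31bf3856ad364e35~x86~~6.1.1.0
State : Installed
Release Type : Update
Install Time : 12/9/2014 8:02 PM

Package Identity : Package_for_KB3004394~31bf3856ad364e35~x86~~6.1.1.0
State : Uninstall Pending
Release Type : Update
Install Time : 12/10/2014 3:12 PM
'@ -split '\r?\n'

$hit = Get-KbPackageState -KbId 'KB3004394' -DismOutput $sample
if ($hit) { "KB3004394 package present, state: $($hit.State)" }
else      { 'KB3004394 package not in the component store (removed or never installed)' }

# On a live machine, from an elevated prompt, feed real output instead:
#   Get-KbPackageState -KbId 'KB3004394' -DismOutput (dism.exe /online /get-packages)
```

A state of `Uninstall Pending` means the removal has been queued but the machine still needs a restart; no match at all means the package is gone or was never installed.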