CVEs fixed in a KB

Question

Hi,

I want to get a list of CVEs fixed in a KB that is installed on a machine.

There are two things:

1. Getting the list of KBs installed in a machine. For this I found two commands. Get-WUHistory and Get-Hotfix. But both of them give different size of list. Why is there difference . And in Get-
   Hotfix command output I want to get the Title of the KB installed also. How can I get that?
2. Get the CVEs fixed in a KB. Here I found 2 websites https://www.catalog.update.microsoft.com/ and https://msrc.microsoft.com/update-guide/update-guide . I search for a KB on https://www.catalog.update.microsoft.com/ , here what is the meaning of Last updated column and what is updated in a KB? and in second website https://msrc.microsoft.com/update-guide/update-guide is there any API to get the list of CVEs fixed in a KB based on KB and date.

Answer 1

Hello there,

There are several sources of information about installed software updates. All of them store slightly different data and hence different results for both commands.

Get-Hotfix commandlet leverages the Win32_QuickFixEngineering WMI class to list Windows Updates, but only returns updates supplied by Component Based Servicing (CBS). Updates supplied by the Microsoft Windows Installer (MSI) or the Windows update site are not returned by Get-Hotfix/Win32_QuickFixEngineering.

Windows: How to List All of the Windows and Software Updates Applied to a Computer https://social.technet.microsoft.com/wiki/contents/articles/4197.windows-how-to-list-all-of-the-windows-and-software-updates-applied-to-a-computer.aspx

------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer–

Answer 2

Hi,

And what updates are returned by Get-WUHistory command? I see that only one update from this commands output is in list provided by Get-Hotfix command. I am still confused here that which command to use to get the list of KBs installed in the machine. And why both the lists are different?

Answer 3

Hi.
Get-Hotfix command returns only updates provided by component-based services (CBS), while Get-WUHistory command returns all updates, so get-hotfix is different from the updates returned by Get-WUHistory.
On your computer, Settings > Updates and Security > Windows Update are all the patches you have installed, which you can use to compare whether the updates returned by the Get-WUHistory command are the same.

Hope the information is helpful.

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 4

Hi.
Get-Hotfix command returns only updates provided by component-based services (CBS), while Get-WUHistory command returns all updates, so get-hotfix is different from the updates returned by Get-WUHistory.
On your computer, Settings > Updates and Security > Windows Update are all the patches you have installed, which you can use to compare whether the updates returned by the Get-WUHistory command are the same.

Hope the information is helpful.

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 5

Hi,

I checked the windows updates as you suggested. It has only one update and that update is in the output of both the commands i.e. Get-Hotfix and Get-WUHistory. But both the commands also contains many other updates. Get-WUHistory command contains other updates as well.

Regards,
Vanshika