
‎06-29-2017 09:51 AM
We can use Lansweeper to check if MS17-010 was correctly installed on a Windows system. Follow these steps:
- First, add a custom file scan to Lansweeper; the file to check is '%windir%\system32\drivers\srv.sys', following the idea you can find here: How to verify that MS17-010 is installed
- Create a report to check whether MS17-010 has a problem or not; it has to check the operating system version and, consequently, the srv.sys file version
Feel free to correct it or suggest improvements.
Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblOperatingsystem.Caption As SO,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case
When (tblOperatingsystem.Caption = 'Microsoft Windows 7 Professional' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.1.7601.23689', '.', ''))) Then 'OK'
When (tblOperatingsystem.Caption Like 'Microsoft Windows Server 2012 R2%' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.3.9600.18604', '.', ''))) Then 'OK'
When (tblOperatingsystem.Caption Like 'Microsoft(R) Windows(R) Server 2003%' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('5.2.3790.6021', '.', ''))) Then 'OK'
When (tblOperatingsystem.Caption = 'Microsoft Windows Server 2008 R2 Standard' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.1.7601.23689', '.', ''))) Then 'OK'
Else 'ERR' End As [MS17-010],
TsysLastscan.Lasttime As LastFileScan,
Case SubQuery1.Found When 1 Then 'Yes' Else 'No' End As FileFound,
SubQuery1.FileVersion,
SubQuery1.CompanyName,
SubQuery1.LastModified,
SubQuery1.Lastchanged,
Case
When TsysLastscan.Lasttime < GetDate() - 1 Then 'Last file scan more than 24 hours ago!' End As Comment,
SubQuery1.PatchSearched
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Left Join (Select Top 1000000 tblFileVersions.AssetID,
tblFileVersions.FilePathfull As PatchSearched,
tblFileVersions.Found,
tblFileVersions.FileVersion,
tblFileVersions.CompanyName,
tblFileVersions.Filesize,
tblFileVersions.Lastchanged,
tblFileVersions.CreationDate,
tblFileVersions.LastAccessed,
tblFileVersions.LastModified
From tblFileVersions
Where tblFileVersions.FilePathfull Like '%srv.sys') SubQuery1
On SubQuery1.AssetID = tblAssets.AssetID
Inner Join tblOperatingsystem
On tblAssets.AssetID = tblOperatingsystem.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'files'
Order By tblAssets.Domain,
tblAssets.AssetName
4 REPLIES

‎07-05-2017 03:35 PM
You are right! I added a new option in the "case/when" condition to check whether the file "SRV.SYS" exists or not.
Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblOperatingsystem.Caption As SO,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case
When (SubQuery1.Found!=1) Then 'NO SRV.SYS'
When (tblOperatingsystem.Caption = 'Microsoft Windows 7 Professional' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.1.7601.23689', '.',''))) Then 'OK'
When (tblOperatingsystem.Caption Like 'Microsoft Windows Server 2012 R2%' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.3.9600.18604','.', ''))) Then 'OK'
When (tblOperatingsystem.Caption Like 'Microsoft(R) Windows(R) Server 2003%' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('5.2.3790.6021', '.',''))) Then 'OK'
When (tblOperatingsystem.Caption = 'Microsoft Windows Server 2008 R2 Standard' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.1.7601.23689', '.',''))) Then 'OK' Else 'ERR' End As [MS17-010],
TsysLastscan.Lasttime As LastFileScan,
Case SubQuery1.Found When 1 Then 'Yes' Else 'No' End As FileFound,
SubQuery1.FileVersion,
SubQuery1.CompanyName,
SubQuery1.LastModified,
SubQuery1.Lastchanged,
Case
When TsysLastscan.Lasttime < GetDate() - 1 Then 'Last file scan more than 24 hours ago! Scanned file information may not be up-to-date. Try rescanning this machine.' End As Comment,
SubQuery1.PatchSearched
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Left Join (Select Top 1000000 tblFileVersions.AssetID,
tblFileVersions.FilePathfull As PatchSearched,
tblFileVersions.Found,
tblFileVersions.FileVersion,
tblFileVersions.CompanyName,
tblFileVersions.Filesize,
tblFileVersions.Lastchanged,
tblFileVersions.CreationDate,
tblFileVersions.LastAccessed,
tblFileVersions.LastModified
From tblFileVersions
Where tblFileVersions.FilePathfull Like '%srv.sys') SubQuery1
On SubQuery1.AssetID = tblAssets.AssetID
Inner Join tblOperatingsystem
On tblAssets.AssetID = tblOperatingsystem.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'files'
Order By tblAssets.Domain,
tblAssets.AssetName
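
An added example, not code from any post in this thread or from Lansweeper: both queries above compare versions as dot-stripped strings, which can disagree with a numeric comparison when a field has fewer digits or the version equals the threshold, so this stand-alone T-SQL compares the four fields numerically beside the thread's string test. It assumes SQL Server 2012 or later (Try_Cast), treats the thread's version numbers as minimum patched versions (>=), and uses constructed sample rows and a 'NOT SCANNED' label that are not in the thread.

```sql
-- Added example. Every row in Sample is constructed, not real scan data.
With Sample (AssetName, Caption, Found, FileVersion) As (
  Select * From (Values
    ('PC-A',  'Microsoft Windows 7 Professional', 1, '6.1.7601.23689'),
    ('PC-B',  'Microsoft Windows 7 Professional', 1, '6.1.7601.23689 (constructed_suffix.170307)'),
    ('PC-C',  'Microsoft Windows 7 Professional', 1, '6.1.7601.17514'),
    ('SRV-D', 'Microsoft(R) Windows(R) Server 2003, Standard Edition', 1, '5.2.3790.999'),
    ('SRV-E', 'Microsoft Windows Server 2012 R2 Standard', 0, Null),
    ('SRV-F', 'Microsoft Windows Server 2012 R2 Standard', Null, Null)
  ) v (AssetName, Caption, Found, FileVersion)
),
-- Caption patterns and version numbers exactly as used in the thread's queries.
Baseline (CaptionPattern, MinVersion) As (
  Select * From (Values
    ('Microsoft Windows 7 Professional',          '6.1.7601.23689'),
    ('Microsoft Windows Server 2012 R2%',         '6.3.9600.18604'),
    ('Microsoft(R) Windows(R) Server 2003%',      '5.2.3790.6021'),
    ('Microsoft Windows Server 2008 R2 Standard', '6.1.7601.23689')
  ) b (CaptionPattern, MinVersion)
)
Select s.AssetName, s.Caption, s.FileVersion, b.MinVersion,
  Case
    When s.Found Is Null Then 'NOT SCANNED'      -- no file-scan row at all
    When s.Found <> 1 Then 'NO SRV.SYS'          -- scanned, file absent
    When k.FileKey >= k.MinKey Then 'OK'         -- numeric, field by field
    Else 'ERR'                                   -- older, unparsable, or unlisted OS
  End As [MS17-010],
  -- The thread's test, kept for side-by-side comparison.
  Case When Replace(s.FileVersion, '.', '') > Replace(b.MinVersion, '.', '')
       Then 'OK' Else 'ERR' End As ThreadStringCompare
From Sample s
Left Join Baseline b On s.Caption Like b.CaptionPattern
-- Drop anything after the first space (a build-label suffix, if present).
Cross Apply (Select Left(s.FileVersion,
                         CharIndex(' ', s.FileVersion + ' ') - 1) As V) p
-- Pack the four 16-bit fields into one bigint; Null if any field is missing
-- or non-numeric, which falls through to 'ERR' above.
Cross Apply (Select
  ((Try_Cast(ParseName(p.V, 4) As bigint) * 65536
    + Try_Cast(ParseName(p.V, 3) As bigint)) * 65536
    + Try_Cast(ParseName(p.V, 2) As bigint)) * 65536
    + Try_Cast(ParseName(p.V, 1) As bigint) As FileKey,
  ((Try_Cast(ParseName(b.MinVersion, 4) As bigint) * 65536
    + Try_Cast(ParseName(b.MinVersion, 3) As bigint)) * 65536
    + Try_Cast(ParseName(b.MinVersion, 2) As bigint)) * 65536
    + Try_Cast(ParseName(b.MinVersion, 1) As bigint) As MinKey) k
Order By s.AssetName;
```

To use the numeric test against real data, replace Sample with the tblOperatingsystem and tblFileVersions joins from the report above; whether Lansweeper's report editor accepts CTEs and Cross Apply has not been checked here.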

‎07-04-2017 03:55 PM
It's a good report but with one flaw: if you uninstall SMB from a computer, it also removes srv.sys from the computer. If you scan a computer and run the report, it displays ERR in the MS17-010 column.

‎07-03-2017 04:14 PM
Yes, you are right, the report linked by you is more complete, but I was looking for a solution to check if that specific update was installed, not by the HotFixID but instead by reading the file version (we experienced some cases with the right HotFixID but the srv.sys file not updated).
Thanks for your reply.

‎07-03-2017 02:06 PM
We would like to thank you for the report you have provided the Lansweeper community with. However, it does not include all possible hotfixes that are available for all Windows operating systems. We would like to link an additional forum topic to this where we have provided our customers with a report that checks if the necessary hotfixes are installed on a Windows asset. If not, the report will give back the asset as vulnerable. The report can be found here.
