ufficioced
Champion Sweeper
We can use Lansweeper to check whether MS17-010 was correctly installed on a Windows system. Follow these steps:

- First, add a custom file scan to Lansweeper; the file to check is '%windir%\system32\drivers\srv.sys',
following the idea you can find here: How to verify that MS17-010 is installed

- Create a report to check whether MS17-010 has a problem or not; it has to check the operating system version and, accordingly, the srv.sys file version.

Feel free to correct it or suggest improvements.


Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblOperatingsystem.Caption As SO,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case
When (tblOperatingsystem.Caption = 'Microsoft Windows 7 Professional' And
(Replace(SubQuery1.FileVersion, '.', '') > Replace('6.1.7601.23689', '.',
''))) Then 'OK'
When (tblOperatingsystem.Caption Like 'Microsoft Windows Server 2012 R2%'
And (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.3.9600.18604',
'.', ''))) Then 'OK'
When (tblOperatingsystem.Caption Like 'Microsoft(R) Windows(R) Server 2003%'
And (Replace(SubQuery1.FileVersion, '.', '') > Replace('5.2.3790.6021', '.',
''))) Then 'OK'
When (tblOperatingsystem.Caption =
'Microsoft Windows Server 2008 R2 Standard' And
(Replace(SubQuery1.FileVersion, '.', '') > Replace('6.1.7601.23689', '.',
''))) Then 'OK' Else 'ERR' End As [MS17-010],
TsysLastscan.Lasttime As LastFileScan,
Case SubQuery1.Found When 1 Then 'Yes' Else 'No' End As FileFound,
SubQuery1.FileVersion,
SubQuery1.CompanyName,
SubQuery1.LastModified,
SubQuery1.Lastchanged,
Case
When TsysLastscan.Lasttime < GetDate() -
1 Then
'Last file scan more than 24 hours ago!' End As Comment,
SubQuery1.PatchSearched
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Left Join (Select Top 1000000 tblFileVersions.AssetID,
tblFileVersions.FilePathfull As PatchSearched,
tblFileVersions.Found,
tblFileVersions.FileVersion,
tblFileVersions.CompanyName,
tblFileVersions.Filesize,
tblFileVersions.Lastchanged,
tblFileVersions.CreationDate,
tblFileVersions.LastAccessed,
tblFileVersions.LastModified
From tblFileVersions
Where tblFileVersions.FilePathfull Like '%srv.sys') SubQuery1
On SubQuery1.AssetID = tblAssets.AssetID
Inner Join tblOperatingsystem
On tblAssets.AssetID = tblOperatingsystem.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'files'
Order By tblAssets.Domain,
tblAssets.AssetName
4 REPLIES
ufficioced
Champion Sweeper
You are right! I added a new option in the "case/when" condition to check whether the file "SRV.SYS" exists or not.


Select Top 1000000 tsysOS.Image As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblOperatingsystem.Caption As SO,
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case
When (SubQuery1.Found!=1) Then 'NO SRV.SYS'
When (tblOperatingsystem.Caption = 'Microsoft Windows 7 Professional' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.1.7601.23689', '.',''))) Then 'OK'
When (tblOperatingsystem.Caption Like 'Microsoft Windows Server 2012 R2%' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.3.9600.18604','.', ''))) Then 'OK'
When (tblOperatingsystem.Caption Like 'Microsoft(R) Windows(R) Server 2003%' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('5.2.3790.6021', '.',''))) Then 'OK'
When (tblOperatingsystem.Caption = 'Microsoft Windows Server 2008 R2 Standard' And (Replace(SubQuery1.FileVersion, '.', '') > Replace('6.1.7601.23689', '.',''))) Then 'OK' Else 'ERR' End As [MS17-010],
TsysLastscan.Lasttime As LastFileScan,
Case SubQuery1.Found When 1 Then 'Yes' Else 'No' End As FileFound,
SubQuery1.FileVersion,
SubQuery1.CompanyName,
SubQuery1.LastModified,
SubQuery1.Lastchanged,
Case
When TsysLastscan.Lasttime < GetDate() -
1 Then
'Last file scan more than 24 hours ago! Scanned file information may not be up-to-date. Try rescanning this machine.' End As Comment,
SubQuery1.PatchSearched
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Left Join (Select Top 1000000 tblFileVersions.AssetID,
tblFileVersions.FilePathfull As PatchSearched,
tblFileVersions.Found,
tblFileVersions.FileVersion,
tblFileVersions.CompanyName,
tblFileVersions.Filesize,
tblFileVersions.Lastchanged,
tblFileVersions.CreationDate,
tblFileVersions.LastAccessed,
tblFileVersions.LastModified
From tblFileVersions
Where tblFileVersions.FilePathfull Like '%srv.sys') SubQuery1
On SubQuery1.AssetID = tblAssets.AssetID
Inner Join tblOperatingsystem
On tblAssets.AssetID = tblOperatingsystem.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'files'
Order By tblAssets.Domain,
tblAssets.AssetName
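
Added example, not part of the posts in this thread and not Lansweeper's own report: the same srv.sys check with the version compared numerically part by part, next to the dot-stripped string comparison used above. Assumptions: SQL Server 2012 or later (for Try_Cast), the thresholds treated as minimum patched versions (>=), constructed sample rows, and the hypothetical result labels 'OS NOT COVERED' and 'UNPARSED'.

```sql
-- Added example (T-SQL); every row in Samples is constructed test data.
With Samples As (
  Select * From (Values
    ('PC-A',  'Microsoft Windows 7 Professional',          1, '6.1.7601.23689 (sample_branch)'),
    ('PC-B',  'Microsoft Windows 7 Professional',          1, '6.1.7601.9999'),
    ('SRV-C', 'Microsoft Windows Server 2012 R2 Standard', 1, '6.3.9600.18604'),
    ('SRV-D', 'Microsoft Windows Server 2008 R2 Standard', 0, Null),
    ('PC-E',  'Microsoft Windows 10 Pro',                  1, '10.0.14393.953')
  ) As v (AssetName, Caption, Found, FileVersion)
),
-- Thresholds taken from the reports above, one row per OS caption pattern.
Thresholds As (
  Select * From (Values
    ('Microsoft Windows 7 Professional',          '6.1.7601.23689'),
    ('Microsoft Windows Server 2008 R2 Standard', '6.1.7601.23689'),
    ('Microsoft Windows Server 2012 R2%',         '6.3.9600.18604'),
    ('Microsoft(R) Windows(R) Server 2003%',      '5.2.3790.6021')
  ) As t (CaptionPattern, MinVer)
)
Select s.AssetName, s.Caption, s.FileVersion,
  -- Verdict of the dot-stripped string comparison, shown for contrast.
  Case When Replace(s.FileVersion, '.', '') > Replace(t.MinVer, '.', '')
       Then 'OK' Else 'ERR' End As StringCompare,
  Case
    When IsNull(s.Found, 0) <> 1 Then 'NO SRV.SYS'
    When t.MinVer Is Null Then 'OS NOT COVERED'
    When k.VerKey Is Null Then 'UNPARSED'
    When k.VerKey >= m.MinKey Then 'OK'
    Else 'ERR'
  End As [MS17-010]
From Samples s
Left Join Thresholds t On s.Caption Like t.CaptionPattern
-- Drop any text after the four-part number, e.g. a build-branch suffix.
Cross Apply (Select Left(s.FileVersion,
                         CharIndex(' ', s.FileVersion + ' ') - 1) As Ver) p
-- Pack the four 16-bit parts into one bigint so versions compare numerically.
Cross Apply (Select ((Try_Cast(ParseName(p.Ver, 4) As bigint) * 65536
                    + Try_Cast(ParseName(p.Ver, 3) As bigint)) * 65536
                    + Try_Cast(ParseName(p.Ver, 2) As bigint)) * 65536
                    + Try_Cast(ParseName(p.Ver, 1) As bigint) As VerKey) k
Cross Apply (Select ((Try_Cast(ParseName(t.MinVer, 4) As bigint) * 65536
                    + Try_Cast(ParseName(t.MinVer, 3) As bigint)) * 65536
                    + Try_Cast(ParseName(t.MinVer, 2) As bigint)) * 65536
                    + Try_Cast(ParseName(t.MinVer, 1) As bigint) As MinKey) m
Order By s.AssetName;
```

The two columns disagree on PC-B (a shorter last part sorts higher as text) and on SRV-C (a file exactly at the threshold). To use this in a Lansweeper report, replace the Samples rows with the tblAssets and tblFileVersions joins from the report above.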
poweld1
Champion Sweeper
It's a good report but with one flaw: if you uninstall SMB from a computer, it also removes srv.sys from the computer. If you scan a computer and run the report, it displays ERR in the MS17-010 column.
ufficioced
Champion Sweeper
Yes, you are right, the report linked by you is more complete, but I was looking for a solution to check if that specific update was installed, not by the HotFixID but instead by reading the file version (we experienced some cases with the right HotFixID but the srv.sys file not updated).

Thanks for your reply.
David_G
Lansweeper Employee
We would like to thank you for the report you have provided the Lansweeper community with. However, it does not include all possible hotfixes that are available for all Windows operating systems. We would like to link an additional forum topic to this where we have provided our customers with a report that checks if the necessary hotfixes are installed on a Windows asset. If not, the report will give back the asset as vulnerable. The report can be found here.