joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Where did this OS binary come from?

by @ 10:24 am on 3/21/2017. Filed under tech

Is anyone aware of a mechanism to determine what the source of a given OS binary is from?

I.E. Say you want to know where your lsass.exe binary or tcpip.sys binary came from, what specific hot fix or rollup or whatever. How do you do it?

    joe

Rating 3.00 out of 5

5 Responses to “Where did this OS binary come from?”

  1. David Loder says:

    I typically follow this procedure:
    Search the WinSxS directory for the folder that contains the specific version that is running. Use the date/time of the folder creation date as a reference against the Setup log in Event Viewer to try and figure out what package was installing during that time. Not foolproof but better than nothing.

  2. Scotte says:

    It’s not the cleanest option, but you can get a good start searching on support.microsoft.com for the Product version that’s shown on the Details tab.

    If you want to follow me as I delve past my comfort zone, you can try this powershell script – super rough and likely buggy, but basically it’s looking in WinSXS for copy of the desired file that matches the ProductVersion and then looks in HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\ComponentDetect for that component and displays a KB number…at least it does on the few I’ve tested, including tcpip.sys and lsass.exe.

    I have no idea if this is a sanctioned method or how fool proof, but I’m sure it’s a decent starting point.

    $file = Get-Item -Path C:\Windows\System32\drivers\tcpip.sys
    $shortName = $file.Name
    $productVersion = $file.VersionInfo.ProductVersion
    $sxsCopies = Get-ChildItem -Path C:\Windows\WinSxS -Filter $shortName -Recurse
    foreach ($sxsCopy in $sxsCopies) {
    if ($sxsCopy.VersionInfo.ProductVersion -eq $productVersion) {
    $regName = $sxsCopy.FullName
    }
    }
    $split = $regName.Split(‘_’)
    $splitLength = $split.Length
    $startName = ”
    for($i = 0; $i -lt $splitLength – 3; $i++) {
    $startName += $split[$i] + “_”
    }
    $startName = $startName.Split(‘\’)[3]
    $regKey = Get-ChildItem -Path ‘HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\ComponentDetect’ | ? PSChildName -like $startName*
    $path = $regKey.Name.Replace(‘HKEY_LOCAL_MACHINE’, ‘HKLM:’)
    Get-ItemProperty -Path $path

  3. Scotte says:

    Well, that paste turned out ugly 🙂

  4. Scotte says:

    OK, this is a little bit tidier and fixed some bugs. I also re-worked the method using fsutil to point directly to WinSxS. I’m still not too confident, but we’re getting there. It looks like the ComponentDetect registry key shows all hotfixes that tried to update it. So, the final line shows the most recently successful hotfix install…presumably, that’s the one that created the file in question. Mounds of salt and ymmv.

    $fileName = “C:\Windows\System32\Drivers\tcpip.sys”
    $hardLinks = fsutil.exe hardlink list $fileName
    foreach ($hardLink in $hardLinks) {
    if ($hardLink.StartsWith(“\Windows\WinSxS\”)) {
    $pieces = $hardLink.Split(‘_’)
    $pieceCount = $pieces.Length
    $sxsName = ”
    for($i = 0; $i -lt $pieceCount – 3; $i++) {
    $sxsName += $pieces[$i] + “_”
    }
    $sxsName = $sxsName.Replace(‘\Windows\WinSxS\’, ”)
    }
    }
    $regTree = ‘HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\ComponentDetect’
    $regKey = (Get-ChildItem -Path $regTree | Where-Object PSChildName -like “$sxsName*”)
    $properties = $regKey.Property
    $KBs = @()
    foreach ($property in $properties) {
    $KB = $property.Split(‘_’)[3].Split(‘~’)[0]
    $KBs += $KB
    }
    Get-HotFix -Id $KBs | Sort-Object -Property InstalledOn -Descending | Select-Object -First 1

  5. Rodolfo Giovanninetti says:

    I would check file properties, and then look for that filename and that version in internet.

    Regards

    Rodolfo Giovanninetti

[joeware – never stop exploring… :) is proudly powered by WordPress.]