Is anyone aware of a mechanism to determine what the source of a given OS binary is?
I.e. say you want to know where your lsass.exe binary or tcpip.sys binary came from, what specific hotfix or rollup or whatever. How do you do it?
joe
I typically follow this procedure:
Search the WinSxS directory for the folder that contains the specific version that is running. Use the date/time of the folder creation date as a reference against the Setup log in Event Viewer to try and figure out what package was installing during that time. Not foolproof but better than nothing.
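The procedure above, scripted as an added example (not code from the original comment): it locates the WinSxS copy of a file through its hard links, reads the component folder's creation time, and lists Setup-log entries that mention a KB number in a window around that time. It assumes an elevated session (the Setup log and fsutil.exe need it); the file path and the 30-minute window are placeholders to adjust.

```powershell
# Added example: correlate a binary's WinSxS component folder with the Setup event log.
# Assumptions: run elevated; fsutil.exe and the 'Setup' event log are available.
param(
    [string]$FilePath = 'C:\Windows\System32\drivers\tcpip.sys',  # file to investigate
    [int]$WindowMinutes = 30                                       # search window around folder creation
)

$file = Get-Item -LiteralPath $FilePath
"File: $($file.FullName)  ProductVersion: $($file.VersionInfo.ProductVersion)"

# The component store (WinSxS) holds the payload; System32 carries a hard link to it.
# fsutil returns each link as a root-relative path such as \Windows\WinSxS\<component>\tcpip.sys
$sxsDirs = fsutil.exe hardlink list $file.FullName |
    Where-Object { $_ -like '\Windows\WinSxS\*' } |
    ForEach-Object { Split-Path -Parent ($env:SystemDrive + $_) } |
    Sort-Object -Unique

if (-not $sxsDirs) {
    Write-Warning 'No WinSxS hard link found; the file is not serviced through the component store.'
    return
}

foreach ($dir in $sxsDirs) {
    $created = (Get-Item -LiteralPath $dir).CreationTime
    "WinSxS component folder: $dir"
    "  created: $created"

    # Setup-log entries written around the time the component folder appeared
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Setup'
        StartTime = $created.AddMinutes(-$WindowMinutes)
        EndTime   = $created.AddMinutes($WindowMinutes)
    } -ErrorAction SilentlyContinue

    # Keep only entries whose message names a KB, and show the first line of each
    $events | ForEach-Object {
        if ($_.Message -match 'KB\d+') {
            [pscustomobject]@{
                Time = $_.TimeCreated
                KB   = $Matches[0]
                Text = ($_.Message -split "`r?`n")[0]
            }
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
}
```

Save it as a .ps1 and run it with a path argument. Several packages can install in one servicing session, so treat the listed KBs as candidates to confirm against the package contents rather than as a definitive answer.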
It’s not the cleanest option, but you can get a good start searching on support.microsoft.com for the Product version that’s shown on the Details tab.
If you want to follow me as I delve past my comfort zone, you can try this PowerShell script – super rough and likely buggy, but basically it’s looking in WinSxS for a copy of the desired file that matches the ProductVersion and then looks in HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\ComponentDetect for that component and displays a KB number…at least it does on the few I’ve tested, including tcpip.sys and lsass.exe.
I have no idea if this is a sanctioned method or how foolproof, but I’m sure it’s a decent starting point.
# The running file and its ProductVersion
$file = Get-Item -Path C:\Windows\System32\drivers\tcpip.sys
$shortName = $file.Name
$productVersion = $file.VersionInfo.ProductVersion
# Find the WinSxS copy with the same ProductVersion
$sxsCopies = Get-ChildItem -Path C:\Windows\WinSxS -Filter $shortName -Recurse
foreach ($sxsCopy in $sxsCopies) {
    if ($sxsCopy.VersionInfo.ProductVersion -eq $productVersion) {
        $regName = $sxsCopy.FullName
    }
}
# Keep the component name prefix: drop the last three '_' separated pieces (version, culture, hash\file)
$split = $regName.Split('_')
$splitLength = $split.Length
$startName = ''
for ($i = 0; $i -lt $splitLength - 3; $i++) {
    $startName += $split[$i] + '_'
}
# Path is C:\Windows\WinSxS\<component>..., so element 3 is the component folder prefix
$startName = $startName.Split('\')[3]
$regKey = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\ComponentDetect' | ? PSChildName -like "$startName*"
$path = $regKey.Name.Replace('HKEY_LOCAL_MACHINE', 'HKLM:')
Get-ItemProperty -Path $path
Well, that paste turned out ugly 🙂
OK, this is a little bit tidier and fixed some bugs. I also re-worked the method using fsutil to point directly to WinSxS. I’m still not too confident, but we’re getting there. It looks like the ComponentDetect registry key shows all hotfixes that tried to update it. So, the final line shows the most recently successful hotfix install…presumably, that’s the one that created the file in question. Mounds of salt and ymmv.
$fileName = 'C:\Windows\System32\Drivers\tcpip.sys'
# fsutil lists every hard link to the file; the WinSxS one names the component folder
$hardLinks = fsutil.exe hardlink list $fileName
foreach ($hardLink in $hardLinks) {
    if ($hardLink.StartsWith('\Windows\WinSxS\')) {
        # Keep the component name prefix: drop the last three '_' separated pieces (version, culture, hash\file)
        $pieces = $hardLink.Split('_')
        $pieceCount = $pieces.Length
        $sxsName = ''
        for ($i = 0; $i -lt $pieceCount - 3; $i++) {
            $sxsName += $pieces[$i] + '_'
        }
        $sxsName = $sxsName.Replace('\Windows\WinSxS\', '')
    }
}
# ComponentDetect lists every package that tried to service the component
$regTree = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\ComponentDetect'
$regKey = (Get-ChildItem -Path $regTree | Where-Object PSChildName -like "$sxsName*")
$properties = $regKey.Property
$KBs = @()
foreach ($property in $properties) {
    # Value names look like Package_N_for_KBnnnnnnn~...; pull out the KB token
    $KB = $property.Split('_')[3].Split('~')[0]
    $KBs += $KB
}
# The most recently installed of those packages is presumably the one that delivered the file
Get-HotFix -Id $KBs | Sort-Object -Property InstalledOn -Descending | Select-Object -First 1
I would check the file properties, and then look for that filename and that version on the internet.
Regards
Rodolfo Giovanninetti