Purpose
The purpose of this article is to explain how patch scanning detection works in Patch for Windows.
Overview
The Patch for Windows scan engine performs security patch assessment against a variety of Windows-based operating systems and products from Microsoft and other product vendors.
The Patch for Windows engine uses an Extensible Markup Language (XML) file that contains information about which security hotfixes are available for each product. The XML file contains security bulletin name and title, and detailed data about product-specific security hotfixes, including:
- Files in each hotfix package and their file versions
- Registry changes that were applied by the hotfix installation package
- Information about patch supersedence
- Related Microsoft Knowledge Base article numbers
- Links to additional information from Bugtraq (BugtraqID) and cross references to the Common Vulnerabilities and Exposures (CVE) database hosted by Mitre.org (CVEID)
The content data file, called WindowsPatchData.zip, is created and hosted by Ivanti.
When you run Patch for Windows (without specifying advanced file input options), the program must download a copy of this XML file so that it can identify the hotfixes that are available for each product. The XML file is a digitally signed CAB file and is available on the Shavlik website. Patch for Windows downloads the CAB file, verifies its digital signature, and then extracts the XML file to your local computer. Note that a CAB file is a compressed archive that is similar to a ZIP file.
After the XML file is extracted, Patch for Windows scans your machine (or the selected machines) to determine the operating system, service packs, and programs that you are running. Patch for Windows then identifies security patches that are available for your combination of installed software. Patches that are applicable to your machine but are not currently installed are displayed as "Missing Patch" in the resulting output. In the default configuration, Patch for Windows output displays only those patches that are necessary to bring your machine up-to-date. Patch for Windows recognizes roll-up packages and does not display those patches that are replaced by later patches.
Read more about supersedence detection (replacement patches) here: Determining Patch Replacements
During the scanning process the detection goes through a few main steps, simplified in order here:
1. DPD (Dynamic Product Detection) - The scan engine will first use DPD to identify the:
A. Operating System
B. Any products installed on the target system
C. The service pack level of any installed products (if applicable).
2. Patch detection - Once the DPD determines all applicable products on the target system the scan then goes into individual patch detection for all patches that apply to the OS or products on the target system. For each individual patch the scan goes through registry and/or file checks for any registry keys or files that are affected by the patch. This is also where any filtering comes into play. (i.e. product, patch type, criticality, or any other patch filter settings)
Additional Information
Affected Products
Patch for Windows 9.3+