API/WMI Query for complete list of hotfixes and updates installed on a system?

Earl Sven · Sep 7, 2012 · Viewed 7.4k times

Previously, how to query for a list of hotfixes installed on a Windows system has been discussed, and the use of WMI and the class Win32_QuickFixEngineering was suggested as providing the information. However, MSDN indicates that from Vista onwards this particular class only returns hotfixes, and not updates installed by other means.

An older question discusses the use of this class to get installed updates indicating the author is also not satisfied using it because of the limitation I described above. Unfortunately, as a comment on the accepted answer points out, the alternative solution of using the Windows Update Agent API will still indicate a hotfix has been installed even after it has been subsequently removed (it's querying the installation history, not the currently installed updates).

Does anybody know how to get in C# (via WMI or some other API) a complete list of updates and hotfixes installed on the system, which doesn't exclude some means by which updates may be installed, and won't return updates that were subsequently removed? Essentially, I'm after the same set of data as is available in 'Programs and Features' under the 'View Installed Updates' pane.

Apologies if this discussion ought to have been had on either of the linked questions previously looking at this issue, however with my current reputation the only way I could contribute to either question would be to submit a new answer, and that's definitely not the right way to ask a further question such as this.

Thanks!

Answer

Peter Ritchie · Sep 10, 2012

As far as I know, anything that is installed and able to be uninstalled must be registered in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. It appears that subkey names KB999999 are reserved for system updates (hotfixes or service packs). Something that is an update will have a REG_SZ value within that subkey named ParentKeyName which links to the registry entry that it updated.

For example, I have Service Pack 1 for SQL Server 2008, so, I have a subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968369 in the registry. It has a REG_SZ value named HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968369\ParentKeyName with the value "Microsoft SQL Server 10 Release". Because I have SQL Server 2008 installed (as KB968369 is the SP for it) I also have a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft SQL Server 10 Release which is the ParentKeyName link.

You can tell what type an update is from the ReleaseType REG_SZ value. For example, the KB968369 install has a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968369\ReleaseType value of "ServicePack".

I assume only the updates that can be uninstalled are registered under the Uninstall key. There is also the HKEY_LOCAL_MACHINE\Software\Classes\Installer\Patches registry key (referenced in various places like here: http://support.microsoft.com/kb/971187 ) that seems to detail various system updates.

There's also apparently a Microsoft Update object that you can instantiate and query. An example of this is detailed here: http://msmvps.com/blogs/athif/archive/2005/11/20/76035.aspx

I'm not sure if that gives you entirely what you want; but it's some various things I've learned over the years...
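
The registry layout described in the answer above, as an added C# example that is not part of the original answer: it walks the Uninstall key in both the 64-bit and 32-bit registry views and prints the entries that carry a ParentKeyName value, together with their ReleaseType. It assumes .NET Framework 4 or later (for RegistryView); the class and method names are illustrative, and the output covers only what is registered under that key.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Win32;

// Added example: class and method names are illustrative, not from the answer.
static class InstalledUpdateLister
{
    const string UninstallPath = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall";

    sealed class UpdateEntry
    {
        public string KeyName, DisplayName, ParentKeyName, ReleaseType;
    }

    // Yields Uninstall subkeys that have a ParentKeyName value, which is
    // how the answer distinguishes updates from base products.
    static IEnumerable<UpdateEntry> ReadView(RegistryView view)
    {
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (RegistryKey uninstall = hklm.OpenSubKey(UninstallPath))
        {
            if (uninstall == null) yield break;          // key absent in this view
            foreach (string name in uninstall.GetSubKeyNames())
            {
                using (RegistryKey sub = uninstall.OpenSubKey(name))
                {
                    if (sub == null) continue;           // removed while enumerating
                    string parent = sub.GetValue("ParentKeyName") as string;
                    if (string.IsNullOrEmpty(parent)) continue;
                    yield return new UpdateEntry {
                        KeyName = name,
                        DisplayName = sub.GetValue("DisplayName") as string,
                        ParentKeyName = parent,
                        ReleaseType = sub.GetValue("ReleaseType") as string
                    };
                }
            }
        }
    }

    static void Main()
    {
        // On 32-bit Windows both views resolve to the same key, so de-duplicate.
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (RegistryView view in new[] { RegistryView.Registry64, RegistryView.Registry32 })
            foreach (UpdateEntry e in ReadView(view))
                if (seen.Add(e.KeyName))
                    Console.WriteLine("{0}\t{1}\t{2}\t{3}", e.KeyName,
                        e.ReleaseType ?? "(none)", e.ParentKeyName, e.DisplayName ?? "(none)");
    }
}
```

Because the entry is read from the live registry rather than from installation history, an update whose Uninstall subkey has been deleted no longer appears in the output.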