Announcement

**Ulrich** · 04-14-2018, 08:55 PM

You will not be able to check for a certain Windows hotfix on the target computer using the Control Panel. This method is not reliable for a number of reasons:

The hotfix you are looking for may already have been superseded by another one, such as a "Security Monthly Quality Rollup";
The user may have performed a cleanup of the Windows Installer logs, and the hotfix may not be listed as installed, but it is actually installed;
For the same reason, using tools such as "wmic get hotfix" or "systeminfo" may not show the specific hotfix you are looking for.

So, instead of looking for the hotfix, or a for a setting in the registry, you will get much better results if you know what this hotfix actually does. Use the Microsoft Support site or Google to find the security bulletin for KB3033929. There you will find the list of files - and the version numbers - which are being deployed by this package.

If you visit the linked page, you will see that the "wintrust" DLL will be upgraded to 6.1.7601.18741 on Windows 7 SP1 computers. This is a good candidate for checking if the KB3033929 was already deployed, or if even a newer version is available on the target system. Only if you find an older version of this file you should attempt to deploy the standalone Windows Update file. If you attempt to run the Windows6.1-KB3033929-x[86|64].msu package when the PC is already updated, you will get an error.

Here is some sample code which you can use:

Code:

function CheckForKB3033929()
    local nRet = 1;
    
    local tOSInfo = System.GetOSVersionInfo();
    
    -- this code is only relevant for Windows 7 SP1
    if (tOSInfo.MajorVersion == "6") and (tOSInfo.MinorVersion == "1") and (tOSInfo.BuildNumber == "7601") then
    
        local tVersion = File.GetVersionInfo(SessionVar.Expand("%SystemFolder%\\wintrust.dll"));
        if (String.CompareFileVersions(tVersion.FileVersion, "6.1.7601.18741") >= 0) then
            -- required version or newer found
            Dialog.Message("Info", "KB3033929 installed", MB_OK, MB_ICONINFORMATION);
            nRet = 0;
        end
    else
        Dialog.Message("Info", "KB3033929 does not apply on this platform", MB_OK, MB_ICONINFORMATION);
        nRet = 0;
    end
    
    return nRet;
end


if (CheckForKB3033929() == 1) then
    Dialog.Message("Info", "No support for SHA-2 codesigning found on this device", MB_OK, MB_ICONINFORMATION);
    -- need to install the update
end

Ulrich

**amrum** · 04-15-2018, 11:49 AM

Thank you for your answer Ulrich,

Originally posted by Ulrich View Post

Only if you find an older version of this file you should attempt to deploy the standalone Windows Update file. If you attempt to run the Windows6.1-KB3033929-x[86|64].msu package when the PC is already updated, you will get an error.

I have found a way to install the Windows Update (KB3033929 / x64) even if it already exists!

How do I know that the Windows Update KB3033929 from a certain Windows version (6.1.7601.18741) must / should be available through a rollup?

- Until Windows Version >> 6.1.7601.18740, the KB3033929 must be installed
- As of Windows version 6.1.7601.18741 >> the update KB3033929 is included

Did I interpret that correctly?

**Ulrich** · 04-16-2018, 07:24 AM

What the working Lua code checks for is not the Windows version of the target system, but the version of the DLL. If the file version is older than what is required, then you need to update the target system. And unless your application works exclusively on 64-bit systems, you need to enable the update process for both platforms, 32 and 64-bit Windows 7 SP1.

Ulrich

Announcement

Query Windows Update

Query Windows Update

Comment

Comment

Comment