How to verify that Wannacry patch is correctly installed

In a big company, with a lot of windows systems, checking the correct patching for Wannacry could be a little tricky.

Security update MS17–010 addresses several vulnerabilities in Windows SMB v1 exploited by the WannaCrypt ransomware.

However, the KB that contains that update differs between Windows versions, and some times it could be included into service packs or cumulative updates: in short, a big mess!

We can simplify!

However, there is another way to check the correct patching: the MS17–010 installs a patched version of %systemroot%\system32\drivers\srv.sys.

So, we can simply check the file version and compare it with this list:

  • Windows XP: 5.1.2600.7208
  • Windows Server 2003 SP2: 5.2.3790.6021
  • Windows Vista,Windows Server 2008 SP2: GDR:6.0.6002.19743, LDR:6.0.6002.24067
  • Windows 7, Windows Server 2008 R2: 6.1.7601.23689
  • Windows 8, Windows Server 2012:6.2.9200.22099
  • Windows 8.1, Windows Server 2012 R2: 6.3.9600.18604
  • Windows 10 TH1 v1507: 10.0.10240.17319
  • Windows 10 TH2 v1511: 10.0.10586.839
  • Windows 10 RS1 v1607,Windows Server 2016: 10.0.14393.953

If the version installed on our system is equal or major of the version in the list, the OS is correctly patched.

Automate it!

The srv.sys file version can be simply extracted using wmic:

C:>WMIC DATAFILE WHERE name="c:\windows\system32\drivers\srv.sys" get Version /format:Textvaluelist
Output on Windows 10

This command can be included in a batch script that compare the correct version of the file.

However, in this page on Microsoft support i’ve found a powershell script that automate the entire process:

 

To correct execute the script, you need to set the execution policy to ‘unrestricted’:

Set-ExecutionPolicy unrestricted
Output on Windows 10

References

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed

Comments