Notice
This Knowledge Base article is provided as is and does not replace supersedence data that is provided through the normal update channels. Supersedence information that post-dates the following data can be found in the Security Update Guide and other collateral tools.
Summary
See the products that this article applies to.
Security update MS17-010 addresses several vulnerabilities in Windows Server Message Block (SMB) v1. The WannaCrypt ransomware is exploiting one of the vulnerabilities that is part of the MS17-010 update. Computers that do not have MS17-010 installed are at heightened risk because of several strains of malware. This article provides several quick methods to detect whether the computer is updated.
Method 1: Check by installed Knowledge Base number
Use the following table to check for any of the listed updates (except the ones marked as "Does not contain MS17-010 patch"). If any of these is installed, MS17-010 is installed.
Table 1 of 2: Windows 7 SP1 and later. The following rollup KBs contain the fix (except in the "April Security Only 4B" column). Beneath each KB number is the updated Srv.sys version number.
|
Windows versions |
March Security Only Update (3/14/17) |
March Monthly Rollup (3/14/17) |
March Preview of Monthly Rollup (3/21/17) |
April Security Only Update (4/11/17) |
April Monthly Rollup (4/11/17) |
April Preview of Monthly Rollup (4/18/17) |
May Security Only Update (5/09/17) |
May Monthly Rollup (5/09/17) |
Download link |
|
Windows 7 SP1 and Windows Server 2008 R2 SP1 |
4012212 6.1.7601.23689 |
4012215 6.1.7601.23689 |
4012218 6.1.7601.23689 |
4015546 Does not contain MS17-010 patch |
4015549 6.1.7601.23689 |
4015552 6.1.7601.23689 |
4019263 6.1.7601.23762 |
4019264 6.1.7601.23762 |
|
|
Windows 2012 |
4012214 6.2.9200.22099 |
4012217 6.2.9200.22099 |
4012220 6.2.9200.22099 |
4015548 Does not contain MS17-010 patch |
4015551 6.2.9200.22099 |
4015554 6.2.9200.22099 |
4019214 6.2.9200.22137 |
4019216 6.2.9200.22137 |
|
|
Windows 8.1 and Windows Server 2012 R2 |
4012213 6.3.9600.18604 |
4012216 6.3.9600.18604 |
4012219 6.3.9600.18604 |
4015547 Does not contain MS17-010 patch |
4015550 6.3.9600.18604 |
4015553 6.3.9600.18619 |
4019213 6.3.9600.18655 |
4019215 6.3.9600.18655 |
|
|
Windows 10 Version 1507 |
4012606 10.0.10240.17319 |
4016637 10.0.10240.17319 |
- |
- |
4015221 10.0.10240.17319 |
- |
- |
4019474 10.0.10240.17394 |
|
|
Windows 10 Version 1511 |
4013198 10.0.10586.839 |
4016636 10.0.10586.839 |
- |
- |
4015219 10.0.10586.839 |
- |
- |
4019473 10.0.10586.916 |
|
|
Windows 10 Version Windows Server 2016 |
4013429 10.0.14393.953 |
4016635 10.0.14393.953 |
- |
- |
4015217 10.0.14393.953 |
- |
- |
4019472 10.0.14393.1198 |
Table 2 of 2: Continued for the May and June 2017 updates.
|
Windows versions |
May Preview of Monthly Rollup (5/16/17) |
June Security Only Update (6/13/17) |
June Monthly Rollup (6/13/17) |
Download link |
|
Windows 7 and Server 2008 R2 |
4019265 6.1.7601.23762
|
4022722 |
4022168 6.1.7601.23762 |
|
|
Windows Server 2012 |
4019218 6.2.9200.22137 |
4022718 |
4022724 6.2.9200.22137 |
|
|
Windows 8.1 and Windows Server 2012 R2 |
4019217 6.3.9600.18655 |
4022717 |
4022720 6.3.9600.18688 |
|
|
Windows 10 Version 1507 |
- |
- |
4032695 |
|
|
Windows 10 Version 1511 |
- |
- |
4032693 |
|
|
Windows 10 Version 1607 and Windows Server 2016 |
- |
- |
4022723 10.0.14393.1198 |
Table 2: Other Windows versions. Use KB 4012598 for the security update.
|
Windows versions |
KB number and updated Srv.sys version |
Download link |
|
Windows Server 2003 SP2 |
4012598 5.2.3790.6021 |
|
|
Windows XP |
4012598 5.1.2600.7208 |
Windows XP SP2 x64 Windows XP SP3 x86 Windows XP Embedded SP3 x86 |
|
Windows Vista SP2 |
4012598 GDR:6.0.6002.19743 LDR:6.0.6002.24067 |
Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 |
|
Windows Server 2008 SP2 |
4012598 GDR:6.0.6002.19743 LDR:6.0.6002.24067 |
Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 |
|
Windows 8 |
4012598 6.2.9200.22099 |
Table 3: Additional updates that contain the fix.
Windows 8.1 and Windows Server 2012 R2
|
Release date |
KB number |
Support page |
|
March 21, 2017 |
4012219 |
|
|
April 18, 2017 |
4015553 |
|
|
May 16, 2017 |
4019217 |
|
|
June 27, 2017 |
4022720 |
Windows server 2012
|
Release date |
KB number |
Support page |
|
March 21, 2017 |
4012220 |
|
|
April 18, 2017 |
4015554 |
|
|
May 16, 2017 |
4019218 |
|
|
June 27, 2017 |
4022721 |
Windows 7 SP1 and Windows Server 2008 R2 SP1
|
Release date |
KB number |
Support page |
|
March 21, 2017 |
4012218 |
|
|
April 18, 2017 |
4015552 |
|
|
May 16, 2017 |
4019265 |
|
|
June 27, 2017 |
4022168 |
Method 2: Check by %systemroot%\system32\drivers\srv.sys file version
Use the following chart to check the file version of %systemroot%\system32\drivers\srv.sys. If the file version is equal to or greater than the listed version, MS17-010 is installed.
|
Windows versions |
Minimum updated Srv.sys version |
|
Windows XP |
5.1.2600.7208 |
|
Windows Server 2003 SP2 |
5.2.3790.6021 |
|
Windows Vista Windows Server 2008 SP2 |
GDR:6.0.6002.19743, LDR:6.0.6002.24067 |
|
Windows 7 Windows Server 2008 R2 |
6.1.7601.23689 |
|
Windows 8 Windows Server 2012 |
6.2.9200.22099 |
|
Windows 8.1 Windows Server 2012 R2 |
6.3.9600.18604 |
|
Windows 10 TH1 v1507 |
10.0.10240.17319 |
|
Windows 10 TH2 v1511 |
10.0.10586.839 |
|
Windows 10 RS1 v1607 Windows Server 2016 |
10.0.14393.953 |
Method 3: Check by WMI and Windows PowerShell
Use WMI and Windows PowerShell to determine whether MS17-010 fixes have been installed.WMI command To find a specified KB number, open an elevated Command Prompt window, and then run the following command:
wmic qfe get hotfixid | find "KB1234567"
Notes
-
In this command, replace <KB1234567> with the actual KB number.
-
Use an ampersand character (&) to search for multiple updates. For example, run the following command:
wmic qfe get hotfixid | find "KB4012212" & wmic qfe get hotfixid | find "KB4012215" & wmic qfe get hotfixid | find "KB4015549"
PowerShell commands
To check in the local system, run the following administrative PowerShell cmdlet:
get-hotfix -id KB1234567
Notes
-
In this command, replace <KB1234567> with the actual KB number.
-
Use a comma ( , ) to search for multiple updates. For example, run the following command:
get-hotfix -id KB4012212,KB4012215,KB4015549
To check all computers in an Active Directory domain or OU, run the following administrative PowerShell cmdlet on a domain controller:
foreach ( $n in (get-adcomputer -searchbase ‘OU=workstations,dc=contoso,dc=com’ -filter * -property * | select name )) {get-hotfix -computername $n.name -id KB1234567}Note The "OU=workstations,dc=contoso,dc=com" part can be changed to point to the root of an Active Directory domain directory partition, such as "dc=contoso,dc=com" to search computers in the entire domain. In this command, replace <KB1234567> with the actual KB number.
How to resolve the “not applicable” installation error
If prerequisite fixes are not installed on the computers, you may receive the following error message when you install MS17-010 on Windows 8.1 or Windows Server 2012 R2:
The update is not applicable to your computer
To resolve this error, follow these steps:
-
Make sure that you are trying to install the correct update. To do this, check the KB number in Table 1 in Method 1. Compare it to your system version, system service pack level, and system bit level (x64, IA64, or x86).
-
Check for missing dependencies. For Windows 8.1 and Windows Server 2012 R2, install dependent fixes as required according to the following articles:
-
If you are unable to install a rollup update, try a different rollup version. See Table 1 for the available updates.
PowerShell script
The following Windows PowerShell script compares the Srv.sys version on the local computer with the versions that are listed in the chart in Method 2. Save this script to a .ps1 file, and then run the script from PowerShell. This script applies to Windows XP and Windows Server 2003 and later versions. It requires Windows PowerShell 2.0 or a later version.
[reflection.assembly]::LoadWithPartialName("System.Version")
$os = Get-WmiObject -class Win32_OperatingSystem
$osName = $os.Caption
$s = "%systemroot%\system32\drivers\srv.sys"
$v = [System.Environment]::ExpandEnvironmentVariables($s)
If (Test-Path "$v")
{
Try
{
$versionInfo = (Get-Item $v).VersionInfo
$versionString = "$($versionInfo.FileMajorPart).$($versionInfo.FileMinorPart).$($versionInfo.FileBuildPart).$($versionInfo.FilePrivatePart)"
$fileVersion = New-Object System.Version($versionString)
}
Catch
{
Write-Host "Unable to retrieve file version info, please verify vulnerability state manually." -ForegroundColor Yellow
Return
}
}
Else
{
Write-Host "Srv.sys does not exist, please verify vulnerability state manually." -ForegroundColor Yellow
Return
}
if ($osName.Contains("Vista") -or ($osName.Contains("2008") -and -not $osName.Contains("R2")))
{
if ($versionString.Split('.')[3][0] -eq "1")
{
$currentOS = "$osName GDR"
$expectedVersion = New-Object System.Version("6.0.6002.19743")
}
elseif ($versionString.Split('.')[3][0] -eq "2")
{
$currentOS = "$osName LDR"
$expectedVersion = New-Object System.Version("6.0.6002.24067")
}
else
{
$currentOS = "$osName"
$expectedVersion = New-Object System.Version("9.9.9999.99999")
}
}
elseif ($osName.Contains("Windows 7") -or ($osName.Contains("2008 R2")))
{
$currentOS = "$osName LDR"
$expectedVersion = New-Object System.Version("6.1.7601.23689")
}
elseif ($osName.Contains("Windows 8.1") -or $osName.Contains("2012 R2"))
{
$currentOS = "$osName LDR"
$expectedVersion = New-Object System.Version("6.3.9600.18604")
}
elseif ($osName.Contains("Windows 8") -or $osName.Contains("2012"))
{
$currentOS = "$osName LDR"
$expectedVersion = New-Object System.Version("6.2.9200.22099")
}
elseif ($osName.Contains("Windows 10"))
{
if ($os.BuildNumber -eq "10240")
{
$currentOS = "$osName TH1"
$expectedVersion = New-Object System.Version("10.0.10240.17319")
}
elseif ($os.BuildNumber -eq "10586")
{
$currentOS = "$osName TH2"
$expectedVersion = New-Object System.Version("10.0.10586.839")
}
elseif ($os.BuildNumber -eq "14393")
{
$currentOS = "$($osName) RS1"
$expectedVersion = New-Object System.Version("10.0.14393.953")
}
elseif ($os.BuildNumber -eq "15063")
{
$currentOS = "$osName RS2"
"No need to Patch. RS2 is released as patched. "
return
}
}
elseif ($osName.Contains("2016"))
{
$currentOS = "$osName"
$expectedVersion = New-Object System.Version("10.0.14393.953")
}
elseif ($osName.Contains("Windows XP"))
{
$currentOS = "$osName"
$expectedVersion = New-Object System.Version("5.1.2600.7208")
}
elseif ($osName.Contains("Server 2003"))
{
$currentOS = "$osName"
$expectedVersion = New-Object System.Version("5.2.3790.6021")
}
else
{
Write-Host "Unable to determine OS applicability, please verify vulnerability state manually." -ForegroundColor Yellow
$currentOS = "$osName"
$expectedVersion = New-Object System.Version("9.9.9999.99999")
}
Write-Host "`n`nCurrent OS: $currentOS (Build Number $($os.BuildNumber))" -ForegroundColor Cyan
Write-Host "`nExpected Version of srv.sys: $($expectedVersion.ToString())" -ForegroundColor Cyan
Write-Host "`nActual Version of srv.sys: $($fileVersion.ToString())" -ForegroundColor Cyan
If ($($fileVersion.CompareTo($expectedVersion)) -lt 0)
{
Write-Host "`n`n"
Write-Host "System is NOT Patched" -ForegroundColor Red
}
Else
{
Write-Host "`n`n"
Write-Host "System is Patched" -ForegroundColor Green
}
#
References
Customer Guidance for WannaCrypt attacks
Microsoft Malware Protection Center blog
Configuration Manager SQL Server queries for compliance reporting related to MS17-010
This article applies to:
-
Windows Server 2016
-
Windows 10 Version 1607
-
Windows 10 Version 1511
-
Windows 10 Version 1507
-
Windows Server 2012 R2
-
Windows 8.1
-
Windows Server 2012
-
Windows 8
-
Windows Server 2008 R2
-
Windows 7
-
Windows Server 2008 Service Pack 2
-
Windows Vista
-
Windows Server 2003 Service Pack 2
-
Windows XP
