Notice

This Knowledge Base article is provided as is and does not replace supersedence data that is provided through the normal update channels. Supersedence information that post-dates the following data can be found in the Security Update Guide and other collateral tools.

Summary

See the products that this article applies to.

Security update MS17-010 addresses several vulnerabilities in Windows Server Message Block (SMB) v1. The WannaCrypt ransomware is exploiting one of the vulnerabilities that is part of the MS17-010 update. Computers that do not have MS17-010 installed are at heightened risk because of several strains of malware. This article provides several quick methods to detect whether the computer is updated.

Method 1: Check by installed Knowledge Base number

Use the following table to check for any of the listed updates (except the ones marked as "Does not contain MS17-010 patch"). If any of these is installed, MS17-010 is installed.

Table 1 of 2: Windows 7 SP1 and later. The following rollup KBs contain the fix (except in the "April Security Only 4B" column). Beneath each KB number is the updated Srv.sys version number.

Windows versions

March Security Only Update (3/14/17)

March Monthly Rollup (3/14/17)

March Preview of Monthly Rollup (3/21/17)

April Security Only Update (4/11/17)

April Monthly Rollup (4/11/17)

April Preview of Monthly Rollup (4/18/17)

May Security Only Update (5/09/17)

May Monthly Rollup (5/09/17)

Download link

Windows 7 SP1 and  Windows Server 2008 R2 SP1

4012212 6.1.7601.23689

4012215 6.1.7601.23689

4012218 6.1.7601.23689

4015546 Does not contain MS17-010 patch

4015549 6.1.7601.23689

4015552 6.1.7601.23689

4019263 6.1.7601.23762

4019264 6.1.7601.23762

Windows 7 SP1 and Windows Server 2008 R2 SP1 update history

Windows 2012

4012214 6.2.9200.22099

4012217 6.2.9200.22099

4012220 6.2.9200.22099

4015548 Does not contain MS17-010 patch

4015551 6.2.9200.22099

4015554 6.2.9200.22099

4019214 6.2.9200.22137

4019216 6.2.9200.22137

Windows Server 2012 update history

Windows 8.1 and Windows Server 2012 R2

4012213 6.3.9600.18604

4012216 6.3.9600.18604

4012219 6.3.9600.18604

4015547 Does not contain MS17-010 patch

4015550 6.3.9600.18604

4015553 6.3.9600.18619

4019213 6.3.9600.18655

4019215 6.3.9600.18655

Windows 8.1 and Windows Server 2012 R2 update history

Windows 10 Version 1507

4012606 10.0.10240.17319

4016637 10.0.10240.17319

-

-

4015221 10.0.10240.17319

-

-

4019474 10.0.10240.17394

Windows 10 update history

Windows 10 Version 1511  

4013198 10.0.10586.839

4016636 10.0.10586.839

-

-

4015219 10.0.10586.839

-

-

4019473 10.0.10586.916

Windows 10 update history

Windows 10 Version Windows Server 2016

4013429 10.0.14393.953

4016635 10.0.14393.953

-

-

4015217 10.0.14393.953

-

-

4019472 10.0.14393.1198

Windows 10 and Windows Server 2016 update history

 

Table 2 of 2: Continued for the May and June 2017 updates.

Windows versions

May Preview of Monthly Rollup

(5/16/17)

June Security Only Update

(6/13/17)

June Monthly Rollup

(6/13/17)

Download link

Windows 7 and Server 2008 R2

4019265 6.1.7601.23762

 

4022722

4022168 6.1.7601.23762

Windows 7 SP1 and Windows Server 2008 R2 SP1 update history

Windows Server 2012

4019218 6.2.9200.22137

4022718

4022724 6.2.9200.22137

Windows Server 2012 update history

Windows 8.1 and Windows Server 2012 R2

4019217 6.3.9600.18655

4022717

4022720 6.3.9600.18688

Windows 8.1 and Windows Server 2012 R2 update history

Windows 10 Version 1507

-

-

4032695

Windows 10 update history

Windows 10 Version 1511

-

-

4032693

Windows 10 update history

Windows 10 Version 1607 and Windows Server 2016

-

-

4022723 10.0.14393.1198

Windows 10 and Windows Server 2016 update history

 

Table 2: Other Windows versions. Use KB 4012598 for the security update.

Windows versions

KB number and updated Srv.sys version

Download link

Windows Server 2003 SP2

4012598 5.2.3790.6021

Windows Server 2003 SP2 x64 Windows Server 2003 SP2 x86

Windows XP

4012598 5.1.2600.7208

Windows XP SP2 x64 Windows XP SP3 x86 Windows XP Embedded SP3 x86

Windows Vista SP2

4012598 GDR:6.0.6002.19743 LDR:6.0.6002.24067

Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2

Windows Server 2008 SP2

4012598 GDR:6.0.6002.19743 LDR:6.0.6002.24067

Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 8

4012598 6.2.9200.22099

Windows 8 x86, Windows 8 x64

 

Table 3: Additional updates that contain the fix.

Windows 8.1 and Windows Server 2012 R2

Release date

KB number

Support page

March 21, 2017

4012219

March 21, 2017—KB4012218 (Preview of Monthly Rollup)

April 18, 2017

4015553

April 18, 2017—KB4015553 (Preview of Monthly Rollup)

May 16, 2017

4019217

May 16, 2017—KB4019217 (Preview of Monthly Rollup)

June 27, 2017

4022720

June 27, 2017—KB4022720 (Preview of Monthly Rollup)

 

Windows server 2012

Release date

KB number

Support page

March 21, 2017

4012220

March 21, 2017—KB4012220 (Preview of Monthly Rollup)

April 18, 2017

4015554

April 18, 2017—KB4015554 (Preview of Monthly Rollup)

May 16, 2017

4019218

May 16, 2017—KB4019218 (Preview of Monthly Rollup)

June 27, 2017

4022721

June 27, 2017—KB4022721 (Preview of Monthly Rollup)

 

Windows 7 SP1 and Windows Server 2008 R2 SP1

Release date

KB number

Support page

March 21, 2017

4012218

March 21, 2017—KB4012218 (Preview of Monthly Rollup)

April 18, 2017

4015552

April 18, 2017—KB4015552 (Preview of Monthly Rollup)

May 16, 2017

4019265

May 16, 2017—KB4019265 (Preview of Monthly Rollup)

June 27, 2017

4022168

June 27, 2017—KB4022168 (Preview of Monthly Rollup)

Method 2: Check by %systemroot%\system32\drivers\srv.sys file version

Use the following chart to check the file version of %systemroot%\system32\drivers\srv.sys. If the file version is equal to or greater than the listed version, MS17-010 is installed.

Windows versions

Minimum updated Srv.sys version

Windows XP

5.1.2600.7208

Windows Server 2003 SP2

5.2.3790.6021

Windows Vista Windows Server 2008 SP2

GDR:6.0.6002.19743, LDR:6.0.6002.24067

Windows 7 Windows Server 2008 R2

6.1.7601.23689

Windows 8 Windows Server 2012

6.2.9200.22099

Windows 8.1 Windows Server 2012 R2

6.3.9600.18604

Windows 10 TH1 v1507

10.0.10240.17319

Windows 10 TH2 v1511

10.0.10586.839

Windows 10 RS1 v1607 Windows Server 2016

10.0.14393.953

Method 3: Check by WMI and Windows PowerShell

Use WMI and Windows PowerShell to determine whether MS17-010 fixes have been installed.WMI command To find a specified KB number, open an elevated Command Prompt window, and then run the following command:

wmic qfe get hotfixid | find "KB1234567"

Notes

  • In this command, replace <KB1234567> with the actual KB number.

  • Use an ampersand character (&) to search for multiple updates. For example, run the following command:

    wmic qfe get hotfixid | find "KB4012212" & wmic qfe get hotfixid | find "KB4012215" & wmic qfe get hotfixid | find "KB4015549"

PowerShell commands

To check in the local system, run the following administrative PowerShell cmdlet:

 get-hotfix -id KB1234567

Notes

  • In this command, replace <KB1234567> with the actual KB number.

  • Use a comma ( , ) to search for multiple updates. For example, run the following command:

    get-hotfix -id KB4012212,KB4012215,KB4015549

To check all computers in an Active Directory domain or OU, run the following administrative PowerShell cmdlet on a domain controller:

foreach ( $n in (get-adcomputer -searchbase ‘OU=workstations,dc=contoso,dc=com’ -filter * -property * | select name )) {get-hotfix -computername $n.name -id KB1234567}

Note The "OU=workstations,dc=contoso,dc=com" part can be changed to point to the root of an Active Directory domain directory partition, such as "dc=contoso,dc=com" to search computers in the entire domain. In this command, replace <KB1234567> with the actual KB number.

How to resolve the “not applicable” installation error

If prerequisite fixes are not installed on the computers, you may receive the following error message when you install MS17-010 on Windows 8.1 or Windows Server 2012 R2:

The update is not applicable to your computer

To resolve this error, follow these steps:

  1. Make sure that you are trying to install the correct update. To do this, check the KB number in Table 1 in Method 1. Compare it to your system version, system service pack level, and system bit level (x64, IA64, or x86).  

  2. Check for missing dependencies. For Windows 8.1 and Windows Server 2012 R2, install dependent fixes as required according to the following articles:

    • KB 2919355: Windows RT 8.1, Windows 8.1 and Windows Server 2012 R2 Update: April 2014

    • KB 2919442: March 2014 Servicing Stack Update for Windows 8.1 and Windows Server 2012 R2

    • KB 3173424: Servicing stack update for Windows 8.1 and Windows Server 2012 R2: July 12, 2016

  3. If you are unable to install a rollup update, try a different rollup version. See Table 1 for the available updates.  

PowerShell script

The following Windows PowerShell script compares the Srv.sys version on the local computer with the versions that are listed in the chart in Method 2. Save this script to a .ps1 file, and then run the script from PowerShell. This script applies to Windows XP and Windows Server 2003 and later versions. It requires Windows PowerShell 2.0 or a later version.  

[reflection.assembly]::LoadWithPartialName("System.Version")
$os = Get-WmiObject -class Win32_OperatingSystem
$osName = $os.Caption
$s = "%systemroot%\system32\drivers\srv.sys"
$v = [System.Environment]::ExpandEnvironmentVariables($s)
If (Test-Path "$v")
    {
    Try
        {
        $versionInfo = (Get-Item $v).VersionInfo
        $versionString = "$($versionInfo.FileMajorPart).$($versionInfo.FileMinorPart).$($versionInfo.FileBuildPart).$($versionInfo.FilePrivatePart)"
        $fileVersion = New-Object System.Version($versionString)
        }
    Catch
        {
        Write-Host "Unable to retrieve file version info, please verify vulnerability state manually." -ForegroundColor Yellow
        Return
        }
    }
Else
    {
    Write-Host "Srv.sys does not exist, please verify vulnerability state manually." -ForegroundColor Yellow
    Return
    }
if ($osName.Contains("Vista") -or ($osName.Contains("2008") -and -not $osName.Contains("R2")))
    {
    if ($versionString.Split('.')[3][0] -eq "1")
        {
        $currentOS = "$osName GDR"
        $expectedVersion = New-Object System.Version("6.0.6002.19743")
        } 
    elseif ($versionString.Split('.')[3][0] -eq "2")
        {
        $currentOS = "$osName LDR"
        $expectedVersion = New-Object System.Version("6.0.6002.24067")
        }
    else
        {
        $currentOS = "$osName"
        $expectedVersion = New-Object System.Version("9.9.9999.99999")
        }
    }
elseif ($osName.Contains("Windows 7") -or ($osName.Contains("2008 R2")))
    {
    $currentOS = "$osName LDR"
    $expectedVersion = New-Object System.Version("6.1.7601.23689")
    }
elseif ($osName.Contains("Windows 8.1") -or $osName.Contains("2012 R2"))
    {
    $currentOS = "$osName LDR"
    $expectedVersion = New-Object System.Version("6.3.9600.18604")
    }
elseif ($osName.Contains("Windows 8") -or $osName.Contains("2012"))
    {
    $currentOS = "$osName LDR"
    $expectedVersion = New-Object System.Version("6.2.9200.22099")
    }
elseif ($osName.Contains("Windows 10"))
    {
    if ($os.BuildNumber -eq "10240")
        {
        $currentOS = "$osName TH1"
        $expectedVersion = New-Object System.Version("10.0.10240.17319")
        }
    elseif ($os.BuildNumber -eq "10586")
        {
        $currentOS = "$osName TH2"
        $expectedVersion = New-Object System.Version("10.0.10586.839")
        }
    elseif ($os.BuildNumber -eq "14393")
        {
        $currentOS = "$($osName) RS1"
        $expectedVersion = New-Object System.Version("10.0.14393.953")
        }
    elseif ($os.BuildNumber -eq "15063")
        {
        $currentOS = "$osName RS2"
        "No need to Patch. RS2 is released as patched. "
        return
        }
    }
elseif ($osName.Contains("2016"))
    {
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("10.0.14393.953")
    }
elseif ($osName.Contains("Windows XP"))
    {
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("5.1.2600.7208")
    }
elseif ($osName.Contains("Server 2003"))
    {
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("5.2.3790.6021")
    }
else
    {
    Write-Host "Unable to determine OS applicability, please verify vulnerability state manually." -ForegroundColor Yellow
    $currentOS = "$osName"
    $expectedVersion = New-Object System.Version("9.9.9999.99999")
    }
Write-Host "`n`nCurrent OS: $currentOS (Build Number $($os.BuildNumber))" -ForegroundColor Cyan
Write-Host "`nExpected Version of srv.sys: $($expectedVersion.ToString())" -ForegroundColor Cyan
Write-Host "`nActual Version of srv.sys: $($fileVersion.ToString())" -ForegroundColor Cyan
If ($($fileVersion.CompareTo($expectedVersion)) -lt 0)
    {
    Write-Host "`n`n"
    Write-Host "System is NOT Patched" -ForegroundColor Red
    }
Else
    {
    Write-Host "`n`n"
    Write-Host "System is Patched" -ForegroundColor Green
    }
#


References

Customer Guidance for WannaCrypt attacks

Malware Protection Center

Microsoft Malware Protection Center blog

Security Update MS17-010

Configuration Manager SQL Server queries for compliance reporting related to MS17-010

This article applies to:

 

  • Windows Server 2016

  • Windows 10 Version 1607

  • Windows 10 Version 1511

  • Windows 10 Version 1507

  • Windows Server 2012 R2

  • Windows 8.1

  • Windows Server 2012

  • Windows 8

  • Windows Server 2008 R2

  • Windows 7

  • Windows Server 2008 Service Pack 2

  • Windows Vista

  • Windows Server 2003 Service Pack 2

  • Windows XP

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.