dissect.target.plugins.os.windows.wua_history

Module Contents

Classes

WuaHistoryPlugin

Plugin to return all available historical Windows Update Agent operations stored in the DataStore.edb.

Attributes

dissect.target.plugins.os.windows.wua_history.WuaHistoryRecord
dissect.target.plugins.os.windows.wua_history.TBHISTORY_COLUMN_MAP
dissect.target.plugins.os.windows.wua_history.CLASSIFICATION_MAP
dissect.target.plugins.os.windows.wua_history.SERVER_ID_MAP
dissect.target.plugins.os.windows.wua_history.SERVER_SELECTION_MAP
dissect.target.plugins.os.windows.wua_history.STATUS_MAP
dissect.target.plugins.os.windows.wua_history.WUA_CODE_MAP
class dissect.target.plugins.os.windows.wua_history.WuaHistoryPlugin(target)

Bases: dissect.target.plugin.Plugin

Plugin to return all available historical Windows Update Agent operations stored in the DataStore.edb.

DATASTORE_PATH = 'sysvol/windows/softwaredistribution/datastore/datastore.edb'
DATASTORE_UPDATE_TABLE = 'tbHistory'
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

get_table_records() → Iterator[dict[str, str | int | datetime.datetime]]
wua_history() → Iterator[WuaHistoryRecord]

Returns all available historical Windows Update Agent operations stored in the DataStore.edb.

The Windows Update Agent (WUA) stores information about its operations in a DataStore.edb file. Historical data on these operations, that is, successfully and unsuccessfully installed patches, is stored in the ‘tbHistory’ table of this database. The plugin extracts all rows of this table. For certain columns the extracted values are mapped to publicly available enumerations to provide more meaningful information.

With this plugin you should be able to ascertain the patch level of a system, and it may help you find out why a system generated a lot of other types of events in a certain time period.

References

Yields a WuaHistoryRecord with fields:

ts (datetime): The timestamp (UTC) of when the Windows Update Agent operation was finished.
categories (string): Category of the update.
classification (string): Unique ID indicating which classification the update has.
classification_mapped (string): Mapping of the 'classification' field, giving an understandable classification.
client_id (string): Client that initiated the Windows Update Agent operation.
description (string): Description of the update.
flags (int): Undocumented and unknown.
id_event (int): Index number of the Windows Update Agent record in the tbHistory table.
kb (string): Knowledge Base (KB) article number of the update.
status (int): Integer signifying the result of the operation.
status_mapped (string): Mapping of the 'status' field.
server_selection (int): The update service that was used for the Windows Update Agent operation.
server_selection_mapped (string): Mapping of the 'server_selection' field.
title (string): Title of the update.
mapped_result (string): The mapped result code of an update operation.
mapped_result_string (string): Mapping of the 'mapped_result' field, giving the error string.
mapped_result_description (string): Mapping of the 'mapped_result' field, giving a description of the error.
unmapped_result (string): The unmapped result code of an update operation.
unmapped_result_string (string): Mapping of the 'unmapped_result' field, giving the error string.
unmapped_result_description (string): Mapping of the 'unmapped_result' field, giving a description of the error.
update_id (string): Unique ID of the performed update.
server_id (string): Unique ID of the service used for the update operation.
server_id_mapped (string): Mapping of the 'server_id' field, indicating the service used for the update operation.
support_url (string): Support URL of the update.
uninstall_notes (string): Uninstall notes of the update.
uninstall_steps (string): Uninstall steps of the update.
more_info_url (string): Additional informational URLs of the update.
path (uri): Path of the datastore containing the Windows Update Agent records.
id_user (int): Undocumented and unknown.
is_service_is_additional (string): Undocumented and unknown.
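The following is an added example, not code from dissect.target, showing how the mapping described above turns raw tbHistory values into the documented fields and how the resulting records answer the two questions the plugin is meant for: which KBs are installed (patch level) and which operations failed in a given time window. The enumeration maps are assumptions taken from Microsoft's public wuapi.h enumerations (OperationResultCode, UpdateServerSelection), the published WSUS classification and update-service GUIDs and a few documented WUA HRESULTs; the project's own maps may be larger. Rows are keyed by the record field names listed on this page, and the sample rows are constructed. The `load_from_target` helper is the only part that touches a real image and assumes `Target.open()` and flow.record's `_asdict()`.

```python
"""Post-process Windows Update Agent (WUA) history rows from tbHistory.

Added example, not code from dissect.target. The maps below are assumptions
drawn from Microsoft's public wuapi.h enumerations (OperationResultCode,
UpdateServerSelection), the published WSUS classification and update-service
GUIDs and a few documented WUA HRESULTs; dissect's own maps may be larger.
Rows are keyed by the record field names documented on this page.
"""
from __future__ import annotations

from datetime import datetime, timezone

STATUS_MAP = {0: "NotStarted", 1: "InProgress", 2: "Succeeded",
              3: "SucceededWithErrors", 4: "Failed", 5: "Aborted"}
SERVER_SELECTION_MAP = {0: "Default", 1: "ManagedServer", 2: "WindowsUpdate", 3: "Others"}
CLASSIFICATION_MAP = {
    "0fa1201d-4330-4fa8-8ae9-b877473b6441": "Security Updates",
    "e6cf1350-c01b-414d-a61f-263d14d133b4": "Critical Updates",
    "e0789628-ce08-4437-be74-2495b842f43b": "Definition Updates",
}
SERVER_ID_MAP = {
    "9482f4b4-e343-43b6-b170-9a65bc822c77": "Windows Update",
    "7971f918-a847-4430-9279-4a52d1efe18d": "Microsoft Update",
    "3da21691-e39d-4da6-8a4b-b43877bcb1b7": "WSUS",
}
WUA_CODE_MAP = {
    0x00000000: ("S_OK", "The operation completed successfully"),
    0x80070002: ("ERROR_FILE_NOT_FOUND", "The system cannot find the file specified"),
    0x80240022: ("WU_E_ALL_UPDATES_FAILED", "Operation failed for all the updates"),
}
SUCCESS = {"Succeeded", "SucceededWithErrors"}
FAILURE = {"Failed", "Aborted"}


def hresult(value: int | str | None) -> int | None:
    """Normalise a result code: ESE stores HRESULTs as signed int32, other
    tooling prints them as hex strings; return the unsigned 32-bit value."""
    if value is None:
        return None
    if isinstance(value, str):
        value = int(value, 16) if value.lower().startswith("0x") else int(value)
    return value & 0xFFFFFFFF


def enrich(row: dict) -> dict:
    """Add the *_mapped / *_string / *_description fields to a raw tbHistory row."""
    rec = dict(row)
    rec["status_mapped"] = STATUS_MAP.get(row.get("status"), "Unknown")
    rec["server_selection_mapped"] = SERVER_SELECTION_MAP.get(row.get("server_selection"), "Unknown")
    rec["classification_mapped"] = CLASSIFICATION_MAP.get(str(row.get("classification", "")).lower(), "Unknown")
    rec["server_id_mapped"] = SERVER_ID_MAP.get(str(row.get("server_id", "")).lower(), "Unknown")
    for key in ("mapped_result", "unmapped_result"):
        code = hresult(row.get(key))
        name, desc = WUA_CODE_MAP.get(code, ("Unknown", "Result code not in the map"))
        rec[key] = None if code is None else f"0x{code:08X}"
        rec[f"{key}_string"] = name
        rec[f"{key}_description"] = desc
    return rec


def patch_level(records: list[dict]) -> dict[str, datetime]:
    """Latest successful operation per KB; the key set is the installed patch level.
    A failed retry never removes a KB that installed successfully at another time."""
    level: dict[str, datetime] = {}
    for rec in records:
        kb = rec.get("kb")
        if not kb or rec["status_mapped"] not in SUCCESS:
            continue
        if kb not in level or rec["ts"] > level[kb]:
            level[kb] = rec["ts"]
    return level


def failures_between(records: list[dict], start: str, end: str) -> list[dict]:
    """Failed/aborted operations in [start, end) (ISO-8601 bounds), sorted by time."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    hits = [r for r in records if r["status_mapped"] in FAILURE and lo <= r["ts"] < hi]
    return sorted(hits, key=lambda r: r["ts"])


def load_from_target(path: str) -> list[dict]:
    """Pull real records with dissect.target (imported lazily so the rest runs
    without it). Assumes Target.open() and flow.record's _asdict(); the plugin
    already emits the mapped fields, so no enrich() pass is needed here."""
    from dissect.target import Target

    return [rec._asdict() for rec in Target.open(path).wua_history()]


UTC = timezone.utc
SAMPLE_ROWS = [  # constructed rows, not taken from any real DataStore.edb
    {"id_event": 1, "ts": datetime(2023, 3, 14, 17, 40, 5, tzinfo=UTC), "kb": "KB1234567",
     "title": "2023-03 Cumulative Update (constructed)", "status": 4, "server_selection": 2,
     "classification": "0FA1201D-4330-4FA8-8AE9-B877473B6441",
     "server_id": "9482f4b4-e343-43b6-b170-9a65bc822c77",
     "mapped_result": -2145124318, "unmapped_result": "0x80070002"},  # 0x80240022 as signed int32
    {"id_event": 2, "ts": datetime(2023, 3, 14, 18, 2, 11, tzinfo=UTC), "kb": "KB1234567",
     "title": "2023-03 Cumulative Update (constructed)", "status": 2, "server_selection": 2,
     "classification": "0FA1201D-4330-4FA8-8AE9-B877473B6441",
     "server_id": "9482f4b4-e343-43b6-b170-9a65bc822c77", "mapped_result": 0, "unmapped_result": 0},
    {"id_event": 3, "ts": datetime(2023, 3, 15, 9, 0, 0, tzinfo=UTC), "kb": "KB2267602",
     "title": "Security Intelligence Update (constructed)", "status": 2, "server_selection": 0,
     "classification": "e0789628-ce08-4437-be74-2495b842f43b",
     "server_id": "7971f918-a847-4430-9279-4a52d1efe18d", "mapped_result": 0, "unmapped_result": 0},
]


if __name__ == "__main__":
    import sys

    recs = load_from_target(sys.argv[1]) if len(sys.argv) > 1 else [enrich(r) for r in SAMPLE_ROWS]
    for kb, ts in sorted(patch_level(recs).items()):
        print(f"{kb} installed {ts:%Y-%m-%d %H:%M:%S} UTC")
    for r in failures_between(recs, "2023-03-14T00:00:00+00:00", "2023-03-15T00:00:00+00:00"):
        print(f"FAILED {r['ts']:%Y-%m-%d %H:%M:%S} {r['kb']} {r['mapped_result']} {r['mapped_result_string']}")
```

Run without arguments to see the constructed rows processed; pass the path of an image or mounted volume to pull the plugin's own records through dissect.target instead. Two details matter when you write your own post-processing: result codes come out of the ESE table as signed 32-bit integers, so mask them to unsigned before looking them up, and a KB whose latest row is a failure may still be installed if an earlier row for the same KB succeeded, so derive the patch level from successful rows only rather than from the last row per KB.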