wua_history
$ target-query <path/to/target> -f wua_history
Module documentation
Plugin to return all available historical Windows Update Agent operations stored in the DataStore.edb.
Function documentation
Returns all available historical Windows Update Agent operations stored in the DataStore.edb.
The Windows Update Agent (WUA) stores information about its operations in a DataStore.edb file. Historical data on these operations, including both successfully installed and failed patches, is stored in the 'tbHistory' table of this database. The plugin extracts all rows of this table. For certain columns, the extracted values are mapped to publicly available enumerations to provide more meaningful information.
With this plugin you should be able to ascertain the patch level of a system, and it may aid you in finding out why a system generated a lot of other types of events in a certain time period.
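The following is an added example, not code from the plugin or the dissect project, showing how the records described here can be post-processed to answer the two questions above: what is the effective patch level, and which updates failed and were never retried successfully. The record shape and KB numbers are constructed; the status values follow the OperationResultCode enumeration from the wuapi IUpdateHistoryEntry documentation referenced below (the plugin's own `status_mapped` strings are assumed to be similar but are not reproduced here).

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# OperationResultCode values from the wuapi IUpdateHistoryEntry documentation;
# this is the enumeration the 'status' column is assumed to map onto.
OPERATION_RESULT_CODE = {
    0: "NotStarted",
    1: "InProgress",
    2: "Succeeded",
    3: "SucceededWithErrors",
    4: "Failed",
    5: "Aborted",
}

SUCCESS_CODES = {2, 3}
FAILURE_CODES = {4, 5}


@dataclass
class WuaHistoryRecord:
    """Minimal constructed subset of the plugin's record: ts, kb, title, status."""
    ts: datetime
    kb: str
    title: str
    status: int


def map_status(status: int) -> str:
    """Map a raw status integer to its enumeration name."""
    return OPERATION_RESULT_CODE.get(status, f"Unknown({status})")


def summarize_patch_level(records):
    """Return the latest successful install per KB, all failed operations,
    and the timestamp of the most recent successful operation."""
    installed = {}  # kb -> ts of the latest successful install
    failed = []
    for r in sorted(records, key=lambda r: r.ts):
        if r.status in SUCCESS_CODES:
            installed[r.kb] = r.ts
        elif r.status in FAILURE_CODES:
            failed.append(r)
    last = max(installed.values()) if installed else None
    return {"installed": installed, "failed": failed, "last_successful": last}


def outstanding_failures(records):
    """KBs that failed or aborted and never had a later successful install."""
    summary = summarize_patch_level(records)
    return {r.kb for r in summary["failed"] if r.kb not in summary["installed"]}


def updates_in_window(records, start_iso: str, end_iso: str):
    """Operations whose completion time falls inside [start, end] (ISO 8601, UTC)."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [r for r in records if start <= r.ts <= end]


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample history: KB numbers and titles are placeholders.
SAMPLE = [
    WuaHistoryRecord(_utc(2024, 1, 10, 3, 0), "KB9990001", "Constructed cumulative update 1", 2),
    WuaHistoryRecord(_utc(2024, 1, 10, 3, 5), "KB9990002", "Constructed platform update", 2),
    WuaHistoryRecord(_utc(2024, 2, 14, 2, 0), "KB9990003", "Constructed cumulative update 2", 4),
    WuaHistoryRecord(_utc(2024, 2, 14, 4, 30), "KB9990003", "Constructed cumulative update 2", 2),
    WuaHistoryRecord(_utc(2024, 3, 1, 1, 0), "KB9990004", "Constructed driver update", 5),
]


if __name__ == "__main__":
    summary = summarize_patch_level(SAMPLE)
    print("last successful operation:", summary["last_successful"])
    for kb, ts in summary["installed"].items():
        print(f"installed {kb} at {ts}")
    for r in summary["failed"]:
        print(f"{map_status(r.status)}: {r.kb} {r.title} at {r.ts}")
    print("never installed:", outstanding_failures(SAMPLE))
```

On the constructed sample, KB9990003 first fails and then succeeds on a retry, so it counts as installed; KB9990004 aborted with no later success, so it is reported as outstanding. The window query is the piece to use when correlating update activity with other events in the same period.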
- References:
  - https://learn.microsoft.com/en-us/windows/deployment/update/how-windows-update-works
  - https://learn.microsoft.com/en-us/windows/win32/api/wuapi/nn-wuapi-iupdatehistoryentry
  - https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-error-reference
  - https://github.com/libyal/esedb-kb/blob/main/documentation/Windows%20Update.asciidoc
  - https://www.nirsoft.net/articles/extract-windows-updates-list-external-drive.html
Yields a WuaHistoryRecord with fields:
ts (datetime): The timestamp (UTC) of when the Windows Update Agent operation was finished.
categories (string): Category of the update.
classification (string): Unique ID indicating which classification the update has.
classification_mapped (string): Mapping of the 'classification' field, giving an understandable classification.
client_id (string): Client that initiated the Windows Update Agent operation.
description (string): Description of the update.
flags (int): Undocumented and unknown.
id_event (int): Index number of the Windows Update Agent record in the tbHistory table.
kb (string): Another unique ID of the update.
status (int): Integer signifying the result of the operation.
status_mapped (string): Mapping of the 'status' field.
server_selection (int): The update service that was used for the Windows Update Agent operation.
server_selection_mapped (string): Mapping of the 'server_selection' field.
title (string): Title of the update.
mapped_result (string): The mapped result code of an update operation.
mapped_result_string (string): Mapping of the 'mapped_result' field, giving the error string.
mapped_result_description (string): Mapping of the 'mapped_result' field, giving a description of the error.
unmapped_result (string): The unmapped result code of an update operation.
unmapped_result_string (string): Mapping of the 'unmapped_result' field, giving the error string.
unmapped_result_description (string): Mapping of the 'unmapped_result' field, giving a description of the error.
update_id (string): Unique ID of the performed update.
server_id (string): Unique ID of the service used for the update operation.
server_id_mapped (string): Mapping of the 'server_id' field, indicating the service used for the update operation.
support_url (string): Support URL of the update.
uninstall_notes (string): Uninstall notes of the update.
uninstall_steps (string): Uninstall steps of the update.
more_info_url (string): Additional informational URLs of the update.
path (uri): Path of the datastore containing the Windows Update Agent records.
id_user (int): Undocumented and unknown.
is_service_is_additional (string): Undocumented and unknown.