Obtaining MSFT Patches for Analysis

  • https://portal.msrc.microsoft.com/en-us/security-guidance

  • Cumulative updates can be downloaded from the above site (each KB entry links through to the Microsoft Update Catalog download)

  • Patch files for Vista, 7, 8, 10 and Server 2008/2012/2016/2019 have .msu extensions

Extraction of Patches

  • Use the built-in expand tool to unpack the .msu package; -F:* extracts every file and the last argument is the destination directory (create it first)

  • expand -F:* Windows8.1-KBXXXXXXX-x64.msu .\Patched

  • The interesting file is the inner .cab with the same KB name (WSUSSCAN.cab only carries update-detection metadata); run expand -F:* on that .cab as well to get the component directories

  • The directory names contain the name of the component they patch, so list directories only and look for the binary you care about, for example

dir /s /b /o:n /ad
Patched\x64_microsoft-windows-user32_XXXXXXXX
  • The above directory holds the patched user32.dll

  • cd into above directory and dir to see the patched user32.dll file
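The two expand passes and the directory search above, as an added PowerShell example (not code from the original notes). It assumes expand.exe is on PATH (it ships with Windows), that the .msu path you pass in is a real KB file rather than the XXXXXXX placeholder, and that the inner cabinet is the one whose name is not WSUSSCAN.cab.

```powershell
# Added example, not part of the original notes: unpack a .msu twice with expand.exe
# and list every component directory whose name contains the target binary.
# Assumptions: expand.exe is on PATH; -Msu points at a real KB file; the
# non-WSUSSCAN .cab inside the .msu is the one holding the component directories.
param(
    [Parameter(Mandatory)][string]$Msu,                 # e.g. C:\Patch\Windows8.1-KB1234567-x64.msu
    [string]$OutDir = (Join-Path (Split-Path $Msu) 'Patched'),
    [string]$Component = 'user32'                       # substring to match in directory names
)

# expand.exe will not create the destination for us.
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# First pass: the .msu wraps an inner .cab plus WSUSSCAN.cab, an .xml manifest and a .txt.
& expand.exe -F:* $Msu $OutDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "expand.exe failed on $Msu" }

# Second pass: the inner Windows*.cab holds the actual component directories.
Get-ChildItem -Path $OutDir -Filter '*.cab' |
    Where-Object { $_.Name -notmatch '^WSUSSCAN' } |
    ForEach-Object {
        & expand.exe -F:* $_.FullName $OutDir | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "expand.exe failed on $($_.FullName)" }
    }

# Directories are named like x64_microsoft-windows-user32_<pubkeytoken>_<version>_...;
# show each matching directory with the version stamped into the PE it contains.
Get-ChildItem -Path $OutDir -Directory -Recurse |
    Where-Object { $_.Name -like "*$Component*" } |
    ForEach-Object {
        Get-ChildItem -Path $_.FullName -File |
            Select-Object @{n='Component'; e={ $_.Directory.Name }},
                          Name,
                          @{n='Version';   e={ $_.VersionInfo.FileVersion }},
                          LastWriteTime
    } | Format-Table -AutoSize
```

Run it as `.\Extract-Msu.ps1 -Msu C:\Patch\Windows8.1-KB1234567-x64.msu -Component user32` (script name assumed). The version column is what you compare against the unpatched binary on your reference machine before opening both in a diffing tool; if several directories match, the one whose version is highest is the patched copy, the rest are usually servicing stack or wow64 variants.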

PatchExtract

  • Cumulative updates can be huge, with thousands of files. Greg Linares wrote two PowerShell scripts, PatchExtract and PatchClean, to cut that down to the files worth looking at

powershell -executionpolicy Bypass -File C:\Patch\PatchExtract14.ps1 -Patch windows10.0-XXX.msu -Path C:\Patch\MS19-MAR
  • -Patch is the .msu to unpack and -Path is the output directory; the above command extracts every folder and file from the cumulative update, producing a large number of files and folders sorted into per-architecture subdirectories (x64, x86, ...)

  • Many of those files carry timestamps years old: unchanged components that ship in every cumulative update but were not touched by the patch we care about

  • Download: http://pastebin.com/u/Laughing_Mantis

  • Download alt: https://pastebin.com/VjwNv23n

  • After extracting everything, remove the files older than 30 days, which limits how much we have to look at to the components the current release actually rebuilt

  • Use the PatchClean script, pointing it at the architecture subdirectory PatchExtract created

powershell.exe -ExecutionPolicy Bypass -File C:\Patch\PatchClean.ps1 -Path C:\Patch\MS18-MAR\x64\
  • Download PatchClean: http://pastebin.com/u/Laughing_Mantis
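The age-based triage that PatchClean performs, written here as an added PowerShell example (my own script, not Greg Linares's PatchClean). It moves old files into an _old folder instead of deleting them, so a component whose timestamp is misleading can still be recovered, supports -WhatIf, and prunes the directories left empty. The -Path value is assumed to be the architecture directory PatchExtract produced.

```powershell
# Added example, not Greg Linares's PatchClean: keep only files newer than a cutoff.
# Files older than -Days are moved under <Path>\_old rather than deleted, because the
# LastWriteTime heuristic is exactly that, a heuristic. Run with -WhatIf to preview.
# Assumption: -Path is the x64/x86 directory PatchExtract created.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$Path,   # e.g. C:\Patch\MS19-MAR\x64
    [int]$Days = 30
)

$Path   = (Resolve-Path -LiteralPath $Path).Path.TrimEnd('\')
$Aside  = Join-Path $Path '_old'
$cutoff = (Get-Date).AddDays(-$Days)
New-Item -ItemType Directory -Force -Path $Aside | Out-Null

# Everything under $Path, except what we already moved aside, older than the cutoff.
$old = @(Get-ChildItem -LiteralPath $Path -File -Recurse |
         Where-Object { $_.FullName -notlike "$Aside*" -and $_.LastWriteTime -lt $cutoff })

foreach ($f in $old) {
    # Preserve the component directory name so the file can be put back later.
    $rel  = $f.FullName.Substring($Path.Length + 1)
    $dest = Join-Path $Aside $rel
    if ($PSCmdlet.ShouldProcess($f.FullName, "move to $dest")) {
        New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null
        Move-Item -LiteralPath $f.FullName -Destination $dest
    }
}

# Remove directories left empty, deepest first so nested empties collapse upward.
Get-ChildItem -LiteralPath $Path -Directory -Recurse |
    Where-Object { $_.FullName -notlike "$Aside*" } |
    Sort-Object { $_.FullName.Length } -Descending |
    Where-Object { -not (Get-ChildItem -LiteralPath $_.FullName -Force | Select-Object -First 1) } |
    Remove-Item

"Moved {0} files older than {1:yyyy-MM-dd}; remaining components:" -f $old.Count, $cutoff
Get-ChildItem -LiteralPath $Path -File -Recurse |
    Where-Object { $_.FullName -notlike "$Aside*" } |
    Group-Object { $_.Directory.Name } |
    Sort-Object Name |
    Select-Object Count, Name
```

The caveat worth knowing before trusting either this or PatchClean: the timestamps come from the cabinet, so a component that was rebuilt without a code change (a version bump, a re-sign) survives the filter and shows up as a false positive, while the 30-day window must be adjusted if you are analysing an update more than a month after release.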
