How to detect if a reboot is needed after installing a patch

If you use ITMU (SMS 2003 Inventory Tool for Microsoft Updates) or MBSA 2.0 to scan
machines for patch status, a patch may be reported as installed even though a
reboot is needed in order to complete the installation. Example scenario:

- You install patch MS05-051 (KB 902400) by manually downloading the patch
installation EXE and then running the EXE.

- After the installation is done, you do not reboot the machine even though the
installation wizard states that it's needed.

- You scan the client using ITMU (scanwrapper.exe) or MBSA 2.0 (mbsacli.exe). The
patch is reported as installed by both ITMU and MBSA. However, MBSA flags that a
reboot is needed by some software update/patch as part of its general vulnerability
scan, not its software updates scan. Note that in this scenario, MBSA 1.2.x would
report the patch as applicable.

This behavior is by design. Both ITMU and MBSA 2.0 use the Windows Update Agent
(WUA) as their scan agent, hence the identical results. (WUA logs to
%systemroot%\WindowsUpdate.log.) For ITMU to report software update status
accurately, the software updates/patches need to be installed through ITMU or
Microsoft Update. The reason is that when a patch is installed manually, the
registry key/value that ITMU uses to detect needed reboots is not set: it is set
by WUA, which is not involved when the patch is installed manually. Here's how
ITMU detects a pending reboot:

1. When a patch is installed by WUA, either via ITMU or Microsoft Update, and the
patch installation returns exit code 3010, WUA creates the volatile registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
It then adds a DWORD value for each update ID that requires a reboot, for example:

"9306cdfc-c4a1-4a22-9996-848cb67eddc3"=1

2. When ITMU next performs a scan via smswushandler.exe which invokes a WUA scan,
the following takes place:

a) WUA will scan for missing updates according to their detection rules. If a patch doesn't pass its detection rules, WUA reports that a reboot is pending.

b) If a patch is reported as installed by WUA, ITMU (smswushandler.exe) checks to
see if any patches are listed under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
If so, those are flagged as applicable. As mentioned earlier, this key will be
missing if a patch was manually installed. Note that the RebootRequired key is
automatically deleted when the machine reboots as it's volatile (only held in
memory). It's possible to manually create the RebootRequired key and its values
to force ITMU to detect a pending reboot. The Win32 API RegCreateKeyEx could be
used with the REG_OPTION_VOLATILE flag set for dwOptions to create the
RebootRequired key.

So without SMS and ITMU in the picture, why does MBSA 1.2.x report the patch as
applicable while ITMU and MBSA 2.0 (actually WUA) report it as installed when the
detection rules really are the same? The reason is that when WUA comes across a
file version or file CRC detection rule, in addition to the file's original
location, for example system32, WUA also checks the files that the
PendingFileRenameOperations value under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager points to.

Example:

- The detection rule for a patch states that file system32\clbcatq.dll should be
version 10.
- The current version of the file in system32 is 9.
- WUA performs a scan and finds that the file is in compliance.
- PendingFileRenameOperations has the following two entries:
  \??\C:\WINDOWS\system32\SET31.tmp
  !\??\C:\WINDOWS\system32\clbcatq.dll
- During a scan, WUA will actually check the file version of system32\SET31.tmp,
which is 10.
- SET31.tmp will be renamed to clbcatq.dll when the machine restarts.
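The resolution step just described, as an added example that is not part of the original article: a small Python script that parses the PendingFileRenameOperations source/destination pairs and evaluates the clbcatq.dll rule the way WUA does (follow the queued rename) and the way MBSA 1.2.x does (read the file at its original location only). The file versions, the rule and the registry entries are constructed from the scenario above, the helper names are my own, and the version dictionary stands in for reading the real file version resource.

```python
"""Resolving a file-version detection rule through PendingFileRenameOperations.

Added example built from the article's clbcatq.dll scenario. All versions, paths
and registry entries below are constructed; nothing is read from a real machine.
"""
from typing import Dict, List, Optional

NT_PREFIX = "\\??\\"  # the value stores Win32 paths as NT object paths


def _normalize(path: str) -> str:
    """Strip the \\??\\ prefix and lower-case (NTFS paths compare case-insensitively)."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def parse_pending_renames(entries: List[str]) -> Dict[str, Optional[str]]:
    """Map each file affected at restart to the temp file that will replace it.

    The REG_MULTI_SZ value is a flat list of source/destination pairs. A
    destination starting with '!' replaces an existing file; an empty
    destination means the source itself is deleted (recorded as None).
    """
    renames: Dict[str, Optional[str]] = {}
    for i in range(0, len(entries) - 1, 2):
        source, destination = entries[i], entries[i + 1]
        if destination:
            renames[_normalize(destination.lstrip("!"))] = _normalize(source)
        else:
            renames[_normalize(source)] = None
    return renames


def effective_version(path: str, file_versions: Dict[str, int],
                      pending: Dict[str, Optional[str]],
                      follow_pending: bool) -> Optional[int]:
    """Version a scanner sees for `path`.

    follow_pending=True mirrors WUA (used by ITMU and MBSA 2.0): if the file has
    a rename queued, the version of the queued source is used. False mirrors
    MBSA 1.2.x, which only reads the file at its original location.
    `file_versions` stands in for reading the on-disk version resource.
    """
    key = _normalize(path)
    if follow_pending and key in pending:
        source = pending[key]
        return None if source is None else file_versions.get(source)
    return file_versions.get(key)


def rule_status(path: str, required: int, file_versions: Dict[str, int],
                pending: Dict[str, Optional[str]], follow_pending: bool) -> str:
    """'installed' if the observed version meets the rule, else 'applicable'."""
    seen = effective_version(path, file_versions, pending, follow_pending)
    return "installed" if seen is not None and seen >= required else "applicable"


# --- constructed data mirroring the article's example ---------------------
SYSTEM32 = r"C:\WINDOWS\system32"
PENDING_FILE_RENAME_OPERATIONS = [
    r"\??\C:\WINDOWS\system32\SET31.tmp",
    r"!\??\C:\WINDOWS\system32\clbcatq.dll",
]
FILE_VERSIONS = {            # integers stand in for 4-part file versions
    _normalize(SYSTEM32 + r"\clbcatq.dll"): 9,
    _normalize(SYSTEM32 + r"\SET31.tmp"): 10,
}
RULE_FILE, RULE_VERSION = SYSTEM32 + r"\clbcatq.dll", 10
PENDING = parse_pending_renames(PENDING_FILE_RENAME_OPERATIONS)


def scan(follow_pending: bool) -> str:
    """Outcome of the rule above for a WUA-style or an MBSA 1.2.x-style scanner."""
    return rule_status(RULE_FILE, RULE_VERSION, FILE_VERSIONS, PENDING, follow_pending)


if __name__ == "__main__":
    print("WUA / ITMU / MBSA 2.0:", scan(follow_pending=True))    # installed
    print("MBSA 1.2.x:           ", scan(follow_pending=False))   # applicable
    print("queued renames:", PENDING)
```

The presence of the clbcatq.dll entry in the parsed map is itself the per-file evidence that a restart is outstanding, which is why both scanners are "right" in their own terms: WUA reports the state the machine will be in after the reboot, MBSA 1.2.x the state it is in now.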

Besides the above two registry values under "Session Manager" and "RebootRequired",
there is a third one that can be used to detect a pending reboot. ITMU can't use
this one, though, as ITMU reports compliance per patch, not per machine. However,
MBSA 2.0 makes use of this new registry key, which was introduced with version
6.1.22.0 and later of update.exe. The key is
HKLM\SOFTWARE\Microsoft\Updates\UpdateExeVolatile and the value is called flags.
See https://support.microsoft.com/default.aspx?kbid=832475 for details on this
value. Basically, if the flags value is 1 or 2, a reboot is pending. Neither MBSA
1.2.x nor ITMU checks this key/value. A possible workaround to detect pending
reboots when a patch was not installed via WUA is, for example, to send out a
VBScript or to update sms_def.mof to check for the presence of this key/value.
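A per-machine check in the spirit of that workaround, as an added example (my code, not a Microsoft, SMS or MBSA script): it evaluates the three indicators discussed on this page from a snapshot of the relevant registry values, so the logic can be exercised against a constructed snapshot, and reads the live values through Python's winreg module when run on Windows. It also asks WUA itself for updates matching the RebootRequired=1 criterion over COM, which assumes the pywin32 package is installed. The key paths are the ones named in the article; the snapshot layout, the function names and the sample snapshot are my own.

```python
"""Per-machine pending-reboot check over the three registry indicators.

Added example. Key paths are the ones named in the article; the snapshot
layout, function names and the sample snapshot are constructed.
"""
import sys
from typing import Dict, List, Optional, Tuple

REBOOT_REQUIRED = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate"
                   r"\Auto Update\RebootRequired")
SESSION_MANAGER = r"SYSTEM\CurrentControlSet\Control\Session Manager"
UPDATE_EXE_VOLATILE = r"SOFTWARE\Microsoft\Updates\UpdateExeVolatile"


def pending_reboot_reasons(snapshot: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means no reboot is pending.

    snapshot keys (all optional):
      reboot_required      {update_id: dword}, or None if the volatile key is absent
      pending_file_renames the REG_MULTI_SZ entries as a list, or None
      update_exe_flags     the UpdateExeVolatile 'flags' DWORD, or None
    """
    reasons = []
    updates = snapshot.get("reboot_required") or {}
    ids = sorted(uid for uid, flag in updates.items() if flag == 1)
    if ids:
        reasons.append(("WUA RebootRequired", ", ".join(ids)))
    entries = snapshot.get("pending_file_renames") or []
    sources = [e for e in entries[0::2] if e]   # entries are source/destination pairs
    if sources:
        reasons.append(("PendingFileRenameOperations",
                        f"{len(sources)} file(s) renamed or deleted at restart"))
    flags = snapshot.get("update_exe_flags")
    if flags in (1, 2):                          # per KB 832475: 1 or 2 means reboot pending
        reasons.append(("UpdateExeVolatile", f"flags={flags}"))
    return reasons


def reboot_pending(snapshot: Dict[str, object]) -> bool:
    return bool(pending_reboot_reasons(snapshot))


# --- live readers, Windows only ------------------------------------------
def _read_values(subkey: str) -> Optional[Dict[str, object]]:
    """All values under HKLM\\subkey keyed by lower-cased name; None if the key is absent."""
    import winreg
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY  # native hive even from 32-bit Python
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, access)
    except FileNotFoundError:
        return None
    values, index = {}, 0
    with key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                return values
            values[name.lower()] = data
            index += 1


def read_live_snapshot() -> Dict[str, object]:
    """Collect the three indicators from the local registry (Windows only)."""
    session_manager = _read_values(SESSION_MANAGER) or {}
    update_exe = _read_values(UPDATE_EXE_VOLATILE) or {}
    return {
        "reboot_required": _read_values(REBOOT_REQUIRED),
        "pending_file_renames": session_manager.get("pendingfilerenameoperations"),
        "update_exe_flags": update_exe.get("flags"),
    }


def wua_updates_awaiting_reboot() -> List[str]:
    """Titles of updates WUA itself reports for RebootRequired=1 (needs pywin32)."""
    import win32com.client  # assumption: pywin32 is installed on the client
    session = win32com.client.Dispatch("Microsoft.Update.Session")
    result = session.CreateUpdateSearcher().Search("RebootRequired=1")
    return [result.Updates.Item(i).Title for i in range(result.Updates.Count)]


# Constructed snapshot mirroring the article: the patch was installed by hand, so
# WUA never created RebootRequired, but update.exe left the other two traces.
SAMPLE_SNAPSHOT = {
    "reboot_required": None,
    "pending_file_renames": [r"\??\C:\WINDOWS\system32\SET31.tmp",
                             r"!\??\C:\WINDOWS\system32\clbcatq.dll"],
    "update_exe_flags": 1,
}

if __name__ == "__main__":
    snapshot = read_live_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for indicator, detail in pending_reboot_reasons(snapshot):
        print(f"{indicator}: {detail}")
    print("reboot pending:", reboot_pending(snapshot))
```

Reading the registry needs no elevation for these keys, but the RebootRequired key only exists until the next restart, so a client that reports "no reboot pending" from that indicator alone may simply have been patched outside WUA; the other two indicators are what catch the manual-install case the article describes.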

To use MBSA 2.0 to detect a missing reboot, run mbsacli /n Password+OS+SQL+IIS /nai /nm

To query WUA for outstanding reboots, use the script at https://msdn.microsoft.com/library/default.asp?url=/library/en-us/wua_sdk/wua/using_wua_to_scan_for_updates_offline.asp and replace "IsInstalled=0" with "RebootRequired=1".