Filtering Windows Updates by a Specific Date


When I logged into a user's Microsoft Windows 10 system to check on a problem, I found the system had rebooted late the night before, September 12, 2023, at a time much later than I would expect the user to be working, so I didn't think she had rebooted it. I didn't know if the reboot might be related to the problem she reported to me or could possibly just be Microsoft Windows rebooting because of an automatically installed update.

From a command prompt window, you can obtain the last time the system was rebooted using the systeminfo command. To see just the last reboot time and not all of the other output it provides, pipe the output of the systeminfo command to the find command. You can check on updates that have been installed using the Windows Management Instrumentation Command-line (WMIC) command wmic qfe list ("qfe" stands for "Quick Fix Engineering"). Since that command can also generate a lot of output for updates on dates you may not be interested in, you can filter that output with the find command as well.

C:\>systeminfo | find "Boot Time"
System Boot Time:          9/12/2023, 7:41:35 PM

C:\>wmic qfe list | find "9/12/2023"
http://support.microsoft.com/?kbid=5029923  THELMA-LOU  Update                        KB5029923               NT AUTHORITY\SYSTEM  9/12/2023
https://support.microsoft.com/help/5030211  THELMA-LOU  Security Update               KB5030211               NT AUTHORITY\SYSTEM  9/12/2023
                                            THELMA-LOU  Update                        KB5029709               NT AUTHORITY\SYSTEM  9/12/2023

C:\>

Since I saw three updates were installed on 9/12/2023, I thought it likely the reboot occurred because of the updates, but since the wmic command didn't show me the time the updates were installed, I thought I should check the time they were installed to be certain. That can be done from a PowerShell window, which can be opened by typing PowerShell in the Windows "Type here to search" field and selecting "Windows PowerShell" when you see the app listed in the search results. You can use the same systeminfo command in PowerShell, but to select a particular string from the output, pipe its output into the select-string command.

PS C:\> systeminfo | Select-String "Boot Time"

System Boot Time:          9/12/2023, 7:41:35 PM


PS C:\>

You can use the get-wmiobject command to obtain the date and time updates were installed, but again you will get a lot of data for dates other than the one you are interested in. You cannot use the Select-String command to filter its output because the installation dates aren't strings, but are date objects. You can filter the output of get-wmiobject using the where-object command instead. Since I want to see any updates installed on September 12, 2023, I can limit the output by specifying a date equal to that date with -eq "9/12/2023". The full command is get-wmiobject -class win32_quickfixengineering | Where-Object {$_.InstalledOn -eq "9/12/2023"}.

PS C:\> get-wmiobject -class win32_quickfixengineering | Where-Object {$_.InstalledOn -eq "9/12/2023"}

Source        Description      HotFixID      InstalledBy          InstalledOn
------        -----------      --------      -----------          -----------
THELMA-LOU    Update           KB5029923     NT AUTHORITY\SYSTEM  9/12/2023 12:00:00 AM
THELMA-LOU    Security Update  KB5030211     NT AUTHORITY\SYSTEM  9/12/2023 12:00:00 AM
THELMA-LOU    Update           KB5029709     NT AUTHORITY\SYSTEM  9/12/2023 12:00:00 AM


PS C:\>

If I wanted to see any updates installed on or after September 12, 2023, I could limit the output by specifying a date greater than or equal to that date with -ge "9/12/2023". If I didn't want to include any updates on 9/12/2023, but only updates after that date, I could use -gt instead of -ge, i.e., get-wmiobject -class win32_quickfixengineering | Where-Object {$_.InstalledOn -gt "9/12/2023"}.

If you wish to filter on other values, you can see values you can filter on in the column headings of the output. If you wished to look for information for a particular hotfix ID, for instance, you could replace "InstalledOn" in the command with "HotFixID" to search based on the variable $_.HotFixID, instead, e.g., get-wmiobject -class win32_quickfixengineering | Where-Object {$_.HotFixID -eq "KB5030211"}.

Since the time the updates were installed was many hours off from the time the system rebooted, I realized I would have to check the system's event log to determine why the system rebooted. But I also thought I should look for other updates that day besides the hotfixes. Another PowerShell get-wmiobject command you can use to check for updates to software on a Microsoft Windows system is get-wmiobject -class Win32_ReliabilityRecords, where you use the class Win32_ReliabilityRecords instead of the class win32_quickfixengineering.

If I only want to look for any updates to the system for Microsoft software between the times of 7:00 AM and 11:59 PM on September 12, 2023, I can use the command below. The command filters the output from get-wmiobject to just records where the "SourceName" equals Microsoft-Windows-WindowsUpdateClient. For the date and time values, I need to specify the TimeGenerated property of the records. The date and time format is different from the format I used for dates for the win32_quickfixengineering class: I need to specify the time boundaries as YYYYMMDDHHMMSS, where YYYY is the four-digit year, MM is the two-digit month, DD is the two-digit day, HH is the two-digit hour, MM is the number of minutes using two digits, and SS is the number of seconds, if I wish to specify the time to that granularity. The hour value is in 24-hour clock format, aka "military time", so 7:00 in the morning is 0700 and 11:59 at night is 2359. To use an upper and lower value for the time range, you can use the logical operator -and between a greater than (-gt) value and a less than (-lt) value.

PS C:\> get-wmiobject -class Win32_ReliabilityRecords -Filter "SourceName = 'Microsoft-Windows-WindowsUpdateClient'" | Where-Object {$_.TimeGenerated -gt "202309120700" -and $_.TimeGenerated -lt "202309122359"}


__GENUS          : 2
__CLASS          : Win32_ReliabilityRecords
__SUPERCLASS     : Win32_Reliability
__DYNASTY        : Win32_Reliability
__RELPATH        : Win32_ReliabilityRecords.Logfile="System",RecordNumber=202073,TimeGenerated="20230912203018.810000-0
                   00"
__PROPERTY_COUNT : 10
__DERIVATION     : {Win32_Reliability}
__SERVER         : THELMA-LOU
__NAMESPACE      : root\cimv2
__PATH           : \\THELMA-LOU\root\cimv2:Win32_ReliabilityRecords.Logfile="System",RecordNumber=202073,TimeGenerated=
                   "20230912203018.810000-000"
ComputerName     : thelma-lou.office.example.com
EventIdentifier  : 19
InsertionStrings : {Windows Malicious Software Removal Tool x64 - v5.117 (KB890830),
                   {91722aa2-d45a-4a79-b59a-2365f590b8c6}, 200, {7971f918-a847-4430-9279-4a52d1efe18d}}
Logfile          : System
Message          : Installation Successful: Windows successfully installed the following update: Windows Malicious
                   Software Removal Tool x64 - v5.117 (KB890830)
ProductName      : Windows Malicious Software Removal Tool x64 - v5.117 (KB890830)
RecordNumber     : 202073
SourceName       : Microsoft-Windows-WindowsUpdateClient
TimeGenerated    : 20230912203018.810000-000
User             : NT AUTHORITY\SYSTEM
PSComputerName   : THELMA-LOU



PS C:\>

In the above example, I can see there was an update to the Windows Malicious Software Removal Tool at 2030, i.e., 8:30 PM. If I wish to look for issues with other software on the system besides software provided by Microsoft, I can omit the -Filter parameter. E.g., if I wish to look for any issues with software on the system noted in the Reliability Records between 4:00 AM and 7:59 PM, I can use the command below, which shows me there was a problem with QuickBooks on the system at 10:48 AM.

PS C:\> get-wmiobject -class Win32_ReliabilityRecords | Where-Object {$_.TimeGenerated -gt "202309120400" -and $_.TimeGenerated -lt "202309121959"}


__GENUS          : 2
__CLASS          : Win32_ReliabilityRecords
__SUPERCLASS     : Win32_Reliability
__DYNASTY        : Win32_Reliability
__RELPATH        : Win32_ReliabilityRecords.Logfile="Application",RecordNumber=555487,TimeGenerated="20230912104800.268
                   000-000"
__PROPERTY_COUNT : 10
__DERIVATION     : {Win32_Reliability}
__SERVER         : THELMA-LOU
__NAMESPACE      : root\cimv2
__PATH           : \\THELMA-LOU\root\cimv2:Win32_ReliabilityRecords.Logfile="Application",RecordNumber=555487,TimeGener
                   ated="20230912104800.268000-000"
ComputerName     : thelma-lou.office.example.com
EventIdentifier  : 1000
InsertionStrings : {QBCFMonitorService.exe, 4.0.6992.8981, 5c6f3451, KERNELBASE.dll...}
Logfile          : Application
Message          : Faulting application name: QBCFMonitorService.exe, version: 4.0.6992.8981, time stamp: 0x5c6f3451
                   Faulting module name: KERNELBASE.dll, version: 10.0.19041.3324, time stamp: 0xbe39fd8b
                   Exception code: 0xe0434352
                   Fault offset: 0x0013d8c2
                   Faulting process id: 0x4080
                   Faulting application start time: 0x01d9e56511598a3b
                   Faulting application path: C:\Program Files (x86)\Common
                   Files\Intuit\QuickBooks\QBCFMonitorService.exe
                   Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
                   Report Id: 915b08a3-b3c2-4b10-bbc5-e46c17288b07
                   Faulting package full name:
                   Faulting package-relative application ID:
ProductName      : QBCFMonitorService.exe
RecordNumber     : 555487
SourceName       : Application Error
TimeGenerated    : 20230912104800.268000-000
User             :
PSComputerName   : THELMA-LOU



PS C:\>
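The checks above can be combined into one timeline leading up to the last boot. This is an added example, not code from the original post: the function name Get-RebootContext and its WindowHours parameter are hypothetical, it uses Get-CimInstance and Get-HotFix (which return dates as [datetime] objects) in place of get-wmiobject, and it goes beyond the post by also reading System log event 1074, which the post does not mention.

```powershell
# Added example: one timeline of hotfixes, reliability records and restart
# requests in the hours before the last boot. Names here are hypothetical.
function Get-RebootContext {
    param([int]$WindowHours = 24)   # hypothetical parameter: hours before boot to inspect

    $boot  = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $start = $boot.AddHours(-$WindowHours)
    $row   = { param($t, $s, $d) [pscustomobject]@{ Time = $t; Source = $s; Detail = $d } }

    # Hotfixes: InstalledOn holds only a date (midnight) and can be empty.
    $hotfixes = @(Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $start.Date -and $_.InstalledOn -le $boot } |
        ForEach-Object { & $row $_.InstalledOn 'QuickFixEngineering' "$($_.Description) $($_.HotFixID) (date only)" })

    # Reliability records: the actual time of each update install or application fault.
    # Get-CimInstance converts the raw YYYYMMDDHHMMSS string, whose trailing -000 is
    # an offset from UTC in minutes, into a [datetime], so no string comparison is needed.
    $records = @(Get-CimInstance -ClassName Win32_ReliabilityRecords |
        Where-Object { $_.TimeGenerated -ge $start -and $_.TimeGenerated -le $boot } |
        ForEach-Object { & $row $_.TimeGenerated $_.SourceName (($_.Message -split "`r?`n")[0]) })

    # System event log: event 1074 records which process requested a restart and why.
    $filter   = @{ LogName = 'System'; Id = 1074; StartTime = $start; EndTime = $boot }
    $restarts = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { & $row $_.TimeCreated "EventLog $($_.Id)" (($_.Message -split "`r?`n")[0]) })

    $bootRow = & $row $boot 'Win32_OperatingSystem' 'System boot'
    ($hotfixes + $records + $restarts + $bootRow) | Sort-Object Time
}

Get-RebootContext -WindowHours 24 | Format-Table -AutoSize -Wrap
```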
