Skip to content

Windows Paste Scan#

By registering Windows update information (KBIDs) and package information in the FutureVuls console, you can detect vulnerabilities without using a scanner.

This scanning method is recommended for the following environments:

  • Environments where scanner programs "cannot be installed"
  • Environments that are isolated from the internet and "cannot upload" configuration information to FutureVuls
  • Environments that "cannot connect" to the internet or a Windows Update service like WSUS

It supports environments where deploying the FutureVuls scanner is difficult.

For supported OSes and versions, please refer to "Supported Environments".

Differences from Scans Using a Scanner#

Compared to a scan that uses a scanner, the Windows paste scan cannot retrieve the following information:

  • Restart status of applied updates

    Information on whether a restart is required for installed updates.

  • Unapplied updates

    Information about updates that are not installed.

  • Update information retrieved using Windows Update Search

    The paste scan does not retrieve KB (update) information that is obtained by using the UpdateSearcher. (This information is retrieved in a local scan. For details, see the Windows Local Scan Manual).

    $UpdateSearcher = $UpdateSession.CreateUpdateSearcher(); $UpdateSearcher.ServerSelection = 2;
    $UpdateSearcher.search("IsInstalled = 1 and RebootRequired = 0 and Type='Software'").Updates
    $UpdateSearcher.search("IsInstalled = 0 and Type='Software'").Updates
    
    $UpdateSearcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher();
    $HistoryCount = $UpdateSearcher.GetTotalHistoryCount();
    $UpdateSearcher.QueryHistory(0, $HistoryCount);
    

If the KB information registered via paste scan is outdated or incomplete, you can supplement it using the "Manual KBID Registration" feature.

New Registration#

To perform a new Windows paste scan, follow these steps.

  1. Click Server > Add Server > Add Paste Server to open the dialog box.

    Add Paste Server button

  2. Enter the server name and OS information (OS Family, Edition, Kernel Version).

    Enter server name

  3. To retrieve update information, execute the command displayed on the screen in PowerShell and paste the result.

    Enter update information

  4. To retrieve package information, execute the command displayed on the screen in PowerShell and paste the result.

    Enter package information

After registration, a scan is automatically executed, supplementing unapplied update information and detecting vulnerabilities. For more precise vulnerability management, please use the Manual KBID Registration feature to register any unregistered update information.

Information Required for Windows Paste Server Registration and How to Obtain It#

Info Command
Kernel Version $CurrentVersion = (Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion"); @($CurrentVersion.CurrentMajorVersionNumber, $CurrentVersion.CurrentMinorVersionNumber, $CurrentVersion.CurrentBuildNumber, $CurrentVersion.UBR) -join '.'
KBIDs (Get-Hotfix | Select-Object -Property HotFixID | % { If ($_ -match '(KB\d{6,7})') { $Matches[0] }}) -Join ','
Packages Get-Package | Select-Object Name, Version, ProviderName, @{Name='Publisher';Expression={$_.Metadata['Publisher']}} | Format-List | Out-String -Width 1024

Manual KBID Registration#

If the KB information registered via paste scan is outdated or incomplete, use this feature to register KBIDs manually. You can also use this feature if the KB information registered by a scanner-based Windows scan is incomplete.

For details, please refer to "Manual KBID Registration".