You can't do this file based often anymore like in XP. Except you know what files or Keys have changed but then you would have to capture an install and review it. You need a little
knowledge of WMI and the rigth classes (Just the name of it) to do this.
The Win32_QuickFixEngineeringWMI class represents a small system-wide update, commonly referred to as a quick-fix engineering (QFE) update, applied to the current operating system. Starting with Windows Vista, this class returns only the updates supplied by Component Based Servicing (CBS). These updates are not listed in the registry. Updates supplied by Microsoft Windows Installer (MSI) or the Windows update site (http://update.microsoft.com) are not returned by
Here are some tools we use to get the info we need
How to find a WMI class in WMI when you find it on Technet (How to browse it):
Download WMI Explorer 2.0
You can SEARCH for Classes and see where they are located and how to query them
SELECT * FROM Win32_QuickFixEngineering
Test the Query with Paessler WMI Tester
Selection from Deployment that uses WMI Querys (Like Frontrange) or Windows GPO:
- You could make a WMI GPO Filter that selects the computers which have the patch
- Then Uninstall the patch with GPO
SELECT * FROM Win32_QuickFixEngineering where HotFixID = 'KB2984972'
Or use the Query in Enteo FrontRange Script.
Search the Patch in Batch
c:\windows\system32\wbem\wmic.exe qfe | find "kb2559392"
c:\windows\system32\wbem\wmic.exe qfe | find "KB2860142"
c:\windows\system32\wbem\wmic.exe qfe | find "kb2871803"
Gets all the info
c:\windows\system32\wbem\wmic.exe qfe GET HOTFIXID | find "KB2984972"
Only shows the KB
Uninstall the Patch:
wusa /uninstall /kb:2949927 /quiet /norestart