WannaCry: how to check if your system is protected using a PowerShell script

Ryan

7 years ago

If you've stumbled upon this post you are probably well-aware of the Win32/WannaCrypt Ransomware, better known as WannaCry: we already talked about it in this other post, which contains an extensive list of links to download the various patches to shield almost any Windows-based operating system against this dangerous treat.

However, you might also need to find a way to quickly check if your system is effectively protected against WannaCry or not: this could come very handy if you are a System Administrator and you don't know which server is missing the updates or not. Altough the best suggestion we can give would always be "patch everything", you can also use this great PowerShell script (which we stole from this great post from SpiceWorks community site - credits to CarlosTech for the great job):

#list of all the hotfixes from https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
$hotfixes = "KB3205409", "KB3210720", "KB3210721", "KB3212646", "KB3213986", "KB4012212", "KB4012213", "KB4012214", "KB4012215", "KB4012216", "KB4012217", "KB4012218", "KB4012220", "KB4012598", "KB4012606", "KB4013198", "KB4013389", "KB4013429", "KB4015217", "KB4015438", "KB4015546", "KB4015547", "KB4015548", "KB4015549", "KB4015550", "KB4015551", "KB4015552", "KB4015553", "KB4015554", "KB4016635", "KB4019213", "KB4019214", "KB4019215", "KB4019216", "KB4019217", "KB4019218", "KB4019263", "KB4019264", "KB4019265", "KB4019472", "KB4015221", "KB4019474", "KB4015219", "KB4019473", "KB4022168", "KB4022722", "KB4022717", "KB4022718", "KB4022720", "KB4022723", "KB4022724", "KB4032693", "KB4032695"

#checks the computer it's run on if any of the listed hotfixes are present
$hotfix = Get-HotFix -ComputerName $env:computername | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -property "HotFixID"

#confirms whether hotfix is found or not
if (Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID})
{
"Found HotFix: " + $hotfix.HotFixID
} else {
"Didn't Find HotFix"
}

#list of all the hotfixes from https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

$hotfixes = "KB3205409", "KB3210720", "KB3210721", "KB3212646", "KB3213986", "KB4012212", "KB4012213", "KB4012214", "KB4012215", "KB4012216", "KB4012217", "KB4012218", "KB4012220", "KB4012598", "KB4012606", "KB4013198", "KB4013389", "KB4013429", "KB4015217", "KB4015438", "KB4015546", "KB4015547", "KB4015548", "KB4015549", "KB4015550", "KB4015551", "KB4015552", "KB4015553", "KB4015554", "KB4016635", "KB4019213", "KB4019214", "KB4019215", "KB4019216", "KB4019217", "KB4019218", "KB4019263", "KB4019264", "KB4019265", "KB4019472", "KB4015221", "KB4019474", "KB4015219", "KB4019473", "KB4022168", "KB4022722", "KB4022717", "KB4022718", "KB4022720", "KB4022723", "KB4022724", "KB4032693", "KB4032695"

#checks the computer it's run on if any of the listed hotfixes are present

$hotfix = Get-HotFix -ComputerName $env:computername | Where-Object {$hotfixes -contains $_.HotfixID} | Select-Object -property "HotFixID"

#confirms whether hotfix is found or not

if (Get-HotFix | Where-Object {$hotfixes -contains $_.HotfixID})

{

"Found HotFix: " + $hotfix.HotFixID

} else {

"Didn't Find HotFix"

}

As we can see, this will check all the relevant hotfixes released by Microsoft containing the fix for the MS17-010 Jump issue - the one used by WannaCry to perform its attack. Using it is just as easy as copy the given source code, paste it into a PowerShell command prompt and press Enter to execute it.

Once you do that, it will return one of the following strings:

Found Hotfix XXXX, if your system is protected.
Didn't Find HotFix, if your system is NOT protected.

Needless to say, if you're receiving the latter, you should really need to take a good look here and apply the relevant patch before it's too late.

That's it for now: happy check!

Print Friendly & PDF Download