# Obtaining MSFT Patches for Analysis

* <https://portal.msrc.microsoft.com/en-us/security-guidance>
* Can download cumulative updates from above site
* Patch files for Vista, 7, 8, 10 and Server 2008/2012/2016/2019 have .msu extensions

### Extraction of Patches

* Use the `expand` tool to unpack packages with the `.msu` extension; `expand` requires a destination directory, so pass `.` to extract into the current one
* `expand -F:* Windows8.1-KBXXXXXXX-x64.msu .`
* The interesting files are the `.cab` files (expand these the same way to get at the component directories)
* The directory names carry the name of the file they are patching, for example:

```
dir /s /b /o:n /ad
Patched/x64_microsoft-windows-user32_XXXXXXXX
```

* The above directory holds the patch for `user32.dll`
* `cd` into that directory and run `dir` to see the patched `user32.dll` file

### PatchExtract

* Cumulative updates can be huge, with thousands of files. Greg Linares wrote some PowerShell scripts that cut the number of files down to what matters. PatchExtract takes the update with `-Patch` and the output directory with `-Path`:

```
powershell -ExecutionPolicy Bypass -File C:\Patch\PatchExtract14.ps1 -Patch windows10.0-XXX.msu -Path C:\Patch\MS19-MAR
```

* The above command extracts every folder and file from the cumulative update, resulting in a large number of files and folders
* Some of the files and folders date back years; we do not care about those
* Download: <http://pastebin.com/u/Laughing_Mantis>
* Download alt: <https://pastebin.com/VjwNv23n>
* After extracting everything, clean up all files older than 30 days, which limits how much we have to look at
* Use the PatchClean script:

```
powershell.exe -ExecutionPolicy Bypass -File C:\Patch\PatchClean.ps1 -Path C:\Patch\MS18-MAR\x64\
```

* Download PatchClean: <http://pastebin.com/u/Laughing_Mantis>
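The following PowerShell script is an added example that ties the two steps above together; it is not Greg Linares' PatchExtract/PatchClean script and not code from this page. It unpacks an `.msu` with `expand.exe`, keeps expanding nested `.cab` files until none are left, then lists only the binaries written within the last 30 days, grouped by the component directory that names the patched file. The `-Msu`/`-OutDir` parameters, the `_extracted` folder suffix and the 30-day cutoff are my own choices; the sample paths are placeholders.

```powershell
# Added example (not the PatchExtract/PatchClean scripts): unpack an .msu with
# expand.exe, recurse into nested .cab files, then list the recently changed
# binaries grouped by component directory. Paths are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$Msu,     # e.g. C:\Patch\windows10.0-kbXXXXXXX-x64.msu
    [Parameter(Mandatory = $true)][string]$OutDir,  # e.g. C:\Patch\MS19-MAR
    [int]$MaxAgeDays = 30                           # same heuristic PatchClean applies
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# expand.exe needs a destination directory; -F:* extracts every member.
& expand.exe -F:* $Msu $OutDir | Out-Null

# Cumulative updates nest .cab files several levels deep. Keep expanding until
# no unexpanded .cab remains; the hashtable stops us re-expanding the same one.
$done = @{}
do {
    $cabs = @(Get-ChildItem -Path $OutDir -Recurse -Filter *.cab |
              Where-Object { -not $done.ContainsKey($_.FullName) })
    foreach ($cab in $cabs) {
        $target = Join-Path $cab.DirectoryName ($cab.BaseName + '_extracted')
        New-Item -ItemType Directory -Force -Path $target | Out-Null
        & expand.exe -F:* $cab.FullName $target | Out-Null
        $done[$cab.FullName] = $true
    }
} while ($cabs.Count -gt 0)

# Only files written within the last $MaxAgeDays are likely to be this month's
# fixes; older files carried along in the cumulative update are noise.
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)
$recent = Get-ChildItem -Path $OutDir -Recurse -File -Include *.dll, *.sys, *.exe |
          Where-Object { $_.LastWriteTime -gt $cutoff }

# Component directories are named after the binary they patch
# (e.g. x64_microsoft-windows-user32_<hash>), so grouping by parent folder
# gives a quick "what changed" list to pick diffing targets from.
$recent |
    Group-Object { $_.Directory.Name } |
    Sort-Object Name |
    ForEach-Object {
        [PSCustomObject]@{
            Component = $_.Name
            Files     = ($_.Group | ForEach-Object Name) -join ', '
            Newest    = ($_.Group | Measure-Object LastWriteTime -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```

Save it under a name of your choosing (say `Extract-Patch.ps1`) and run it the same way as the scripts above, e.g. `powershell -ExecutionPolicy Bypass -File .\Extract-Patch.ps1 -Msu C:\Patch\windows10.0-XXX.msu -OutDir C:\Patch\MS19-MAR`. The timestamp filter is a heuristic: a file the update ships unchanged from an older release can still carry an old write time, and a rebuilt but functionally identical binary can carry a new one, so treat the list as a starting point for diffing rather than a verdict.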
