# Obtaining MSFT Patches for Analysis

* <https://portal.msrc.microsoft.com/en-us/security-guidance>
* Cumulative updates can be downloaded from the site above
* Patch files for Vista, 7, 8, 10 and Server 2008/2012/2016/2019 have the `.msu` extension

### Extraction of Patches

* Use the `expand` tool to unpack packages with the `.msu` extension
* `expand -F:* Windows8.1-KBXXXXXXX-x64.msu <destination-dir>` (with `-F`, `expand` needs a destination directory)
* The interesting files are the `.cab` files
* The directory names contain the name of the file they patch, for example:

```
dir /s /b /o:n /ad
Patched/x64_microsoft-windows-user32_XXXXXXXX
```

* The patch directory above is for `user32.dll`
* `cd` into that directory and run `dir` to see the patched `user32.dll` file

### PatchExtract

* Cumulative updates can be huge, with thousands of files. Greg Linares wrote some PowerShell scripts to cut down the number of files to look at

```
powershell -executionpolicy Bypass -File C:\Patch\PatchExtract14.ps1 -Patch windows10.0-XXX.msu -Path C:\Patch\MS19-MAR
```

* The above command extracts every folder and file from the cumulative update, which results in a large number of files and folders
* Some of these files and folders date back years, and we do not care about those
* Download: <http://pastebin.com/u/Laughing_Mantis>
* Download alt: <https://pastebin.com/VjwNv23n>
* After extracting all the files, clean up everything older than 30 days, which limits how much we have to look at
* Use the PatchClean script

```
powershell.exe -ExecutionPolicy Bypass -File C:\Patch\PatchClean.ps1 -Path C:\Patch\MS18-MAR\x64\
```

* Download PatchClean: <http://pastebin.com/u/Laughing_Mantis>
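
The 30-day filtering described above, as an added example that is not the PatchClean script or any of Greg Linares' code: a read-only PowerShell function that lists the extracted component folders holding files written within the last 30 days, without deleting anything. The function name `Get-RecentPatchedComponent`, the `<arch>_<component>_<rest>` folder layout (taken from the sample name shown earlier) and the temporary sample tree are assumptions constructed for illustration.

```powershell
# Added example: read-only triage of a PatchExtract-style output directory.
# Assumption: folders are named <arch>_<component>_<rest>, as in the sample
# "x64_microsoft-windows-user32_XXXXXXXX" shown on this page.
function Get-RecentPatchedComponent {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxAgeDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-ChildItem -LiteralPath $Path -Directory | ForEach-Object {
        $dir = $_
        # The newest file inside the folder decides whether the folder is recent.
        $newest = Get-ChildItem -LiteralPath $dir.FullName -File -Recurse |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First 1
        if ($newest -and $newest.LastWriteTime -ge $cutoff) {
            $parts = $dir.Name -split '_', 3      # arch, component, remainder
            $component = $dir.Name                # fallback for unexpected names
            if ($parts.Count -ge 2) { $component = $parts[1] }
            [pscustomobject]@{
                Arch      = $parts[0]
                Component = $component
                Newest    = $newest.LastWriteTime
                Folder    = $dir.FullName
            }
        }
    } | Sort-Object Component
}

# Constructed sample tree (not real patch content): folder name -> file age in days.
$root = Join-Path ([IO.Path]::GetTempPath()) ('patchdemo_' + [guid]::NewGuid().ToString('N'))
$samples = @{
    'x64_microsoft-windows-user32_XXXXXXXX' = 3
    'x64_microsoft-windows-gdi32_XXXXXXXX'  = 400
}
foreach ($name in $samples.Keys) {
    $dir  = New-Item -ItemType Directory -Path (Join-Path $root $name) -Force
    $file = New-Item -ItemType File -Path (Join-Path $dir.FullName 'placeholder.dll')
    $file.LastWriteTime = (Get-Date).AddDays(-$samples[$name])
}

# Only the folder whose file is newer than the cutoff is listed.
Get-RecentPatchedComponent -Path $root | Format-Table Arch, Component, Newest

Remove-Item -LiteralPath $root -Recurse -Force   # remove the constructed tree
```

Pointing `-Path` at a real extraction directory gives a shortlist of recently changed components to review before running any cleanup that deletes files.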
