For those who remember Windows Server 2000, the QFECheck.exe tool was the go-to solution for listing installed hotfixes. While this tool is deprecated in later versions, Windows Server 2003/2008 provides several native methods to achieve the same result without requiring third-party tools.
The most comprehensive method is through WMI queries. This PowerShell snippet extracts hotfix information:
Get-WmiObject -Class Win32_QuickFixEngineering |
Select-Object HotFixID, Description, InstalledOn, InstalledBy |
Sort-Object InstalledOn -Descending |
Format-Table -AutoSize
For environments where PowerShell isn't available, the Command Prompt provides alternatives:
wmic qfe list brief /format:csv > hotfixes.csv
systeminfo | find "KB"
Hotfix information is also stored in the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix
This PowerShell command enumerates registry-based hotfixes:
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix" |
ForEach-Object { Get-ItemProperty $_.PSPath }
Each approach has advantages:
- WMI provides the most complete information
- Command line is fastest for quick checks
- Registry method shows uninstalled patches
To create an audit-friendly report:
Get-HotFix | Export-Csv -Path "C:\hotfix_report.csv" -NoTypeInformation
Some hotfixes might not appear in standard queries due to:
- Component-Based Servicing (CBS) updates
- Pending reboots
- Corrupted WMI repository
For CBS updates, use:
dism /online /get-packages
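Because a KB can show up in one source and not another, it helps to see per KB which sources report it. The following is an added example, not part of the original page: the function name Compare-HotfixSources, its parameter and the sample data are hypothetical, and the DISM lines assume a system where the dism command above is available.

```powershell
# Added example: cross-check which source reports each KB number.
# Compare-HotfixSources and -Sources are hypothetical names, not a built-in cmdlet.
function Compare-HotfixSources {
    param([hashtable]$Sources)   # source name -> lines of text captured from that source

    $seen = @{}                  # KB id -> names of the sources that mention it
    foreach ($name in $Sources.Keys) {
        foreach ($line in @($Sources[$name])) {
            # Pull every KB number out of the line, whatever text surrounds it
            foreach ($m in [regex]::Matches([string]$line, 'KB\d+', 'IgnoreCase')) {
                $kb = $m.Value.ToUpper()
                if (-not $seen.ContainsKey($kb)) { $seen[$kb] = @() }
                if ($seen[$kb] -notcontains $name) { $seen[$kb] += $name }
            }
        }
    }
    foreach ($kb in ($seen.Keys | Sort-Object)) {
        $missing = @($Sources.Keys | Where-Object { $seen[$kb] -notcontains $_ } | Sort-Object)
        # New-Object PSObject keeps this compatible with PowerShell 2.0
        New-Object PSObject -Property @{
            KB         = $kb
            ReportedBy = ($seen[$kb] | Sort-Object) -join ','
            MissingIn  = $missing -join ','
        } | Select-Object KB, ReportedBy, MissingIn
    }
}

# Constructed sample text standing in for real command output (KB numbers are made up)
$sample = @{
    'Get-HotFix' = @('KB1234567', 'KB1111111')
    'DISM'       = @(
        'Package Identity : Package_for_KB1234567~31bf3856ad364e35~amd64~~6.1.1.0',
        'Package Identity : Package_for_KB2222222~31bf3856ad364e35~amd64~~6.1.1.0'
    )
}
Compare-HotfixSources -Sources $sample | Format-Table -AutoSize

# Live use from an elevated prompt:
# Compare-HotfixSources -Sources @{
#     'Get-HotFix' = (Get-HotFix | ForEach-Object { $_.HotFixID })
#     'DISM'       = (dism /online /get-packages)
# }
```

Rows with a non-empty MissingIn column are the ones to follow up on during an audit.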
For Windows Server 2003/2008, you have several built-in options to list hotfixes without third-party tools:
:: Basic list with QFE info (works on 2003/2008)
wmic qfe list brief /format:csv
:: Detailed output including installation dates
wmic qfe get Caption,Description,HotFixID,InstalledOn
For servers with PowerShell installed (recommended for 2008+):
# Get all hotfixes with full details
Get-HotFix | Format-Table -AutoSize
# Export to CSV for audit purposes
Get-HotFix | Export-Csv -Path "C:\hotfixes.csv" -NoTypeInformation
If you're working with older systems where QFECheck was used, these methods provide similar functionality:
:: Windows 2000-style output
systeminfo | find "KB"
For comprehensive audit documentation, combine multiple data sources:
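# PowerShell script to generate detailed report
# New-Object PSObject is used instead of [PSCustomObject] so the script also runs on PowerShell 2.0
$report = @()
$hotfixes = Get-HotFix
foreach ($hf in $hotfixes) {
    $report += New-Object PSObject -Property @{
        KBArticle   = $hf.HotFixID
        Description = $hf.Description
        InstalledBy = $hf.InstalledBy
        Date        = $hf.InstalledOn
        Computer    = $env:COMPUTERNAME
    }
}
# Select-Object fixes the column order, which a hashtable does not preserve
$report | Select-Object KBArticle, Description, InstalledBy, Date, Computer |
    Export-Csv -Path "C:\hotfix_audit_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation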
To check for particular updates (e.g., security patches):
# Check if KB1234567 is installed
if (Get-HotFix -Id "KB1234567" -ErrorAction SilentlyContinue) {
    Write-Host "Security update KB1234567 is installed"
} else {
    Write-Warning "Missing critical update KB1234567"
}
- The wmic command might be deprecated in newer Windows versions
- For servers with PowerShell 2.0+, Get-HotFix is more reliable
- Some updates might not appear in these lists if they were slipstreamed
- Always run commands with administrative privileges