Overview

The Hotfixes command enumerates all installed Windows updates and hotfixes via WMI. This helps identify missing security patches and potential vulnerabilities that could be exploited for privilege escalation or other attacks.

Syntax

Seatbelt.exe Hotfixes

Remote Execution

Seatbelt.exe Hotfixes -computername=TARGET.domain.com [-username=DOMAIN\user -password=pass]

Output

Returns hotfix information:
  • HotFix ID (KB number)
  • Description
  • Installed date
  • Installed by (user)

Use Cases

  • Red Team
      • Identify missing security patches
      • Find exploitable vulnerabilities
      • Plan privilege escalation attacks
  • Blue Team
      • Assess system patch level
      • Identify outdated systems

Example Output

====== Hotfixes ======

HotFixID     : KB5034127
Description  : Security Update
InstalledOn  : 1/15/2024
InstalledBy  : NT AUTHORITY\SYSTEM

HotFixID     : KB5033909
Description  : Update
InstalledOn  : 12/12/2023
InstalledBy  : NT AUTHORITY\SYSTEM

HotFixID     : KB890830
Description  : Windows Malicious Software Removal Tool
InstalledOn  : 1/10/2024
InstalledBy  : NT AUTHORITY\SYSTEM
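
For assessing patch level from this output, the following added example (not part of Seatbelt or of the original page) parses the text format shown above and reports how old the newest "Security Update" entry is. The function names, the 45-day threshold and the M/D/YYYY date format are assumptions; the sample input is the example output from this page.

```python
import re
from datetime import date, datetime

# Constructed sample input: the "Example Output" block shown on this page.
SAMPLE = r"""====== Hotfixes ======

HotFixID     : KB5034127
Description  : Security Update
InstalledOn  : 1/15/2024
InstalledBy  : NT AUTHORITY\SYSTEM

HotFixID     : KB5033909
Description  : Update
InstalledOn  : 12/12/2023
InstalledBy  : NT AUTHORITY\SYSTEM

HotFixID     : KB890830
Description  : Windows Malicious Software Removal Tool
InstalledOn  : 1/10/2024
InstalledBy  : NT AUTHORITY\SYSTEM
"""

def parse_hotfixes(text):
    """Return one dict per record; records are separated by blank lines."""
    records = []
    for block in re.split(r"\n\s*\n", text):
        rec = dict(m.groups() for m in re.finditer(r"(?m)^(\w+)[ \t]*:[ \t]*(.*?)[ \t\r]*$", block))
        if "HotFixID" not in rec:
            continue  # banner line or unrelated text
        try:  # assumption: M/D/YYYY as in the sample; the field can be empty
            rec["InstalledOn"] = datetime.strptime(rec.get("InstalledOn", ""), "%m/%d/%Y").date()
        except ValueError:
            rec["InstalledOn"] = None
        records.append(rec)
    return records

def patch_age(records, today, max_age_days=45):
    """Return (newest 'Security Update' date, its age in days, stale flag)."""
    dates = [r["InstalledOn"] for r in records
             if r.get("Description") == "Security Update" and r["InstalledOn"]]
    if not dates:
        return None, None, True  # no dated security update: treat as stale
    latest = max(dates)
    age = (today - latest).days
    return latest, age, age > max_age_days

if __name__ == "__main__":
    print(patch_age(parse_hotfixes(SAMPLE), date(2024, 2, 1)))
```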

Remote Execution

This command supports remote execution using the -computername parameter.

Detection Considerations

Low detection risk - queries WMI for installed updates.