Cluster Validation: Missing hotfixes display only the GUID
Published Mar 15 2019 01:37 PM 638 Views
First published on MSDN on May 01, 2009

Hi Cluster fans,

[1/13/2010] UPDATE: This issue has been fixed in Windows Server 2008 R2.  All Hotfixes should now correctly return the KB number.  If you still see this issue on a 2008 R2 cluster, please let us know by clicking the ‘Email’ link in the upper right of the blog and share the KB number which you seeing this issue reproduced with.  Thanks!

In Windows Server 2008 Failover Clustering the “Validate a Configuration…” tool was introduced which analyzes all components of the cluster to ensure it will work after deployment.  One of the tests will inventory the updates/QFEs/hotfixes installed on the cluster nodes and report back if the cluster nodes are not at the same patch level.  These tests can be found in the validation tool log in the “System Configuration” section under “Validate Software Updates Level”.  However this report will sometimes list the missing hotfix by an internal reference, their ‘Patch GUID’, rather than use a publically-discoverable reference, such as the hotfix name or KB article number.

If all the nodes in the cluster are at the same patch level, the test will be flagged as “Success”, otherwise you will get a warning.  A typical “Validate Software Updates Level” section in successful report would look something like this:

On the other hand, if one of the nodes in the cluster is missing some updates, the report will look like this:

These missing hotfixes can be found at 956572 (replace with your KB number) or search for the KB number at .

Although the validation tool logs the patch level discrepancies as a warning, as opposed to an error, it is important to realize that this test is important for maintaining high-availability on your cluster.  All the nodes in your cluster should be at the same patch level.  Imagine the following situation:

1.       You have a 2-node cluster running a cluster aware LOB application that has a database resource.

2.       You install an update only on one of the nodes

3.       The installed update introduces a new functionality in the database engine which is not backwards compatible with previous database engine versions.

4.       When the updated database engine mounts the database for the first time, it upgrades the database to support the new functionality (it could easily be some index rebuilt in a new and more efficient way).

5.       The patched node that currently holds the database application fails and the resources are failed over to the second node that is not patched

6.       The node that is missing the update tries to mount the database and fails because it encounters data that it does not know how to deal with

7.       Your LOB application fails.

Get the point?

Now back to the topic of this post. In most cases the validation tool’s log will clearly state the KB article associated with the missing update, but from time to time you might find something like this in the report:

Ah? What are those GUIDs doing here? How can I find a publically-discoverable name for the update so that I can install it on the nodes that are missing it?

If you are lucky, you will paste the GUID into the search engine and will get a hint about the actual name/KB of the update. Those that are used to dealing with previous versions of Windows OS (W2K3 and down) might be tempted to search the registry for the GUID and will be quite disappointed to come up empty handed.

So how do we pull the useful hotfix information we are looking for?   You could actually find the information in the registry, but there is a caveat – the GUID is represented differently and you need to apply a special logic when looking for it.

Script to the rescue!

D:\Scripts>cscript EnumPatchesReg.vbs /?

Displays details for installed patches/hotfixes

Usage: cscript EnumPatchesReg.vbs [/computer:<NAME>] [/id:<GUID|KB>]

/computer:<NAME>   The name of the computer to query. If the parameter

is not specified, the script will default to localhost.

/id: <GUID|KB>             The GUID or KB of the hotfix to query

If parameter is not specified, the script will enumerate

all the patches installed.

Running the script without parameters will enumerate all

the patches installed  on computer the script is executed on.

The script is available here:

Copy and save it to a text file called EnumPatchesReg.vbs.

Note: this is an unsupported script and has not undergone testing.  Please use this script at your own risk.  Microsoft’s Customer Support Services (CSS/PSS) will not support issues associated with this script.

Using the script:

-          The script has the ability to query remote W2K8 computers by specifying “/computer:NAME” as argument. If you omit the parameter, the query will be performed against the computer the script is executed on.

-          If you do not pass the “/id:” argument, the script will try to enumerate all the hotfixes installed.

Example usage:

D:\Scripts>cscript EnumPatchesReg.vbs /computer:W2K8CL01N2 /id:{47740627-D81D-4A45-A215-03B075A18EC7}

Patch Name:    Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1)

Patch Code:    {47740627-D81D-4A45-A215-03B075A18EC7}

More Info URL:

Patch State:   Installed

Install Date:  20081020

Product Name:  Microsoft Office 2003 Web Components

Product Code:  {90120000-00A4-0409-0000-0000000FF1CE}

D:\Scripts>EnumPatchesReg.vbs /id:940157

HotfixId:     940157


Description:  Update

Now you know what hides behind this GUID and even have a link to the KB where you can download the relevant update J


Guy Teverovsky

Premier Field Engineer

Microsoft Services

Version history
Last update:
‎Mar 15 2019 01:37 PM
Updated by: