How to List All Installed Windows Updates (Hotfixes) in Batch Script
Auditing a system's patch level is a fundamental task for maintaining security and stability. For system administrators and developers, being able to quickly generate a list of all installed "Hotfixes" (Windows Updates) is essential for compliance checks and troubleshooting software conflicts. While the Windows Settings menu provides a visual list, a Batch script can export this data to a text file, CSV, or a network share for centralized analysis.
This guide explores the most effective ways to extract a complete list of installed updates using the wmic, systeminfo, and PowerShell commands.
Why Use a Batch Script to List Updates?
- Automation: Easily gather data from hundreds of machines across a network.
- Reporting: Export the list to a readable format (.txt, .csv) for inclusion in documentation or audits.
- Speed: Query the update database directly without opening the heavy "Settings" application.
- Offline Access: Save the list of updates before performing an offline system repair.
Throughout Windows, KB updates are often referred to as "Hotfixes." In technical commands like wmic, you will see them under the "Quick Fix Engineering" (QFE) alias, which queries the Win32_QuickFixEngineering WMI class.
Method 1: Using WMIC (Best for Formatting)
The Windows Management Instrumentation Command-line (wmic) allows you to select exactly which pieces of information you want (like the KB ID and the installation date) and can output directly to CSV format.
wmic.exe has been deprecated since Windows 10 21H1 and is removed in some Windows 11 builds. If wmic is unavailable on your system, use the PowerShell method shown in Method 3.
Basic List to Console
@echo off
echo [PROCESS] Retrieving installed updates...
wmic qfe get HotFixID,InstalledOn,Description
pause
Exporting to a CSV File
For analysis in Excel, you can use the /format:csv switch:
@echo off
setlocal
set "OUT_FILE=%userprofile%\Desktop\UpdateList.csv"
echo [PROCESS] Exporting updates to CSV...
wmic qfe get HotFixID,Description,InstalledOn /format:csv > "%OUT_FILE%"
rem Remove the blank first line that wmic /format:csv produces
findstr /v /r "^$" "%OUT_FILE%" > "%OUT_FILE%.tmp"
move /y "%OUT_FILE%.tmp" "%OUT_FILE%" >nul
echo [SUCCESS] File saved to: %OUT_FILE%
endlocal
pause
Method 2: Using the systeminfo Utility
If you need a more human-readable list without dealing with the complexities of WMI, the systeminfo command is a classic alternative. It provides the KB numbers along with general system details.
@echo off
echo [PROCESS] Gathering hotfix information...
systeminfo | findstr /i /c:"Hotfix(s)" /c:"KB"
pause
On systems with a long history of updates, systeminfo can take over a minute to process. For a faster experience, use the wmic or PowerShell methods instead.
Method 3: Using PowerShell (Recommended)
PowerShell's Get-HotFix cmdlet is the modern replacement for wmic qfe and works reliably on all current Windows versions:
@echo off
echo [PROCESS] Retrieving installed updates via PowerShell...
powershell -noprofile -command "Get-HotFix | Format-Table -AutoSize HotFixID, Description, InstalledOn"
pause
Exporting to CSV via PowerShell
@echo off
setlocal
set "OUT_FILE=%userprofile%\Desktop\UpdateList.csv"
echo [PROCESS] Exporting updates to CSV...
powershell -noprofile -command "Get-HotFix | Select-Object HotFixID, Description, InstalledOn | Export-Csv -Path '%OUT_FILE%' -NoTypeInformation"
echo [SUCCESS] File saved to: %OUT_FILE%
endlocal
pause
Creating a Robust Audit Script
The following script generates a professional-looking report of all installed updates, including the machine name and the date of the audit. It tries wmic first and falls back to PowerShell if unavailable.
@echo off
setlocal enabledelayedexpansion
rem Define the output file
set "OUT_FILE=%userprofile%\Desktop\UpdateAudit_%COMPUTERNAME%.txt"
echo ============================================================
echo Windows Update Audit Tool
echo ============================================================
rem 1. Write header information
(
    echo Audit Date: %date% %time%
    echo Computer Name: %COMPUTERNAME%
    echo User: %USERNAME%
    echo ------------------------------------------------------------
) > "%OUT_FILE%"
rem 2. Attempt to query installed hotfixes
echo [PROCESS] Querying Windows for installed hotfixes...
where wmic >nul 2>&1
if !errorlevel! equ 0 (
    echo [INFO] Using wmic...
    wmic qfe get HotFixID,Description,InstalledOn /format:table >> "%OUT_FILE%" 2>&1
) else (
    echo [INFO] wmic not available, using PowerShell...
    powershell -noprofile -command "Get-HotFix | Format-Table -AutoSize HotFixID, Description, InstalledOn | Out-String" >> "%OUT_FILE%" 2>&1
)
rem 3. Verify output file has content beyond the header
for %%A in ("%OUT_FILE%") do set "fileSize=%%~zA"
if !fileSize! lss 300 (
    echo [WARNING] Report may be incomplete. Check WMI service status.
) else (
    echo [SUCCESS] Report generated: %OUT_FILE%
)
echo ============================================================
endlocal
pause
Common Pitfalls and How to Avoid Them
Unexpected Date Formats
In older versions of Windows 10, the "InstalledOn" property might return a hex-style date or a different format than your local system.
Wrong Way:
:: Assuming the date is always MM/DD/YYYY
for /f "tokens=2" %%d in ('wmic qfe get InstalledOn') do ...
:: This will break if the WMI output format changes.
Correct Way:
Always treat the InstalledOn field as a string and don't try to perform mathematical operations on it within a pure Batch environment without careful parsing.
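One way to follow this advice, as an added example rather than code from the original guide: let PowerShell turn InstalledOn into a fixed yyyy-MM-dd string before the data reaches Batch, and write UNKNOWN where no date can be read. The file name UpdateList_ISO.csv and passing the path through $env:OUT_FILE are choices made for this example.

```batch
@echo off
setlocal
rem Added example, not part of the original guide.
rem Output location is an assumption; adjust as needed.
set "OUT_FILE=%userprofile%\Desktop\UpdateList_ISO.csv"

echo [PROCESS] Exporting updates with normalised dates...

rem The path is read inside PowerShell from the inherited OUT_FILE variable,
rem so an apostrophe in the profile path cannot break the quoting.
rem try/catch covers an empty or unreadable InstalledOn value: the row is
rem kept and marked UNKNOWN instead of being dropped or guessed.
powershell -noprofile -command "Get-HotFix | Select-Object HotFixID, Description, @{Name='InstalledOn'; Expression={ try { $_.InstalledOn.ToString('yyyy-MM-dd') } catch { 'UNKNOWN' } }} | Sort-Object InstalledOn, HotFixID | Export-Csv -LiteralPath $env:OUT_FILE -NoTypeInformation"

if errorlevel 1 (
    echo [ERROR] Export failed.
    exit /b 1
)

echo [SUCCESS] File saved to: %OUT_FILE%
endlocal
```

Because yyyy-MM-dd strings sort chronologically as plain text, the CSV can be ordered or compared between machines without any date arithmetic in Batch.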
Silent Failures
If the "WMI" service is disabled on the machine, the wmic command will fail silently or return an empty list.
Ensure the "Windows Management Instrumentation" service is running if you see an empty report. You can check this in services.msc.
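A guard against the silent failure described above, as an added example that is not part of the original guide: it refuses to produce a report unless the WMI service is running, the query succeeded, and at least one KB line came back. The output file name and the exit codes 2, 3 and 4 are assumptions chosen for this example.

```batch
@echo off
setlocal
rem Added example, not part of the original guide.
set "OUT_FILE=%userprofile%\Desktop\InstalledKBs.txt"

rem 1. The WMI service (service name Winmgmt) must be running.
sc query Winmgmt | findstr /i /c:"RUNNING" >nul
if errorlevel 1 (
    echo [ERROR] WMI service is not running. Hotfix list cannot be trusted.
    exit /b 2
)

rem 2. Run the query. With ErrorActionPreference set to Stop, any failure
rem    in Get-HotFix makes powershell.exe return a non-zero exit code.
powershell -noprofile -command "$ErrorActionPreference='Stop'; (Get-HotFix).HotFixID" > "%OUT_FILE%"
if errorlevel 1 (
    echo [ERROR] Get-HotFix failed. No report written.
    del "%OUT_FILE%" 2>nul
    exit /b 3
)

rem 3. A list with no KB lines is treated as a failed audit, not as a
rem    machine with nothing installed.
findstr /i /b "KB" "%OUT_FILE%" >nul
if errorlevel 1 (
    echo [ERROR] Query returned no hotfixes. Treating the result as invalid.
    del "%OUT_FILE%" 2>nul
    exit /b 4
)

echo [SUCCESS] Hotfix list saved to: %OUT_FILE%
endlocal
exit /b 0
```

Distinct exit codes let a collection job tell "could not audit" apart from "audited and clean" when the script runs unattended.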
Advanced: Sorting and Filtering
You might only want to see "Security Updates" or updates matching a specific description. You can filter the WMI query directly:
:: List only Security Updates
wmic qfe where "Description='Security Update'" get HotFixID,InstalledOn
Or with PowerShell:
powershell -noprofile -command "Get-HotFix | Where-Object { $_.Description -eq 'Security Update' } | Format-Table -AutoSize"
wmic qfe and Get-HotFix only list updates installed via the standard Windows Update or MSI installer. They may not list software updates for third-party applications or drivers updated through Device Manager. To list driver updates, use pnputil /enum-drivers.
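Filtering by specific KB ID instead of by description, as an added example that is not part of the original guide: the script compares the installed list against a required baseline and reports each gap. The IDs KB0000001 and KB0000002 are constructed placeholders, and the temporary file name is an assumption.

```batch
@echo off
setlocal
rem Added example, not part of the original guide.
rem Constructed placeholder IDs: replace with your own required baseline.
set "REQUIRED=KB0000001 KB0000002"
set "LIST=%TEMP%\installed_kbs_%RANDOM%.txt"

rem Query once and cache the IDs, one per line, instead of starting
rem PowerShell again for every required KB.
powershell -noprofile -command "$ErrorActionPreference='Stop'; (Get-HotFix).HotFixID" > "%LIST%"
if errorlevel 1 (
    echo [ERROR] Could not read installed hotfixes.
    del "%LIST%" 2>nul
    exit /b 255
)

set /a MISSING=0
for %%K in (%REQUIRED%) do (
    rem /x matches the whole line, so KB123 does not match KB1234.
    findstr /i /x /c:"%%K" "%LIST%" >nul
    if errorlevel 1 (
        echo [MISSING] %%K
        set /a MISSING+=1
    ) else (
        echo [OK]      %%K
    )
)

del "%LIST%" 2>nul
echo [RESULT] Missing required updates: %MISSING%
rem The exit code is the number of missing KBs; 0 means compliant.
exit /b %MISSING%
```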
Conclusion
Listing all installed Windows updates via Batch script is a critical capability for system auditing and troubleshooting. By utilizing wmic for legacy compatibility, systeminfo for quick checks, and PowerShell's Get-HotFix as the modern standard, you can maintain a clear view of your system's patch history. Whether you are generating a CSV for a compliance officer or checking for a specific patch to fix a bug, these commands provide a reliable and efficient way to interact with the Windows update database. Always remember to export your results to a file for better long-term tracking and easier cross-reference across your infrastructure.