01/09/2018 update: added a report and another CIR (custom inventory rule).
01/12/2018 update: added a screenshot of my device after installing the MS patches.
                                updated the script to use the current script version of today (1.0.4)  > Download
                                Script changelog from Microsoft:
                                        Added message directing users to explanation of output
                                        Addressed feedback regarding multiple CPUs when setting $cpu


For an official statement from quest please visit: https://support.quest.com/kb/237193

Hi all, 

here is a quick blog post on how to check for the hardware vulnerabilities CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, better known as Spectre and Meltdown.
I am using the PowerShell script from Microsoft's security advisory ADV180002 as the base script, with modifications for KACE.

The outcome of this blog post is that you can easily see, filter, report on and label all your Windows clients from Windows 7 SP1 or Server 2012 R2 upwards that are vulnerable to, or protected against, Spectre and/or Meltdown. To achieve this we first need a script.

The script looks like this and can be downloaded here.
If you need assistance importing it into your KACE SMA (K1000), please feel free to contact me.
cpu01.png

The script creates the log file "C:\Windows\Logs\KACE_CPU_Check.log" and rewrites it on every run, so the custom inventory rule below always picks up the result of the latest check.
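As an added example (this is not the author's script, which is only shown in the screenshot above), here is a PowerShell script that does what the text describes: it imports Microsoft's SpeculationControl module from a folder next to the script, runs Get-SpeculationControlSettings and rewrites C:\Windows\Logs\KACE_CPU_Check.log. The cmdlet and the property names (BTIWindowsSupportEnabled, KVAShadowRequired, KVAShadowWindowsSupportEnabled, as in module version 1.0.4) are Microsoft's; the module folder layout, the log format and the two summary lines are assumptions made for this example.

```powershell
# Added example, not the script from the blog post (that one is only shown as a screenshot).
# Assumptions: Microsoft's SpeculationControl PowerShell module from the ADV180002 guidance
# (SpeculationControl.psd1 / .psm1, version 1.0.4 property names) is deployed as a KACE
# script dependency in a "SpeculationControl" folder next to this file, so no PowerShell
# Gallery or internet access is needed on the device.
$ErrorActionPreference = 'Stop'
$LogFile    = 'C:\Windows\Logs\KACE_CPU_Check.log'
# $MyInvocation instead of $PSScriptRoot so the script also runs on PowerShell 2.0 (Windows 7 SP1).
$ScriptDir  = Split-Path -Parent $MyInvocation.MyCommand.Path
$ModulePath = Join-Path $ScriptDir 'SpeculationControl\SpeculationControl.psd1'

# The log is rebuilt from scratch on every run; the custom inventory rule reads it with "type".
$lines = @("KACE_CPU_Check $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') host=$env:COMPUTERNAME")

try {
    Import-Module $ModulePath -Force
    # Returns a PSCustomObject; the cmdlet's own Write-Host text only goes to the console.
    $s = Get-SpeculationControlSettings

    # Spectre variant 2 (CVE-2017-5715): protected only when the branch target injection
    # mitigation is actually enabled (needs the OS update AND the CPU microcode update).
    $spectreV2Protected = [bool]$s.BTIWindowsSupportEnabled

    # Meltdown (CVE-2017-5754): protected when the CPU does not need kernel VA shadowing
    # (KVAShadowRequired is false, e.g. AMD) or when shadowing is required and enabled.
    $meltdownProtected = (-not [bool]$s.KVAShadowRequired) -or [bool]$s.KVAShadowWindowsSupportEnabled

    # Summary lines use the true/false convention that the reports filter on (LIKE '%false%').
    $lines += "Spectre_V2_CVE-2017-5715_Protected: $($spectreV2Protected.ToString().ToLower())"
    $lines += "Meltdown_CVE-2017-5754_Protected: $($meltdownProtected.ToString().ToLower())"

    # Raw flags for the device detail view. They are written as 1/0 on purpose: flags such as
    # BTIDisabledBySystemPolicy are "False" on a fully patched device and would otherwise make
    # every device match a LIKE '%false%' filter.
    foreach ($p in $s.PSObject.Properties) {
        $lines += 'Detail {0}={1}' -f $p.Name, [int][bool]$p.Value
    }
}
catch {
    # Still write the log, so a failed check shows up as its own inventory state
    # instead of the device silently keeping an old result or having none at all.
    $lines += 'CheckFailed: true'
    $lines += "Error: $($_.Exception.Message)"
}

Set-Content -Path $LogFile -Value $lines -Encoding ASCII
```

Deploy the module files as a dependency of the KACE script and launch it with powershell.exe -ExecutionPolicy Bypass -File, since a locked-down execution policy would otherwise leave the log empty. Only the two summary lines use the words true/false, so a report filtering on "false" really finds devices missing a protection rather than every device where one of the informational "Disabled..." flags is False.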

To be able to search, label and report on this data we need a custom inventory rule.
Here is a screenshot; the export can be downloaded here.
cpu02.png
ShellCommandTextReturn(cmd /c type ""C:\Windows\Logs\KACE_CPU_Check.log"")

After that you can filter on it as you normally do.
Enabled protections appear in the output as "true"; a "false" means the corresponding protection is missing or disabled, which is what the filters and the report below key on.

Example for filtering for vulnerable devices:
cpu03.png
If you go to the details you will see that this device is vulnerable to both.
cpu04.png


Now you want to check with one click which devices are vulnerable and also eligible to receive the patches through Patching. For that we need another custom inventory rule that checks whether the compatibility registry value is present. Microsoft only offers the January 2018 security updates to devices on which this QualityCompat value exists; it is normally written by a compatible antivirus product (or by hand, if no antivirus is installed) with the data 0x00000000, so the rule below tells you whether the value has been written, not whether Windows Update has already delivered the patch. You can download the ready-to-use package here.

RegistryValueReturn(HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, cadca5fe-87d3-4b96-b7fb-a231484277cc, REG_DWORD) 

The next step is to import the report which can be downloaded here


-- Devices that are vulnerable (the analysis output contains "false") AND already carry the
-- QualityCompat value, i.e. devices that can be patched through Patching right away.
SELECT mc.NAME AS Device,
       mc.LAST_INVENTORY AS Inventory,
       mc.OS_NAME AS Operating_System,
       mc.USER_FULLNAME AS Username,
       mc.BIOS_MANUFACTURER AS 'Bios Manufacturer',
       mc.BIOS_VERSION AS 'BIOS Version'
FROM (MACHINE mc
-- mci1: the QualityCompat custom inventory; the INNER JOIN drops devices without the value
INNER JOIN MACHINE_CUSTOM_INVENTORY mci1 ON (mc.ID = mci1.ID))
-- mci: the Spectre & Meltdown analysis output (the log file contents)
INNER JOIN MACHINE_CUSTOM_INVENTORY mci ON (mc.ID = mci.ID)
WHERE mci.STR_FIELD_VALUE LIKE '%false%' AND mci.SOFTWARE_ID = (SELECT sw.ID FROM SOFTWARE sw WHERE (sw.DISPLAY_NAME = 'Inventory: Spectre & Meltdown Analysis'))
AND mci1.SOFTWARE_ID = (SELECT sw1.ID FROM SOFTWARE sw1 WHERE (sw1.DISPLAY_NAME = 'Inventory: Spectre & Meltdown QualityCompat'))


You can modify, add or delete anything within the scripts, custom inventory rules or SQL reports.
If you rename your custom inventory rules, change the names in the SQL query too (the DISPLAY_NAME strings 'Inventory: Spectre & Meltdown Analysis' and 'Inventory: Spectre & Meltdown QualityCompat'), otherwise the subqueries return no ID and the report is empty.
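The report above lists vulnerable devices that already have the QualityCompat value. The complementary list is usually the more urgent one: vulnerable devices that will not get the January 2018 updates at all because the value is missing. As an added example (not a report from the blog post), the same KACE SMA tables and custom inventory rule names are used, with a LEFT JOIN and an IS NULL test instead of the second INNER JOIN:

```sql
-- Added example (not from the blog post): vulnerable devices WITHOUT the QualityCompat value,
-- i.e. devices that Windows Update will skip until an antivirus product (or an admin) sets it.
-- Table and column names are the KACE SMA ones used in the report above; the custom inventory
-- rule names are assumed to be unchanged.
SELECT mc.NAME AS Device,
       mc.LAST_INVENTORY AS Inventory,
       mc.OS_NAME AS Operating_System,
       mc.USER_FULLNAME AS Username,
       mci.STR_FIELD_VALUE AS 'Spectre & Meltdown Analysis'
FROM MACHINE mc
-- mci: the analysis output; filtered to the matching rule directly in the join condition
INNER JOIN MACHINE_CUSTOM_INVENTORY mci ON mc.ID = mci.ID
    AND mci.SOFTWARE_ID = (SELECT sw.ID FROM SOFTWARE sw
                           WHERE sw.DISPLAY_NAME = 'Inventory: Spectre & Meltdown Analysis')
-- mci1: the QualityCompat rule; LEFT JOIN keeps devices that have no row for it
LEFT JOIN MACHINE_CUSTOM_INVENTORY mci1 ON mc.ID = mci1.ID
    AND mci1.SOFTWARE_ID = (SELECT sw1.ID FROM SOFTWARE sw1
                            WHERE sw1.DISPLAY_NAME = 'Inventory: Spectre & Meltdown QualityCompat')
WHERE mci.STR_FIELD_VALUE LIKE '%false%'
  AND mci1.ID IS NULL
ORDER BY mc.NAME
```

The SOFTWARE_ID condition has to sit in the LEFT JOIN's ON clause, not in WHERE: moving it to WHERE would turn the outer join back into an inner one and the IS NULL test would never match.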

The report should look like this:


A little update after installing the Microsoft patch for my system (KB4056890).



Cheers Timo