Patch management got complicated — expensive tools, vendor lock-in, cloud dependencies. PatchCured makes it a verb again. Download, run as administrator, read the output. Missing patches, security misconfigurations, and suspicious events in one pass.
File version probes, registry supplement, and MSI database detection across 25,000+ applications. Supersedence resolved automatically — direct KB-to-KB and composite file version chains.
12 registry-based checks — WDigest, LSA Protection, SMBv1, LLMNR, UAC, firewall, RDP NLA, auto-logon credentials, PowerShell v2, unquoted service paths, credential caching, guest account.
8 event log queries over the last 7 days — failed logons with source IPs, account lockouts, RDP sessions, admin group changes, audit log cleared, new services, new local accounts.
Three ways to scan. Pick the one that fits your workflow.
Download cured.exe and patches.db from the repo. Point the scanner at the database. No build step, no sync required. Ideal for getting started immediately.
Run cured --refresh to pull the latest data from all 38 sources, then scan. One command. Always current. Requires internet on first run.
Sync once on an internet-connected machine, clone to a compact copy with superseded patches stripped, move the single .db file to USB. No internet at scan time. Use cured-local.exe — remote scanning code compiled out.
Registry-based checks run on every scan. No agents, no WMI, no external calls.
| Check | What It Catches | Severity |
|---|---|---|
| SEC-001 | AutoAdminLogon with plaintext credentials stored in registry | Critical |
| SEC-002 | WDigest enabled — plaintext passwords cached in LSASS memory | Critical |
| SEC-003 | LSA Protection (RunAsPPL) disabled — LSASS unprotected | Critical |
| SEC-004 | Windows Firewall disabled on any profile (domain, private, public) | Important |
| SEC-005 | SMBv1 still enabled — exploited by WannaCry and most ransomware | Important |
| SEC-006 | UAC disabled or set to never notify | Important |
| SEC-007 | LLMNR enabled — susceptible to name poisoning / credential capture | Important |
| SEC-008 | Remote Desktop allowed without Network Level Authentication | Important |
| SEC-009 | PowerShell v2 available — bypasses constrained language mode and logging | Moderate |
| SEC-010 | Unquoted service paths — local privilege escalation vector | Moderate |
| SEC-011 | Excessive cached logon count — credential exposure risk offline | Moderate |
| SEC-012 | Guest account enabled | Moderate |
Everything cured.exe can do. Most flags can be combined.
Scan local machine. Missing patches, SEC-001–012 checks, and 7-day event log analysis. Run as administrator.
Sync patch database from all 38 sources then scan immediately. One command to always scan with fresh data.
Export scan results as an AI-ready markdown file with a prompt template. No API key required. Paste into any AI chat.
Inline AI analysis — adds a prioritized plain-text remediation plan directly to the scan output.
Output results as JSON for scripting, SIEM ingestion, or piping into PowerShell with ConvertFrom-Json.
List all detected applications with versions and detection method. No patch check performed.
Scan a remote Windows machine over C$ admin shares. No agent, no WinRM, no WMI required.
Incremental patch database refresh. Only fetches what changed since last sync using ETags and date cursors.
Wraps cured.exe --json and returns real PowerShell objects. Filter, sort, export to CSV, or feed into Intune detection scripts.
Scan local machine. Returns object with missingPatches, securityFindings, eventFindings, and summary.
All detected applications with versions, vendor, and detection method used.
Scan and export as AI-ready .md or .csv. No API key needed. Paste into any AI chat.
Scan plus inline AI analysis in one command. Requires Anthropic API key.
PatchCured can analyze your scan results with AI two ways — free with no setup, or automated with an API key. Either way you get a plain-English remediation plan ranked by risk.
Download Free →Built by the creator of HFNetChk and MBSA. Free, agentless, command-line patch scanning — the way it was always meant to be.
"On the 25th anniversary of launching HFNetChk I'm back in patch management. The original was free, ran from a command line, and helped millions of administrators find missing patches with no agent and no vendor lock-in. That was the right idea then. It's still the right idea now."
Senserva builds Microsoft 365 and Azure security products. PatchCured is built on PatchCurated.org — the open-source patch database maintained by the community. Senserva is a member of the Microsoft Intelligent Security Association (MISA), an invite-only program for ISVs building security solutions on Microsoft technology.
PatchCured scans against PatchCurated — an open SQLite database covering 25,000+ applications across 38 sources. Use the pre-built database, sync it yourself, or contribute new sources back to the community.
Download cured.exe, run as administrator, read the output. That's it.
Open-source data by