38 sources. 25,000+ applications. Windows, macOS, and Linux. A portable SQLite database anyone can query — and a free scanner built on top of it. Patch management got complicated — expensive tools, vendor lock-in, cloud dependencies. PatchCured makes it a verb again: find the gaps, Cure It, move on. Works standalone or alongside Ivanti, SCCM, Intune, and any existing patching tool.
Senserva is a Microsoft security company and member of the Microsoft Intelligent Security Association (MISA) — an invite-only program for independent software vendors building best-in-class security solutions on Microsoft technology. PatchCurated is our open-source foundation. PatchCured is the free scanner built on it. More tools coming.
A single portable SQLite file updated on your schedule. Use the pre-built database, sync it yourself, or build new sources and contribute them back.
Download patches.db directly from the repo. No build step. Open with any SQLite client or point cured.exe straight at it.
Sync once, clone to a compact copy with superseded patches stripped, move the single .db file to USB. No internet required at scan time.
Open SQLite schema — query directly, integrate into your own tooling, or pipe through PowerShell. Commercial use is free with attribution to patchcurated.org.
Download cured.exe, run as administrator, read the output. Missing patches, security misconfigurations, and suspicious events in one pass. Find what's wrong — Cure It. Built on PatchCurated data.
File version probes, registry supplement, and MSI database detection. Supersedence resolved automatically — both direct (KB-to-KB) and composite (file versions already satisfied).
12 registry-based checks: WDigest, LSA Protection, SMBv1, LLMNR, UAC, firewall, RDP, auto-logon credentials, PowerShell v2, unquoted paths, and more.
8 event log queries over the last 7 days — failed logons with source IPs, lockouts, RDP sessions, admin group changes, audit log cleared, new services, new accounts.
Export with --export-ai and paste into Claude.ai, ChatGPT, or Copilot. The file includes a prompt template. Or use --ai-key for inline automated analysis.
| Check | What It Catches | Severity |
|---|---|---|
| SEC-001 | AutoAdminLogon with plaintext credentials in registry | Critical |
| SEC-002 | WDigest enabled — plaintext passwords cached in LSASS memory | Critical |
| SEC-003 | LSA Protection (RunAsPPL) disabled | Critical |
| SEC-004 | Windows Firewall disabled on any profile | Important |
| SEC-005 | SMBv1 still enabled — used by WannaCry and ransomware | Important |
| SEC-006 | UAC disabled or weakened | Important |
| SEC-007 | LLMNR enabled — name poisoning attack surface | Important |
| SEC-008 | Remote Desktop allowed without Network Level Authentication | Important |
| SEC-009 | PowerShell v2 available — bypasses constrained language mode and logging | Moderate |
| SEC-010 | Unquoted service paths — privilege escalation vector | Moderate |
| SEC-011 | Excessive credential caching (cached logon count) | Moderate |
| SEC-012 | Guest account enabled | Moderate |
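A read-only audit of six of the checks in the table above, as an added example; it is not PatchCured's code. The registry locations are the standard Windows ones, whether PatchCured reads exactly these values is an assumption, and `Get-RegValue` is a hypothetical helper.

```powershell
# Added example: registry audit for a subset of the SEC-0xx checks (read-only).
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigest  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$uac      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$dns      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# RDP is reachable when fDenyTSConnections is 0; NLA is enforced when
# UserAuthentication is 1 on the RDP-Tcp listener.
$rdpOn = (Get-RegValue $ts 'fDenyTSConnections') -eq 0
$nla   = (Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication') -eq 1

$checks = @(
    # Auto-logon is only a finding when a password is actually stored.
    @{ Id = 'SEC-001'; Severity = 'Critical'
       Fail = ((Get-RegValue $winlogon 'AutoAdminLogon') -eq '1') -and
              ($null -ne (Get-RegValue $winlogon 'DefaultPassword')) }
    # An absent value is treated as off (true on Windows 8.1 / 2012 R2 and later).
    @{ Id = 'SEC-002'; Severity = 'Critical'
       Fail = (Get-RegValue $wdigest 'UseLogonCredential') -eq 1 }
    # RunAsPPL 1 or 2 means LSA runs protected; absent or 0 means it does not.
    @{ Id = 'SEC-003'; Severity = 'Critical'
       Fail = (Get-RegValue $lsa 'RunAsPPL') -notin 1, 2 }
    # UAC off, or administrators elevated without any prompt.
    @{ Id = 'SEC-006'; Severity = 'Important'
       Fail = ((Get-RegValue $uac 'EnableLUA') -eq 0) -or
              ((Get-RegValue $uac 'ConsentPromptBehaviorAdmin') -eq 0) }
    # LLMNR stays on unless the policy value is explicitly 0.
    @{ Id = 'SEC-007'; Severity = 'Important'
       Fail = (Get-RegValue $dns 'EnableMulticast') -ne 0 }
    @{ Id = 'SEC-008'; Severity = 'Important'
       Fail = $rdpOn -and -not $nla }
)

# Emit one object per check so the result can be filtered or exported.
$checks | ForEach-Object {
    [pscustomobject]@{ Check = $_.Id; Severity = $_.Severity
                       Status = if ($_.Fail) { 'FAIL' } else { 'ok' } }
}
```

The output is a stream of objects, so `Where-Object Status -eq 'FAIL'` or `Export-Csv` can be appended to the final pipeline.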
The module wraps cured.exe --json and returns real PowerShell objects — filter, sort, export to CSV, or feed into Intune detection scripts.
Scan local machine. Returns object with missingPatches, securityFindings, summary, and optional aiAnalysis.
All detected applications with versions, vendor, and detection method.
Scan and export as AI-ready .md or .csv. No API key. Paste into any AI chat.
Scan plus inline AI analysis in one command. Requires Anthropic API key.
The curated binary manages the database. The cured binary scans machines. Both share the repo subcommand and the global --db flag.
cured — scanner
Scan local machine. Missing patches, security configuration, and event log analysis. Run as administrator.
Sync the patch database (init if none exists), then scan. One command to always scan with fresh data.
Export scan results as an AI-ready markdown or CSV file. No API key. Paste into Claude.ai, ChatGPT, Copilot, or any AI chat.
Inline AI analysis — adds a prioritized plain-text remediation plan directly to the scan output. Key can be env:VAR or file:path.
List all detected applications with versions and detection method. No patch check.
Scan a remote Windows machine over C$ admin shares. No agent, no WinRM, no WMI required.
curated repo — database management
Full pull from all 38 sources. Creates schema and populates from scratch. Run once.
Incremental refresh using ETags and date cursors. Only fetches what changed. Schedule daily or weekly.
Database stats: patch count, vendors, detection rules, CVEs, last sync time, and file size.
Compact scan-ready copy — superseded patches stripped. Typically 40–50% smaller. Ideal for endpoints and air-gap deployment.
CVE lookup — which patches address it, affected products, CVSS score, EPSS, and CISA KEV status.
Enrich CVEs with CVSS, CWE, EPSS, and CISA KEV from NVD, OSV, and GitHub Advisory.
Export as signed JSON for GitHub Pages hosting. Creates manifest.json + manifest.sig.
Download a hosted repository (Azure Table) into local SQLite for fully offline scanning.
Generate RSA-2048 key pair for signing exported patch data.
Implement one C# interface, add one line to the engine. Scheduling, error isolation, progress display, and sync history are all handled automatically.
Wanted data sources
Also open to contributors on:
Detection rules, platform coverage, PowerShell module, reporting
Wrong versions, missing CVEs, bad detection rules
The tools that created the patch management industry — and why a new one was overdue.
Mark Shavlik releases the first agentless patch scanner for Windows NT. Free, command-line, no agent. Downloaded by millions of administrators worldwide.
Shavlik partners with Microsoft to build MBSA — free GUI tool combining HFNetChk's engine with OS configuration checks. Part of the Windows 2000 Server Toolkit. Scanned 3M+ computers per week at peak.
HFNetChk grows into a full commercial patch management platform — scan, deploy, report, across physical and virtual environments.
Shavlik Technologies acquired by VMware, then LANDESK, then merged into Ivanti. The HFNetChk lineage lives on in Ivanti's security portfolio. Mark Shavlik is not affiliated with Ivanti.
On the 25th anniversary of launching HFNetChk, there is no public patch repository and no simple free scanner for it — and there should be. Same philosophy as the originals: open data, no agent, free to use. Patch management got complicated. PatchCured makes it a verb again — find the gaps, Cure It, move on.
"On the 25th anniversary of launching HFNetChk I'm back in patch management. The original was free, ran from a command line, and helped millions of administrators find missing patches with no agent and no vendor lock-in. That was the right idea then. It's still the right idea now."
Senserva builds Microsoft security products — 365 and Azure auditing with Siemserva, and now patch management with PatchCurated and PatchCured. Senserva is a member of the Microsoft Intelligent Security Association (MISA), an invite-only program for independent software vendors building best-in-class security solutions on Microsoft technology.
PatchCurated is the open foundation. PatchCured is the scanner. More tools from Senserva are coming — all built on the same community-maintained data layer.
Use the database, run the scanner, add a source, report bad data. Every contribution helps more systems stay patched.