How can I tell if a KB or newer has been installed for Windows?

07
2014-07
  • IguyKing

    I have a Windows system that I need to audit. The requirement is that (for example) KB2160329 has been installed onto the system. I know from lots of digging that KB2731847 that we have installed in the environment superseded the earlier KB.

    MSkbfiles.com works if you know the file name such as TCPIP.SYS. Doesn't do anything if you are just looking for KB Hotfixes.

    How can I say feed in a script that I'm looking for KB2160329 and it can check for superseded patches? Or is there a website somewhere that I'm missing?

    [Edited 7 May 2014 8:54am CST]

    I'm looking for a way to say that KB2731847 which is on the system does fix the same issue (plus more fixes) as KB2160329 which is not in the list as being installed on the system.

  • Answers
  • Julian Knight

    I think that you would have to create your own database of superseded hotfixes.

    The following PowerShell will tell you if you have a specific hotfix installed:

    get-hotfix | where HotfixID -eq 'KB2160329'
    

    You would need to walk through your manually created list checking for the superseded fix. Shouldn't be that hard to do.

  • Etienne

    You can download this spreadsheet from Microsoft: http://go.microsoft.com/fwlink/?LinkID=245778

    It includes all the published security bulletins/KB since June 1998: severity, impact, title, affected product and also information on superseded bulletins/KB.

    Then you just have to script a little bit to smartly compare the installed KB to this list :)

    Have you eventually found an easier way? I'm interested too!

  • Eric G

    Julian Knight's answer shows a way to do this with PowerShell; for regular old CMD, you can try wmic qfe list full. There are several formatting options and you could parse this in your script.

    You may also want to look into some vulnerability scanners, like Nessus, if that will address your root problem of knowing if systems are vulnerable to specific exploits.
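
The approach from Julian Knight's and Etienne's answers (compare the installed hotfixes against your own list of superseded KBs), written out as an added example that is not code from any of the posters. The function name `Test-KbCoverage` and the `$SupersededBy` map are hypothetical; the only map entry is the KB pair given in the question, and the installed list in the sample call is constructed.

```powershell
# Added example. Map: superseded KB -> KB(s) that replace it.
# The single entry is the pair stated in the question; extend it from your
# own list or from the bulletin spreadsheet linked in Etienne's answer.
$SupersededBy = @{
    'KB2160329' = @('KB2731847')
}

function Test-KbCoverage {
    param(
        [Parameter(Mandatory = $true)][string]$RequiredKb,
        [Parameter(Mandatory = $true)][hashtable]$SupersededBy,
        # Defaults to what Get-HotFix reports on the local machine.
        [string[]]$InstalledKb = @((Get-HotFix).HotFixID)
    )
    $visited = @{}                                  # guards against loops in the map
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Kb = $RequiredKb; Path = @($RequiredKb) })

    # Breadth-first walk: the required KB itself, then everything that
    # supersedes it, then everything that supersedes those, and so on.
    while ($queue.Count -gt 0) {
        $node = $queue.Dequeue()
        if ($visited.ContainsKey($node.Kb)) { continue }
        $visited[$node.Kb] = $true

        if ($InstalledKb -contains $node.Kb) {
            return [pscustomobject]@{
                RequiredKb  = $RequiredKb
                Covered     = $true
                InstalledKb = $node.Kb
                Chain       = $node.Path -join ' -> '
            }
        }
        foreach ($next in @($SupersededBy[$node.Kb])) {
            if ($next) { $queue.Enqueue(@{ Kb = $next; Path = $node.Path + $next }) }
        }
    }
    # Neither the required KB nor any known replacement is installed.
    [pscustomobject]@{ RequiredKb = $RequiredKb; Covered = $false; InstalledKb = $null; Chain = $null }
}

# Constructed installed list: KB2731847 present, KB2160329 absent.
Test-KbCoverage -RequiredKb 'KB2160329' -SupersededBy $SupersededBy -InstalledKb @('KB2731847')

# Against the live system (uses Get-HotFix):
# Test-KbCoverage -RequiredKb 'KB2160329' -SupersededBy $SupersededBy
```

A result of `Covered = $false` only means no KB in your map was found; Get-HotFix reads Win32_QuickFixEngineering, which does not list updates installed through Windows Installer (MSI), so an incomplete map or an MSI-delivered update can both produce it.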


  • Related Question

    Clean up windows update backup and install files
  • John Oxley

    I have a Server 2003 box and noticed the Windows directory is 4 gigs. I guess that's primarily Windows updates. Is it possible to clean up these updates?

    As a side note, it would be cool to do this on my XP boxes if possible.


  • Related Answers
  • harrymc

    Stay away from the winsxs folder. You can kill all the ones starting with a $ and using NTFS compression.