Windows – How to check, which files are changed by specific Windows Update

Every Windows update is associated with a KB article that contains a list of updated or created files. That KB article is accessible at https://support.microsoft.com/en-us/kb/####### with all those #s replaced by the update number. (You can change en-us to your language code if you want.) For example, here's one that updates a bunch of timezone-related stuff. Some articles have the table in the article itself; others (like the linked one) have a link to download a CSV with the information.

If you don't trust that, you can download the standalone version of the update from the KB article. Extract it with the Windows Update Standalone Installer: wusa FULL_PATH_TO_MSU /extract:FULL_PATH_TO_DEST_FOLDER. For example:

wusa C:\Users\Ben\Downloads\Windows8.1-KB2693643-x64.msu /extract:C:\suspiciousUpdate

(For the curious, that "update" is the Remote Server Administration Tools package for Windows 8.1.)

Navigate to the destination folder. There might be a PkgInstallOrder.txt, which indicates that the update will run an executable in addition to doing the normal Component-Based Servicing stuff; you can look at that file to see exactly what will be done in what order. There will also be an XML document that lists the CAB packages that will be installed.

To get at the full list of files, you'll need to extract the .cabs. This can be done with WinRAR, but Windows Explorer can at least look into them. Inside each .cab is an XML document that lists the files that will be created in WinSxS. Use any web browser's search function to look for the names of suspicious files. The .cab will also contain a bunch of .manifest files, some of which have <file> entries, which create hardlinks outside of WinSxS.

You can torch the WUSA extraction folder when you're done looking around inside it.