I am hacking some VBScript to attempt to determine the user that installed a program. If I can get it going, I can add this to OAv2.
The script is below. I get an unhelpful error and haven't managed to get it going. If anyone can help, it would be most appreciated. You can save it as blah.vbs and run it with "cscript blah.vbs". It should dump any software it finds an entry for in the App Log - title, who installed it and when. It should only dump the first entry it finds. IE - if you have installed, removed and installed a given piece of software, it may well have multiple entries in the Application Event Log.
Again, any help much appreciated.
[code]strComputer = "." const HKEY_LOCAL_MACHINE = &H80000002 set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv") set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set colItems = objWMIService.ExecQuery("SELECT Message, User, TimeGenerated FROM Win32_NTLogEvent where logfile = 'Application' and eventcode = '11707'",,48) strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" oReg.EnumKey HKEY_LOCAL_MACHINE,strKeyPath,arrSubKeys for each subkey In arrSubKeys newpath = strKeyPath & "\" & subkey newkey = "DisplayName" oReg.GetStringValue HKEY_LOCAL_MACHINE, newpath, newkey, strValue if strValue <> "" then package_name = strValue for each objItem in colItems mess1 = split(objItem.Message, "--") mess2 = split(mess1(0), " ", vbTextCompare) mess3 = split(mess2(0), "Product:") message_retrieved = trim(mess3(1)) if (not isNull(message_retrieved)) then if (InStr(message_retrieved, package_name) = 1) then package_installed_by = objItem.User package_installed_on = WMIDateStringToDate(objItem.TimeGenerated) wscript.echo package_name & " Installed By: " & package_installed_by & " On: " & package_installed_on exit for else package_installed_by = "" package_installed_on = "" end if end if next end if next
function WMIDateStringToDate(dtmDate) WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _ Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _ & " " & Mid (dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate,13, 2)) end function[/code]
_________________ Support and Development hours available from [url=https://opmantek.com]Opmantek[/url]. Please consider a purchase to help make Open-AudIT better for everyone.
|