
Open-AudIT


All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 5 posts ] 
 Post subject: Help wanted (vbscript)
PostPosted: Thu Jul 14, 2011 4:13 pm 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
I am hacking some VBScript to attempt to determine the user that installed a program.
If I can get it going, I can add this to OAv2.

The script is below.
I get an unhelpful error and haven't managed to get it going.
If anyone can help, it would be most appreciated.
You can save it as blah.vbs and run it with "cscript blah.vbs".
It should dump any software it finds an entry for in the App Log - title, who installed it and when.
It should only dump the first entry it finds, i.e. if you have installed, removed and installed a given piece of software, it may well have multiple entries in the Application Event Log.

Again, any help much appreciated.

[code]strComputer = "."
const HKEY_LOCAL_MACHINE = &H80000002
set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Event 11707 = Windows Installer "Installation completed successfully"
Set colItems = objWMIService.ExecQuery("SELECT Message, User, TimeGenerated FROM Win32_NTLogEvent where logfile = 'Application' and eventcode = '11707'",,48)
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
for each subkey In arrSubKeys
    newpath = strKeyPath & "\" & subkey
    newkey = "DisplayName"
    oReg.GetStringValue HKEY_LOCAL_MACHINE, newpath, newkey, strValue
    if strValue <> "" then
        package_name = strValue
        for each objItem in colItems
            ' Message looks like "Product: <name> -- Installation completed successfully."
            mess1 = split(objItem.Message, "--")
            mess2 = split(mess1(0), " ", vbTextCompare)
            mess3 = split(mess2(0), "Product:")
            message_retrieved = trim(mess3(1))
            if (not isNull(message_retrieved)) then
                ' InStr = 1: the product name in the event starts with the registry DisplayName
                if (InStr(message_retrieved, package_name) = 1) then
                    package_installed_by = objItem.User
                    package_installed_on = WMIDateStringToDate(objItem.TimeGenerated)
                    wscript.echo package_name & " Installed By: " & package_installed_by & " On: " & package_installed_on
                    exit for
                else
                    package_installed_by = ""
                    package_installed_on = ""
                end if
            end if
        next
    end if
next

' Convert a WMI CIM_DATETIME string (yyyymmddHHMMSS.ffffff+UUU) to a Date
function WMIDateStringToDate(dtmDate)
    WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
        Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
        & " " & Mid(dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate, 13, 2))
end function[/code]

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.


PostPosted: Fri Jul 15, 2011 4:15 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Two things:

It's possible for objItem.Message to be Null so you need to test for that.

More importantly, the 48 at the end of your ExecQuery [url=http://msdn.microsoft.com/en-us/library/aa392301%28v=vs.85%29.aspx]means something[/url]. Specifically, that you want a return-immediately, forward-only query. You then proceed to loop over the results repeatedly when they were clobbered after the first run through.

So something more like this:
[code]strComputer = "."
const HKEY_LOCAL_MACHINE = &H80000002
set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Flags = 0 (not 48): a rewindable collection, so it can be enumerated again for every registry key below.
' Event 11707 = Windows Installer "Installation completed successfully"
Set colItems = objWMIService.ExecQuery("SELECT Message, User, TimeGenerated FROM Win32_NTLogEvent where logfile = 'Application' and eventcode = '11707'",,0)
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
for each subkey In arrSubKeys
    newpath = strKeyPath & "\" & subkey
    newkey = "DisplayName"
    oReg.GetStringValue HKEY_LOCAL_MACHINE, newpath, newkey, strValue
    if strValue <> "" then
        package_name = strValue
        package_installed_by = ""
        package_installed_on = ""
        for each objItem in colItems
            ' Message can be Null; comparing Null evaluates as False here, so such events are skipped
            if objItem.Message <> "" then
                ' Message looks like "Product: <name> -- Installation completed successfully."
                ' (the original split on " " passed vbTextCompare as the count argument, making it a no-op, so it is dropped)
                mess1 = split(objItem.Message, "--")
                mess3 = split(mess1(0), "Product:")
                ' Guard against messages without a "Product:" prefix, where mess3(1) would be out of range
                if UBound(mess3) >= 1 then
                    message_retrieved = trim(mess3(1))
                    ' InStr = 1: the product name in the event starts with the registry DisplayName
                    if (InStr(message_retrieved, package_name) = 1) then
                        package_installed_by = objItem.User
                        package_installed_on = WMIDateStringToDate(objItem.TimeGenerated)
                        wscript.echo package_name & " Installed By: " & package_installed_by & " On: " & package_installed_on
                        exit for   ' first matching event only
                    end if
                end if
            end if
        next
    end if
next

' Convert a WMI CIM_DATETIME string (yyyymmddHHMMSS.ffffff+UUU) to a Date.
' DateSerial/TimeSerial avoid the locale dependence of CDate("MM/DD/YYYY"),
' which misreads day and month on DD/MM locales such as en-AU.
function WMIDateStringToDate(dtmDate)
    WMIDateStringToDate = DateSerial(Left(dtmDate, 4), Mid(dtmDate, 5, 2), Mid(dtmDate, 7, 2)) + _
        TimeSerial(Mid(dtmDate, 9, 2), Mid(dtmDate, 11, 2), Mid(dtmDate, 13, 2))
end function
[/code]


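The forward-only problem described in the reply above, together with the message and date parsing both scripts rely on, as an added Python example that is not part of this thread and not Open-AudIT code. It constructs sample 11707 events and DisplayName values inline instead of calling WMI or reading the registry; `forward_only` is a generator used as a stand-in for a collection opened with wbemFlagForwardOnly (part of flag 48), and the names NtLogEvent, attribute_installs and compare_enumeration_modes are mine.

```python
"""Correlate MSI event 11707 ("Installation completed successfully") with
installed-program names, as the thread's VBScript does. Added example with
constructed data; nothing here queries WMI or the registry."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class NtLogEvent:
    """Subset of Win32_NTLogEvent used by the script (constructed stand-in)."""
    message: Optional[str]   # Message can be Null in WMI, hence Optional
    user: str
    time_generated: str      # CIM_DATETIME string, e.g. 20110714161300.000000+600


# Constructed sample events, oldest first. 7-Zip appears twice (installed,
# removed, reinstalled), one event has a Null message, one is not an MSI message.
SAMPLE_EVENTS = [
    NtLogEvent("Product: 7-Zip 9.20 -- Installation completed successfully.",
               "CORP\\alice", "20110301093000.000000+600"),
    NtLogEvent(None, "NT AUTHORITY\\SYSTEM", "20110302100000.000000+600"),
    NtLogEvent("Product: Notepad++ -- Installation completed successfully.",
               "CORP\\bob", "20110705141500.000000+600"),
    NtLogEvent("Product: 7-Zip 9.20 -- Installation completed successfully.",
               "CORP\\carol", "20110714161300.000000+600"),
    NtLogEvent("Windows Installer reconfigured the product.",
               "CORP\\dave", "20110714170000.000000+600"),
]

# Constructed stand-ins for the DisplayName values under the Uninstall key.
SAMPLE_DISPLAY_NAMES = ["Notepad++", "7-Zip 9.20", "VLC media player"]


def product_from_message(message):
    """Extract the product name from an 11707 message; None if not present.

    Mirrors the split on "--" and then on "Product:", but returns None where
    the VBScript's mess3(1) would raise "subscript out of range"."""
    if message is None:
        return None
    head = message.split("--", 1)[0]
    if "Product:" not in head:
        return None
    return head.split("Product:", 1)[1].strip()


def wmi_datetime(cim):
    """Parse CIM_DATETIME yyyymmddHHMMSS.ffffff+UUU into an aware datetime."""
    naive = datetime.strptime(cim[:14], "%Y%m%d%H%M%S")
    offset_minutes = int(cim[21:])           # e.g. "+600" -> 600 (UTC+10)
    return naive.replace(tzinfo=timezone(timedelta(minutes=offset_minutes)))


def attribute_installs(display_names, events):
    """Map each DisplayName to (user, datetime) of the first matching event.

    `InStr(message_retrieved, package_name) = 1` in the script is a
    starts-with test; `break` plays the role of `exit for`."""
    found = {}
    for name in display_names:
        for ev in events:
            product = product_from_message(ev.message)
            if product is not None and product.startswith(name):
                found[name] = (ev.user, wmi_datetime(ev.time_generated))
                break
    return found


def forward_only(events):
    """Generator standing in for an enumerator opened with wbemFlagForwardOnly
    (included in flag 48): each event can be read once, and the collection
    cannot be rewound for the next DisplayName."""
    yield from events


def compare_enumeration_modes(names=SAMPLE_DISPLAY_NAMES):
    """Run the correlation over a rewindable list (flag 0 semantics) and over
    a forward-only stream (flag 48 semantics) and return both results."""
    rewindable = attribute_installs(names, SAMPLE_EVENTS)
    once_only = attribute_installs(names, forward_only(SAMPLE_EVENTS))
    return rewindable, once_only


if __name__ == "__main__":
    for label, result in zip(("flags=0", "flags=48"), compare_enumeration_modes()):
        print(label)
        for name, (user, when) in result.items():
            print(f"  {name} Installed By: {user} On: {when:%Y-%m-%d %H:%M}")
```

With the rewindable list, 7-Zip is attributed to alice (its first event); with the forward-only stream the cursor has already moved past alice's event while searching for Notepad++, so 7-Zip is attributed to carol. A WMI forward-only enumerator raises an error on re-enumeration rather than silently continuing as the Python generator does, which matches the "one result before it would bomb" behaviour in the thread; either way the answer is not the one the audit wants.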
PostPosted: Fri Jul 15, 2011 9:21 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
Awesome, thanks.
I knew it was related to something there... I was getting one result before it would bomb.
So, going forward, OAv2 will not only tell you when it sees new software, but WHO installed it and WHEN.
Looks like a schema change is coming to beta3...



PostPosted: Fri Jul 15, 2011 9:26 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
While you're in there updating the schema maybe you could add the [url=http://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5731]uptime[/url]?


PostPosted: Fri Jul 15, 2011 10:30 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
Yep, sure. Done.
Expect these in Beta 3.


