Open-AudIT
https://www.open-audit.org/phpBB3/

Software Usage in OAv2
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5793

Author:  Mark [ Thu Nov 10, 2011 5:26 pm ]
Post subject:  Software Usage in OAv2

I am (finally) coding the script to determine the last time a given piece of software was used. I have most of the executables determined for MS Office (see below), but am throwing open to everyone any executables you would like examined. If you would like something else, just post here and include the FULL path including the .exe name. I will add your item to the list below and delete your post (so as not to create a LONG list of posts, is all).

The attributes I am recording are "last accessed date" - i.e., the last time it was run and also the extended attributes present on .exe's (File -> Properties -> Version -> ) "Product Name", "Product Version" and "Internal Version".

These attributes will be kept in a table in the database (sys_sw_software_used) separate from the "installed software" table (sys_sw_software). The products do not correspond to what is installed. For example, most installs of Office will show up as "Microsoft Office XP Professional" or some such. Creating entries for "Microsoft Word XP", "Microsoft Excel 2007", etc, etc in the existing installed software table would not be accurate, prone to error and cause confusion.

Therefore, I do not want actual product names - just the full path. The product name will be determined from the attribute on the file (as above). ProductName - InternalName (or some combination thereof).

So, a couple of examples are:

[code]InternalName: Visio 2003
ProductName: Microsoft Visio
ProductVersion: 11.0
Date last accessed: 10/11/2011 4:56:17 PM

InternalName: Outlook
ProductName: Microsoft Office Outlook
ProductVersion: 11.0.8169
Date last accessed: 10/11/2011 4:26:47 PM

InternalName: WinWord
ProductName: Microsoft Office 2003
ProductVersion: 11.0.8169
Date last accessed: 10/11/2011 4:56:20 PM[/code]


Also of note is the fact that when a file's attributes are read, this changes the date of "lastAccessed". Sigh. I'll have to do some clever stuff in the processing of the audit results like "If lastAccessed is within 5 minutes of the time the system was last audited, do not update this field in the DB". That way, we can read the lastAccessed date and if it is set to the time of the last audit, then WE altered this by reading it last time. Disregard this timestamp and use the previous one. What a pain, but I don't see another way around this. I'm open to suggestions.


I have also attached a basic script to retrieve these details. Feel free to put some of your own paths into it and test it out. NOTE - If you use a remote system in strComputer, make sure the user account you use to run the script has Admin access on the remote system. Rename the script to files.vbs and run it with cscript.


The different Office directories correspond to -
[code]Office 2000 - c:\Program Files\Microsoft Office\Office\
Office XP - c:\Program Files\Microsoft Office\Office10\
Office 2003 - c:\Program Files\Microsoft Office\OFFICE11\
- c:\Program Files\Microsoft Office\Visio11\
Office 2007 - c:\Program Files\Microsoft Office\OFFICE12\
Office 2010 - c:\Program Files\Microsoft Office\OFFICE14\[/code]

These are the files I am examining by default.
[code]C:\Program Files\Microsoft Office\Office\winproj.exe
C:\Program Files\Microsoft Office\Office10\msaccess.exe
C:\Program Files\Microsoft Office\Visio11\visio.exe
c:\Program Files\Microsoft Office\OFFICE11\excel.exe
c:\Program Files\Microsoft Office\OFFICE11\outlook.exe
c:\Program Files\Microsoft Office\OFFICE11\msaccess.exe
c:\Program Files\Microsoft Office\OFFICE11\powerpnt.exe
c:\Program Files\Microsoft Office\OFFICE11\winproj.exe
c:\Program Files\Microsoft Office\OFFICE11\winword.exe
c:\Program Files\Microsoft Office\OFFICE12\excel.exe
c:\Program Files\Microsoft Office\OFFICE12\outlook.exe
c:\Program Files\Microsoft Office\OFFICE12\powerpnt.exe
c:\Program Files\Microsoft Office\OFFICE12\visio.exe
c:\Program Files\Microsoft Office\OFFICE12\winword.exe
c:\Program Files\Microsoft Office\OFFICE14\excel.exe
c:\Program Files\Microsoft Office\OFFICE14\outlook.exe
c:\Program Files\Microsoft Office\OFFICE14\powerpnt.exe
c:\Program Files\Microsoft Office\OFFICE14\visio.exe
c:\Program Files\Microsoft Office\OFFICE14\winword.exe[/code]

Attachments:
files.txt [12.63 KiB]
Downloaded 456 times
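
Added example, not part of the original post, the attached script or Open-AudIT's own code: a sketch of the "within 5 minutes of the last audit" rule described in the post above. It is written in Python for illustration; the function names and the sample timestamps are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Window from the post: a lastAccessed value this close to the previous audit
# is assumed to have been written by the audit script's own read of the file.
AUDIT_WINDOW = timedelta(minutes=5)


def resolve_last_used(observed, previous_audit, stored):
    """Pick the value to keep for one executable (hypothetical helper).

    observed       -- lastAccessed read from the file during this audit
    previous_audit -- time the system was last audited, None on the first audit
    stored         -- value already in the database, None if there is no row
    """
    if previous_audit is not None and abs(observed - previous_audit) <= AUDIT_WINDOW:
        return stored  # our own earlier read: disregard it, keep the old value
    return observed


def apply_audit(db, previous_audit, observations):
    """Return a new {path: last_used} mapping after one audit run."""
    updated = dict(db)
    for path, observed in observations.items():
        value = resolve_last_used(observed, previous_audit, db.get(path))
        if value is not None:
            updated[path] = value
    return updated


# Constructed sample data (not taken from a real audit).
OFFICE11 = r"c:\Program Files\Microsoft Office\OFFICE11" + "\\"
PREVIOUS_AUDIT = datetime(2011, 11, 9, 9, 0, 0)
DB = {OFFICE11 + "winword.exe": datetime(2011, 11, 8, 14, 30, 0)}
OBSERVED = {
    OFFICE11 + "winword.exe": datetime(2011, 11, 9, 9, 2, 10),  # audit's own read
    OFFICE11 + "excel.exe": datetime(2011, 11, 10, 11, 15, 0),  # later access
    OFFICE11 + "outlook.exe": datetime(2011, 11, 9, 9, 1, 5),   # audit's read, no row yet
}

if __name__ == "__main__":
    for path, when in sorted(apply_audit(DB, PREVIOUS_AUDIT, OBSERVED).items()):
        print(path, when.isoformat(sep=" "))
```

The rule cannot tell the audit's own read from a genuine launch that happened inside the same five-minute window, so such a launch is discarded as well.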

Author:  jpa [ Fri Nov 11, 2011 2:13 am ]
Post subject:  Re: Software Usage in OAv2

Last accessed timestamp updating [url=http://blogs.technet.com/b/filecab/archive/2006/11/07/disabling-last-access-time-in-windows-vista-to-improve-ntfs-performance.aspx]is disabled[/url] by default in Vista and newer. So if you want to track this stuff in modern Windows you'll need to enable it.

Author:  Mark [ Fri Nov 11, 2011 6:56 am ]
Post subject:  Re: Software Usage in OAv2

Thanks JPA - well crap.
Anyone have any other suggestions for how to accomplish this?
Enabling this in Vista and newer isn't really an option (for OAv2).

Author:  jpa [ Fri Nov 11, 2011 7:21 am ]
Post subject:  Re: Software Usage in OAv2

I don't think you can do what you want without turning on file system auditing or creating a file system driver. However, I'm not an authority on this.

Author:  Mark [ Fri Nov 11, 2011 9:11 am ]
Post subject:  Re: Software Usage in OAv2

Damn - I've done some reading and I don't know that the lastAccessed attribute is really suitable for determining when a program was last run. If anyone would like this feature, I am open to suggestions as to how to accomplish it, but it has to work "out of the box" on Win2000 and up and also 64bit versions...

It also seems a bit weird... This morning I HAVE NOT STARTED Word, Excel, PowerPoint or Access, yet when I ran the script it showed that the lastAccessed date for those files was 8:50:xx this morning. This was not when I signed on (that was earlier), it was not when I ran the script (that was later). Seems it just is not reliable enough :-(

For now I think I'll leave this out of OAv2 - unless we can create a suitable solution. A shame because it would be very useful.

[quote]That all changed with Windows 95. When listing files Windows Explorer, part of Windows 95 and later, opens each file to extract icons for the directory display and in the process updates the last accessed attribute, rendering it useless as a file management tool. This problem has existed in Windows at least up to and including Windows XP.
Windows Vista turned off the updating of the last accessed attribute to save system resources. In Windows 7 it is also off by default, but can be re-enabled from the command line with the following command:

fsutil behavior set disablelastaccess 0

When enabled on Windows 7, Windows Explorer seems to handle the last accessed attribute correctly.

To take advantage of this attribute you need to make sure Windows XP and earlier versions are removed from your networks. You also need to make sure your applications handle this attribute correctly. A few antivirus, anti-malware and backup software packages still reset this attribute. By making sure your utility software, applications and client operating systems don’t interfere you can regain the value this attribute offers.[/quote]

Author:  NickBrown [ Tue Nov 15, 2011 6:36 pm ]
Post subject:  Re: Software Usage in OAv2

Hi Mark, you cannot rely on that file attribute. *Any* type of file access causes this property to be updated - that could be anti-virus scanning for example. Even opening the file properties in Explorer can cause the last accessed date to be updated.

All times are UTC + 10 hours