Open-AudIT

What's on your network?

All times are UTC + 10 hours




 Post subject: New Audit Script
PostPosted: Sat Mar 03, 2012 5:11 pm 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
This will likely be the audit script for Beta5.
It should run fine, but may cause an error on post to the application.
It has extra fields that are not in the Beta4 database.

Could someone give it a whirl and let me know how it goes?
Rename it to audit_windows.vbs, naturally...

What has changed?
More error handling and reporting.
Better detection of the last user (if they are in AD, their "company").
System Icon is now the os_family attribute.
Improved multiple monitor detection and reporting.
Monitor size (in inches) and aspect ratio (they were tricky...).
Better handling of the enumeration of "who" installed software.


Attachments:
File comment: New Audit Script
audit_windows.txt [232.25 KiB]
Downloaded 152 times

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.
 Post subject: Re: New Audit Script
PostPosted: Sun Mar 04, 2012 6:21 am 
Newbie

Joined: Wed Feb 15, 2012 1:15 am
Posts: 13
Location: Belgium
Tried it...

I get:
Code:
starting audit - IP-ADDRESS
-2147217394 - invalid namespace

Code:
starting audit - PCNAME
-2147023174 - RPC-server net available

The RPC-server is working with the previous script, using an IP-ADDRESS.


 Post subject: Re: New Audit Script
PostPosted: Sun Mar 04, 2012 10:31 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1223
Although not noted I assume wouter is getting the error when passing strUser to the script. The error is on line 122. I couldn't find any documentation for ConnectServer that included winmgmts info in the namespace line like you have on line 122.

You need a "Const wbemConnectFlagUseMaxWait = 128" as you use it all over and it's not defined.

Still haven't fixed the "software installed by" problem on non-English Windows. Possible fix noted here.


 Post subject: Re: New Audit Script
PostPosted: Mon Mar 05, 2012 12:28 am 
Newbie

Joined: Wed Feb 15, 2012 1:15 am
Posts: 13
Location: Belgium
jpa wrote:
Although not noted I assume wouter is getting the error when passing strUser to the script.

That's correct. I used:
Code:
cscript.exe audit_windows.vbs strcomputer=IP-ADDRESS struser=IP-ADDRESS\USERNAME strpass=PASSWORD


 Post subject: Re: New Audit Script
PostPosted: Mon Mar 05, 2012 6:39 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
Thanks guys - will look at these tonight (it's 6:30am here at present).

EDIT.
OK, so I couldn't help myself... new script attached.
I've included the patch for proper software detection and put in some extra error catching and details around the problem area (line 122, etc).
Give it another go and let me know...


Attachments:
File comment: audit_windows script (rename to audit_windows.vbs)
audit_windows.txt [233.98 KiB]
Downloaded 113 times

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.
 Post subject: Re: New Audit Script
PostPosted: Mon Mar 05, 2012 2:43 pm 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1223
Haven't tested yet but I think:

Code:
objSWbemServices.Security_.ImpersonationLevel = 6
should be
wmiNameSpace.Security_.ImpersonationLevel = 3

Looks like you just missed updating the name and ImpersonationLevel on the first one as the others are correct.


The error messages on line 132, 147, 161 and 178 were probably cut-n-pasted from somewhere and the message needs changing.

Mark wrote:
I've included the patch for proper software detection ...
You do this twice in the script and you only patched the second instance.

Line 1625 has "wbemFlagReturnImmediately + wbemFlagForwardOnly" which aren't defined rather than "48" like the other ExecQueries. There are some ExecQuery calls that don't include the 48 but probably should. I know some shouldn't include the ForwardOnly stuff.

I see the following at line 2221:
Code:
' note that I have a system that fails when the below is attempted.
on error resume next
Set colItems = objWMIService.ExecQuery("SELECT Message, User, TimeGenerated FROM Win32_NTLogEvent where logfile = 'Application' and eventcode = '11707'",,0)
On Error Goto 0

It might be interesting to add some code to see what error codes are returned by ExecQuery on the failing machines. SWbemServices.ExecQuery method


 Post subject: Re: New Audit Script
PostPosted: Mon Mar 05, 2012 9:24 pm 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
OK, I've made the changes - give it another shot. I really shouldn't try to code AND get the kids ready for school at the same time :-)

Code:
It might be interesting to add some code to see what error codes are returned by ExecQuery on the failing machines. SWbemServices.ExecQuery method


Thanks for the link - am thinking a small function to examine any returned errors (after every call). Obviously not in this script though :-)

EDIT - So I wrote a quick function call to return the error name and description and I call it after every WBEM call. The script still runs in 13 seconds (locally) on my laptop, so it seems fine.

It's now in this (new) attachment.


Attachments:
audit_windows.txt [239.07 KiB]
Downloaded 109 times

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.
 Post subject: Re: New Audit Script
PostPosted: Tue Mar 06, 2012 2:34 am 
Newbie

Joined: Wed Feb 15, 2012 1:15 am
Posts: 13
Location: Belgium
Tried the last script with:
Code:
cscript.exe audit_windows.vbs strcomputer=IP-ADDRESS struser=IP-ADDRESS\USERNAME strpass=PASSWORD

The audit does start, but stops at:
Code:
local groups info
C:\audit_windows.vbs(1982, 4) Active Directory: unspecified error

None of my PCs are members of a domain. I don't use Active Directory.


 Post subject: Re: New Audit Script
PostPosted: Tue Mar 06, 2012 4:17 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1223
What happens if you replace the "ADS_USE_ENCRYPTION OR ADS_SECURE_AUTHENTICATION" in line 1982 in the latest script with "0"?


 Post subject: Re: New Audit Script
PostPosted: Tue Mar 06, 2012 6:19 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
Replace line 1943 with this:
Code:
if ((windows_domain_role <> "Backup Domain Controller") and (windows_domain_role <> "Primary Domain Controller") and (windows_part_of_domain = "True")) then


This will remove Groups from the audit result and the audit should complete. I'll investigate more when I'm not getting the kids ready for school :D

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.


 Post subject: Re: New Audit Script
PostPosted: Tue Mar 06, 2012 6:23 am 
Newbie

Joined: Wed Feb 15, 2012 1:15 am
Posts: 13
Location: Belgium
jpa wrote:
What happens if you replace the "ADS_USE_ENCRYPTION OR ADS_SECURE_AUTHENTICATION" in line 1982 in the latest script with "0".

Tried your suggestion, but no success.
Same error:
Code:
local groups info
C:\audit_windows.vbs(1982, 4) Active Directory: unspecified error

Mark wrote:
Replace line 1943 with this:
Code:
if ((windows_domain_role <> "Backup Domain Controller") and (windows_domain_role <> "Primary Domain Controller") and (windows_part_of_domain = "True")) then

Tried your suggestion, but no success.
New error:
Code:
CD Keys
C:\audit_windows.vbs(2992, 2) SWbemLocator: RPC-server unavailable

I'm not a coder, so there is not much I can do.
I love testing stuff though, so as long as you guys have fun coding, I'll stick around to test it.


 Post subject: Re: New Audit Script
PostPosted: Tue Mar 06, 2012 7:32 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
At least you got past the Groups stage.
That next error is when determining CD Keys for 64-bit Windows. Interesting. I thought we had that licked...

JPA - any thoughts?

Wouter - if you're willing to persist debugging, I'm willing to persist. Thanks for the continued input.

I'm off to work (after taking the kids to school) now, so I won't be able to post again until tonight (11 hours from now). Sorry.

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.


 Post subject: Re: New Audit Script
PostPosted: Tue Mar 06, 2012 8:00 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1223
I wonder if it's DNS issues? Since wouter is using IP addresses it would be interesting to know if "nslookup COMPUTERNAME" from the computer performing the audit gives the IPADDRESS that he's using when calling the audit script.

If you pass in the IPADDRESS to the audit script it is transformed to the name of the system and used by the ConnectServer calls to remote into the target machine. Maybe this is a source of the issues if we don't have full DNS resolution.


 Post subject: Re: New Audit Script
PostPosted: Tue Mar 06, 2012 7:45 pm 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
Quote:
I wonder if it's DNS issues? Since wouter is using IP addresses it would be interesting to know if "nslookup COMPUTERNAME" from the computer performing the audit gives the IPADDRESS that he's using when calling the audit script.


Possibly - have replaced the computer_name with StrComputer.

Try again :-)


Attachments:
audit_windows.txt [242.95 KiB]
Downloaded 131 times

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.
 Post subject: Re: New Audit Script
PostPosted: Wed Mar 07, 2012 6:07 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
It seems my function to detect and report errors doesn't work.
After any given
Code:
set colItems = objWMIService.ExecQuery("Select * from Win32_CDROMDrive",,48)

I call
Code:
error_returned = Err.Number : if error_returned <> 0 then wscript.echo check_wbem_error(error_returned) end if

which calls the function
Code:
function check_wbem_error(error)
   if error = 2147749891 then check_wbem_error = "wbemErrAccessDenied - Current user does not have the permission to view the result set."
   if error = 2147749889 then check_wbem_error = "wbemErrFailed - Unspecified error."
   if error = 2147749896 then check_wbem_error = "wbemErrInvalidParameter - Invalid parameter was specified."
   if error = 2147749911 then check_wbem_error = "wbemErrInvalidQuery - Query syntax is not valid."
   if error = 2147749912 then check_wbem_error = "wbemErrInvalidQueryType - Requested query language is not supported."
   if error = 2147749894 then check_wbem_error = "wbemErrOutOfMemory - Not enough memory to complete the operation."
end function


Any ideas?
I.e., if I replace Win32_CDROMDrive with Win32_CDROMDrive1, it doesn't throw an error where expected. Same if I replace Select * with a list of (bad) attributes. That line actually runs and err.number is still 0 - so my function doesn't detect the error. Try and enumerate the returned collection though and of course an error is thrown - but by cscript and not my function. Nasty. Any ideas? Anyone, anyone, Bueller, Bueller??? :D

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.
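
Why the check after ExecQuery stays silent, as an added example that is not part of the original post or of audit_windows.vbs: flag 48 makes the call semi-synchronous, so a bad class or property name is reported only when the collection is enumerated, and Err.Number is a signed Long, so it never equals the unsigned decimal values tested in check_wbem_error. The helper names WbemErrorName and QueryCount are hypothetical.

```vbscript
Option Explicit
' Added example (assumption: run locally with cscript.exe on Windows).
Const wbemFlagReturnImmediately = 16, wbemFlagForwardOnly = 32  ' sum = 48

Function WbemErrorName(errNumber)
    ' Err.Number is a signed Long: 0x80041003 arrives as -2147217405, never
    ' as 2147749891. Comparing the hex string avoids the sign problem.
    Select Case Hex(errNumber)
        Case "80041001" : WbemErrorName = "wbemErrFailed"
        Case "80041003" : WbemErrorName = "wbemErrAccessDenied"
        Case "80041006" : WbemErrorName = "wbemErrOutOfMemory"
        Case "80041008" : WbemErrorName = "wbemErrInvalidParameter"
        Case "8004100E" : WbemErrorName = "wbemErrInvalidNamespace"
        Case "80041010" : WbemErrorName = "wbemErrInvalidClass"
        Case "80041017" : WbemErrorName = "wbemErrInvalidQuery"
        Case "80041018" : WbemErrorName = "wbemErrInvalidQueryType"
        Case Else : WbemErrorName = "unmapped error 0x" & Hex(errNumber)
    End Select
End Function

' Returns the row count, or -1 with strError describing the failure.
Function QueryCount(objWMIService, strQuery, ByRef strError)
    Dim colItems, objItem, n
    n = 0 : strError = ""
    On Error Resume Next
    Set colItems = objWMIService.ExecQuery(strQuery, , _
        wbemFlagReturnImmediately + wbemFlagForwardOnly)
    If Err.Number = 0 Then
        ' Semi-synchronous: a bad class or property name is only reported
        ' when enumeration starts, so Err must be checked inside the loop.
        For Each objItem In colItems
            If Err.Number <> 0 Then Exit For
            n = n + 1
        Next
    End If
    If Err.Number <> 0 Then
        strError = WbemErrorName(Err.Number) & " - " & Err.Description
        n = -1
    End If
    On Error GoTo 0
    QueryCount = n
End Function

Dim objWMIService, strQuery, strResult, n
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
For Each strQuery In Array("Select * from Win32_CDROMDrive", "Select * from Win32_CDROMDrive1")
    n = QueryCount(objWMIService, strQuery, strResult)
    If n >= 0 Then strResult = n & " row(s)"
    WScript.Echo strQuery & " -> " & strResult
Next
```

The "invalid namespace" code -2147217394 reported earlier in the thread is the same signed form of 0x8004100E, which is why the hex comparison maps it correctly.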

