Open-AudIT

What's on your network?

All times are UTC + 10 hours




 Post subject: Bug running Audit Script
Posted: Tue Apr 03, 2012 10:04 pm
Newbie

Joined: Mon Apr 02, 2012 11:48 pm
Posts: 4
I'm using the attached Windows audit script and get the following error on Windows 2000 Pro machines (German):

C:\Dokumente und Einstellungen\Administrator\Desktop\audit_windows_akt.vbs(200, 3) Laufzeitfehler in Microsoft VBScript: Das Objekt unterstützt diese Eigenschaft oder Methode nicht.: 'oProc.commandLine'.

Code:
for each oProc in getObject( "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2").instancesOf("Win32_Process")
   if lcase(oProc.name) = "wscript.exe" _
      or lcase(oProc.name) = "cscript.exe" Then
      sCmdLine = oProc.commandLine   ' <-- the line the error points to
      if  instr(1, sCmdLine, "\" & sScriptName, vbTextCompare) > 0 _
         or instr(1, sCmdLine, " " & sScriptName, vbTextCompare) > 0 _
         or instr(1, sCmdLine, """" & sScriptName, vbTextCompare) > 0 then
            nPID = oProc.processId
      end if
   end if
next



Some more information: the Windows 2000 machines are all virtual VMware machines or Virtual PCs, but it's the same in VMware and VPC.
Other VMware machines with Windows XP work without problems.


Attachments:
audit_windows_akt.txt [242.95 KiB]
Posted: Wed Apr 04, 2012 3:10 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
The CommandLine property of Win32_Process is only available on Windows XP/2003 and newer. It appears this code is only retrieving the process Id for display so you can just comment it out or put some error handling in to skip over the problem.

Option 1 - Remove or comment out the following:
Code:
for each oProc in getObject( "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2").instancesOf("Win32_Process")
   if lcase(oProc.name) = "wscript.exe" _
      or lcase(oProc.name) = "cscript.exe" Then
      sCmdLine = oProc.commandLine
      if  instr(1, sCmdLine, "\" & sScriptName, vbTextCompare) > 0 _
         or instr(1, sCmdLine, " " & sScriptName, vbTextCompare) > 0 _
         or instr(1, sCmdLine, """" & sScriptName, vbTextCompare) > 0 then
            nPID = oProc.processId
      end if
   end if
next

if debugging > "0" then wscript.echo "My PID is : " & nPID end if


Option 2 - Mask the error:
Code:
for each oProc in getObject( "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2").instancesOf("Win32_Process")
   if lcase(oProc.name) = "wscript.exe" _
      or lcase(oProc.name) = "cscript.exe" Then
      ' Default to an empty command line in case the property is missing
      sCmdLine = ""
      ' Ignore the error raised where CommandLine does not exist (Windows 2000)
      On error resume next
      sCmdLine = oProc.commandLine
      ' Restore normal error handling for the rest of the script
      On error goto 0
      if  instr(1, sCmdLine, "\" & sScriptName, vbTextCompare) > 0 _
         or instr(1, sCmdLine, " " & sScriptName, vbTextCompare) > 0 _
         or instr(1, sCmdLine, """" & sScriptName, vbTextCompare) > 0 then
            nPID = oProc.processId
      end if
   end if
next


Option 3 - Deal with it in some other way.

Audit_List and Audit_Domain both have the same problem and won't work under Windows 2000.


Posted: Wed Apr 04, 2012 3:45 am
Newbie

Joined: Mon Apr 02, 2012 11:48 pm
Posts: 4
Thx for your help.
I will try this tomorrow; I hope that your error handling becomes part of the next script versions.


Posted: Wed Apr 04, 2012 6:50 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
Seems like a simple thing for Mark to fix. Unfortunately, you have now volunteered to take up testing of ancient platforms. I don't think there are many other users running a lot of Windows 2000. Or if they are, they're running the audits from a more recent Windows.


Posted: Wed Apr 04, 2012 5:00 pm
Newbie

Joined: Mon Apr 02, 2012 11:48 pm
Posts: 4
Absolutely no problem to volunteer with improving an already great product. I'm already happy that there is such a great project.
Your fix has helped... at least a bit.
Now I'm getting this error:
Code:
C:\audit_windows_2000.vbs(3002, 2) SWbemLocator: Der Parameter ist ungültig.


with this code (line 3002 is the part in the else branch):
Code:
if strUser <> "" then
   ' Username & Password provided - assume not a domain local PC.
   Set objServices = objLocator.ConnectServer(strComputer, "root\default", strUser, strPass, "", "", wbemConnectFlagUseMaxWait, objCtx)
else
   Set objServices = objLocator.ConnectServer(strComputer, "root\default", "", "", "", "", wbemConnectFlagUseMaxWait, objCtx)
end if


After commenting this region out, the script runs to the end. So perhaps some error handling might be necessary here. Even though I am a software developer, I'm not a script developer, and a fix would be better written by someone else ;)

ADDED:
OK, I just did a quick overview of the auditing results.
Is there a known bug which prevents the system from reading the Windows 2000 keys?
If not... it doesn't work ;)
If it's a known problem or even impossible, is there a workaround?
Perhaps auditing from a different machine? (The VM is not part of a domain.)


Posted: Thu Apr 05, 2012 1:57 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
You're still running into problems the script has with Windows 2000 that haven't been found because it gets no testing. This particular section is trying to retrieve a Win 64bit key. According to the documentation this should work because older operating systems are supposed to ignore the context flags if they are not implemented. From your error it looks like this is not the case with Windows 2000 (at least).

Super naive fix is to skip this test if we're on Windows 2000. So just wrap the "MS CD Keys for Windows 64bit" stuff in an exclusion test for Windows 2000.
Code:
'''''''''''''''''''''''''''''''''''''''''''''''''
'   MS CD Keys for Windows 64bit                '
'''''''''''''''''''''''''''''''''''''''''''''''''
if (IsOS2K <> 1) then
   Subhive="SOFTWARE\Microsoft\Windows NT\CurrentVersion"
   Set objCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
   objCtx.Add "__ProviderArchitecture", 64
   objCtx.Add "__RequiredArchitecture", TRUE
   Set objLocator = CreateObject("Wbemscripting.SWbemLocator")

   if strUser <> "" then
      ' Username & Password provided - assume not a domain local PC.
      Set objServices = objLocator.ConnectServer(strComputer, "root\default", strUser, strPass, "", "", wbemConnectFlagUseMaxWait, objCtx)
   else
      Set objServices = objLocator.ConnectServer(strComputer, "root\default", "", "", "", "", wbemConnectFlagUseMaxWait, objCtx)
   end if
   Set o64reg = objServices.Get("StdRegProv")
   key_text = null
   Set Inparams = o64reg.Methods_("GetStringValue").Inparameters
   Inparams.Hdefkey = HKEY_LOCAL_MACHINE
   Inparams.Ssubkeyname = Subhive
   Inparams.Svaluename = "DigitalProductID"
   set Outparams = o64reg.ExecMethod_("GetBinaryValue", Inparams,,objCtx)
   key_text = getkey(Outparams.uValue, 1)
   if (IsNull(key_text) or (win_cd_key = "y")) then
      ' do nothing
   else
         win_cd_key = "y"
         result = result & "      <key>" & vbcrlf
         result = result & "         <key_name>" & escape_xml(system_os_name) & "</key_name>" & vbcrlf
         result = result & "         <key_text>" & escape_xml(key_text) & "</key_text>" & vbcrlf
         result = result & "         <key_release>" & escape_xml(windows_build_number) & "</key_release>" & vbcrlf
         result = result & "         <key_edition>" & escape_xml(system_os_version) & "</key_edition>" & vbcrlf
         result = result & "      </key>" & vbcrlf
   end if
   Inparams.Svaluename = "DigitalProductID4"
   set Outparams = o64reg.ExecMethod_("GetBinaryValue", Inparams,,objCtx)
   if IsNull(Outparams.uValue) then
      key_text = NULL
   else
      key_text = getkey(Outparams.uValue, 1)
   end if
   if (IsNull(key_text) or (win_cd_key = "y")) then
      ' do nothing
   else
         win_cd_key = "y"
         result = result & "      <key>" & vbcrlf
         result = result & "         <key_name>" & escape_xml(system_os_name) & "</key_name>" & vbcrlf
         result = result & "         <key_text>" & escape_xml(key_text) & "</key_text>" & vbcrlf
         result = result & "         <key_release>" & escape_xml(windows_build_number) & "</key_release>" & vbcrlf
         result = result & "         <key_edition>" & escape_xml(system_os_version) & "</key_edition>" & vbcrlf
         result = result & "      </key>" & vbcrlf
   end if   
end if
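
Added example, not part of the original thread or the Open-AudIT script: a narrower alternative to masking the error (Option 2) and to the Windows 2000 exclusion test, trapping only the failing call so the caller can skip the 64-bit key section wherever the context is rejected. `SafeCommandLine`, `Connect64` and `sWhy` are hypothetical names, and the sample call at the end uses constructed values for the local machine.

```vbscript
Option Explicit
Const wbemConnectFlagUseMaxWait = 128   ' WMI scripting constant (&H80)

' Hypothetical helper: command line of a process, or "" where the property
' is missing (Windows 2000, per this thread) or Null.
Function SafeCommandLine(oProc)
   Dim s
   SafeCommandLine = ""
   On Error Resume Next              ' trap only this property read
   s = oProc.CommandLine
   If Err.Number = 0 And Not IsNull(s) Then SafeCommandLine = s
   Err.Clear
   On Error GoTo 0
End Function

' Hypothetical helper: connect to root\default with the 64-bit context.
' Returns Nothing and fills sWhy (ByRef) when the connection is refused.
Function Connect64(strComputer, strUser, strPass, objCtx, sWhy)
   Dim objLocator, sPass
   Set Connect64 = Nothing
   sWhy = ""
   ' Same rule as the script's else branch: no user means no password
   If strUser <> "" Then sPass = strPass Else sPass = ""
   Set objLocator = CreateObject("WbemScripting.SWbemLocator")
   On Error Resume Next              ' trap only the ConnectServer call
   Set Connect64 = objLocator.ConnectServer(strComputer, "root\default", _
         strUser, sPass, "", "", wbemConnectFlagUseMaxWait, objCtx)
   If Err.Number <> 0 Then
      sWhy = "0x" & Hex(Err.Number) & " " & Err.Source & ": " & Err.Description
      Set Connect64 = Nothing
      Err.Clear
   End If
   On Error GoTo 0
End Function

' Local run with constructed values (not taken from the audit script)
Dim objCtx, objServices, sWhy
Set objCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
objCtx.Add "__ProviderArchitecture", 64
objCtx.Add "__RequiredArchitecture", True
Set objServices = Connect64(".", "", "", objCtx, sWhy)
If objServices Is Nothing Then
   WScript.Echo "Skipping 64-bit key lookup: " & sWhy
Else
   WScript.Echo "64-bit registry provider available"
End If
```

Recording the error number and source in `sWhy` keeps the skipped section visible in the audit output instead of silently dropping it.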

