Open-AudIT

All times are UTC + 10 hours




Posted: Tue Oct 29, 2013 2:43 am
Newbie

Joined: Thu May 30, 2013 9:19 pm
Posts: 16
Hi, hope someone can help.

I've been using OpenAudit for a few months now to keep track of things and it's been doing a great job.

Recently I've noticed that it is listing installs for more than one version of things like Java and Flash, which are of course updated fairly regularly, but when I go to the PC I cannot see the older versions installed anywhere and so wonder where OpenAudit is getting its info from. I've trawled through the uninstall section of the registry but can only find the most recent version listed there.

Can anyone shed any light on where OA looks when it compiles its list of software and updates?

Thanks,
Mark


Posted: Tue Oct 29, 2013 6:44 pm
Newbie

Joined: Wed Aug 01, 2012 5:49 pm
Posts: 33
Location: NRW, Germany
I had the same problem.
But if OpenAudit finds something about old Java versions, it's still something in the system.
As far as I know, OpenAudit gets its information out of WMI.

If you really want to delete all the Java remnants from previous versions, use JavaRA.
It removes everything that has something to do with Java up to version 7u21.

http://singularlabs.com/software/javara ... -download/

After that you should look at what OpenAudit says about old Java versions.


Posted: Tue Oct 29, 2013 9:42 pm
Newbie

Joined: Thu May 30, 2013 9:19 pm
Posts: 16
Thanks for the reply. I've come across JavaRA before and it has problems recognising when Java has been installed by Group Policy and so fails to uninstall it. Also, quite a few of my machines are remote, so while I can get to their registries or file shares fairly easily, connecting to them to run a program is much trickier.

If I knew where OA got its info from, then I'm hoping I can remove the necessary files/reg entries in the background from the offending PC without the user noticing.


Posted: Wed Oct 30, 2013 4:50 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
WMI Query: Select * from Win32_Product
Various other places that you probably don't care about. Look in audit script beginning around line 2830. But you can ignore these as the above locations are what you want.


Posted: Thu Oct 31, 2013 1:48 am
Newbie

Joined: Thu May 30, 2013 9:19 pm
Posts: 16
Hi,

Thanks very much for the info. Running that WMI query against one of the offending machines, I can see the two errant entries - one for an old version of Java and one for an old version of Flash - neither of which appear, as far as I can see, in either of those registry locations (both would have been installed by Group Policy btw).

So my next question is :)

How do I get rid of those entries?

Thanks.


Posted: Thu Oct 31, 2013 2:34 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
I don't know. I would think they'd be in the registry keys as well.

I'm not a fan of the WIN32_Product scan as it is slow and has side effects. Probably should use something like this (http://csi-windows.com/toolkit/win32product-replacement) instead. But that doesn't help you much right now.


Posted: Mon Jan 13, 2014 9:09 pm
Newbie

Joined: Thu May 30, 2013 9:19 pm
Posts: 16
I think some of my 64-bit users have been experiencing the side effects of using win32_product - MSIs reconfiguring each time a scan is run, for instance. I've therefore removed the part of the script that uses win32_product. My scripting knowledge is a bit basic, so I just deleted what I think to be the entire section and the script seems to run OK still. Removing it has also removed the listings for the annoying older versions that were being created, so it seems to be a win-win thing.

I presume though that it was in there for a reason, so what have I lost by removing it and will simply deleting it from the script cause any issues?

Cheers,
Mark


Posted: Thu Jan 16, 2014 8:14 am
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
Removing it won't cause any issues, but your audit won't be as comprehensive.
From memory there ARE some items that appear in one location but not the other and that are actually installed correctly. What they are I couldn't tell you off the top of my head :-)

Personally I would concentrate on fixing the machines that have the errant entries, but you've said you aren't easily able to do that so.....

_________________
Support and Development hours available from Opmantek (https://opmantek.com).
Please consider a purchase to help make Open-AudIT better for everyone.


Posted: Wed Dec 03, 2014 3:13 pm
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
Just finalising this....

I confirmed it is a bad implementation of this WMI class by Microsoft.

For 1.5.3 I have added an option to audit_windows.vbs called win32_product. It is set to "n" by default and will not query the win32_product WMI method.

I haven't found (in my limited tests) any software returned by this query that is not also returned by one of the other methods.

FWIW - This will likely speed up the scan as well. No more Windows checking / rebuilding packages... Also no more EventID 1035 in the event log. And less of a performance hit as a result.

Looks like nothing lost and much gained by turning off this query :-)

For more details, background and referenced links, check here - https://support.opmantek.com/browse/OA-52.

_________________
Support and Development hours available from Opmantek (https://opmantek.com).
Please consider a purchase to help make Open-AudIT better for everyone.
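
The two Uninstall registry locations listed earlier in this thread can be read directly, which avoids the Win32_Product query and the MSI reconfiguration and EventID 1035 entries described above. The following PowerShell is an added example, not part of Open-AudIT or of any post in this thread; the function name `Get-UninstallInventory` and its `-ComputerName` parameter are hypothetical, and remote use assumes the Remote Registry service is reachable.

```powershell
# Added example: inventory from the two Uninstall keys named in this thread.
# Win32_Product is never queried, so no MSI consistency check is triggered.
function Get-UninstallInventory {
    param(
        # Hypothetical parameter. Empty string = local machine; a remote name
        # assumes the Remote Registry service is running and reachable.
        [string]$ComputerName = ''
    )
    $hostLabel = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
    $subKeys = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        foreach ($path in $subKeys) {
            $root = $hklm.OpenSubKey($path)
            if ($null -eq $root) { continue }   # no Wow6432Node on 32-bit Windows
            foreach ($name in $root.GetSubKeyNames()) {
                $entry = $root.OpenSubKey($name)
                if ($null -eq $entry) { continue }
                $displayName = $entry.GetValue('DisplayName')
                if ($displayName) {             # skip entries with no visible name
                    [pscustomobject]@{
                        ComputerName   = $hostLabel
                        DisplayName    = $displayName
                        DisplayVersion = $entry.GetValue('DisplayVersion')
                        Publisher      = $entry.GetValue('Publisher')
                        RegistryPath   = "HKLM\$path\$name"
                    }
                }
                $entry.Close()
            }
            $root.Close()
        }
    }
    finally { $hklm.Close() }
}

# Show every Java or Flash entry so stale versions stand out side by side.
Get-UninstallInventory |
    Where-Object { $_.DisplayName -match 'Java|Flash' } |
    Sort-Object DisplayName, DisplayVersion |
    Format-Table ComputerName, DisplayName, DisplayVersion, RegistryPath -AutoSize
```

On 64-bit Windows, run it from a 64-bit PowerShell session; in a 32-bit session registry redirection makes both paths resolve to the 32-bit view.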

