Open-AudIT

 Post subject: Bug running Audit Script
Posted: Tue Apr 03, 2012 10:04 pm
Newbie

Joined: Mon Apr 02, 2012 11:48 pm
Posts: 4
I'm using the attached Windows audit script and get the following error on Windows 2000 Pro machines (German):


C:\Dokumente und Einstellungen\Administrator\Desktop\audit_windows_akt.vbs(200, 3) Laufzeitfehler in Microsoft VBScript: Das Objekt unterstützt diese Eigenschaft oder Methode nicht.: 'oProc.commandLine'.

[code]
for each oProc in getObject( "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2").instancesOf("Win32_Process")
    if lcase(oProc.name) = "wscript.exe" _
    or lcase(oProc.name) = "cscript.exe" Then
        sCmdLine = oProc.commandLine ' <-- the runtime error is reported for this line
        if instr(1, sCmdLine, "\" & sScriptName, vbTextCompare) > 0 _
        or instr(1, sCmdLine, " " & sScriptName, vbTextCompare) > 0 _
        or instr(1, sCmdLine, """" & sScriptName, vbTextCompare) > 0 then
            nPID = oProc.processId
        end if
    end if
next
[/code]


Some more information: the Windows 2000 machines are all virtual VMware machines or Virtual PCs, but it's the same in VMware and VPC.
Other VMware machines with Windows XP work without problems.


Attachments:
audit_windows_akt.txt [242.95 KiB]

Posted: Wed Apr 04, 2012 3:10 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
The CommandLine property of Win32_Process is only available on Windows XP/2003 and newer. It appears this code is only retrieving the process Id for display so you can just comment it out or put some error handling in to skip over the problem.

Option 1 - Remove or comment out the following:
[code]
for each oProc in getObject( "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2").instancesOf("Win32_Process")
    if lcase(oProc.name) = "wscript.exe" _
    or lcase(oProc.name) = "cscript.exe" Then
        sCmdLine = oProc.commandLine
        if instr(1, sCmdLine, "\" & sScriptName, vbTextCompare) > 0 _
        or instr(1, sCmdLine, " " & sScriptName, vbTextCompare) > 0 _
        or instr(1, sCmdLine, """" & sScriptName, vbTextCompare) > 0 then
            nPID = oProc.processId
        end if
    end if
next

if debugging > "0" then wscript.echo "My PID is : " & nPID end if
[/code]

Option 2 - Mask the error:
[code]
for each oProc in getObject( "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2").instancesOf("Win32_Process")
    if lcase(oProc.name) = "wscript.exe" _
    or lcase(oProc.name) = "cscript.exe" Then
        sCmdLine = ""
        On error resume next
        sCmdLine = oProc.commandLine
        On error goto 0
        if instr(1, sCmdLine, "\" & sScriptName, vbTextCompare) > 0 _
        or instr(1, sCmdLine, " " & sScriptName, vbTextCompare) > 0 _
        or instr(1, sCmdLine, """" & sScriptName, vbTextCompare) > 0 then
            nPID = oProc.processId
        end if
    end if
next
[/code]

Option 3 - Deal with it in some other way.

Audit_List and Audit_Domain both have the same problem and won't work under Windows 2000.


Posted: Wed Apr 04, 2012 3:45 am
Newbie

Joined: Mon Apr 02, 2012 11:48 pm
Posts: 4
Thanks for your help.
I will try this tomorrow; I hope that your error handling becomes part of the next script versions.


Posted: Wed Apr 04, 2012 6:50 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Seems like a simple thing for Mark to fix. Unfortunately, you have now volunteered to take up testing of ancient platforms. I don't think there's many other users running a lot of Windows 2000. Or if they are they're running the audits from a more recent Windows.


Posted: Wed Apr 04, 2012 5:00 pm
Newbie

Joined: Mon Apr 02, 2012 11:48 pm
Posts: 4
Absolutely no problem to volunteer with improving an already great product. I'm already happy that there is such a great project.
Your fix has helped...at least a bit.
Now I'm getting this error:
[code]
C:\audit_windows_2000.vbs(3002, 2) SWbemLocator: Der Parameter ist ungültig.
[/code]

with this code (line 3002 is the part in the else branch):
[code]
if strUser <> "" then
    ' Username & Password provided - assume not a domain local PC.
    Set objServices = objLocator.ConnectServer(strComputer, "root\default", strUser, strPass, "", "", wbemConnectFlagUseMaxWait, objCtx)
else
    Set objServices = objLocator.ConnectServer(strComputer, "root\default", "", "", "", "", wbemConnectFlagUseMaxWait, objCtx)
end if
[/code]

After commenting this region out, the script runs to the end. So perhaps some error handling might be necessary here. Even though I am a software developer, I'm not a script developer, and a fix would be better written by someone else ;)

ADDED:
OK, just did a quick overview of the auditing results.
Is there a known bug which prevents the system from reading the Windows 2000 keys?
If not... it doesn't work ;)
If it's a known problem or even impossible... is there a workaround?
Perhaps auditing from a different machine? (The VM is not part of a domain.)


Posted: Thu Apr 05, 2012 1:57 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
You're still running into problems the script has with Windows 2000 that haven't been found because it gets no testing. This particular section is trying to retrieve a Win 64bit key. According to [url=http://msdn.microsoft.com/en-us/library/windows/desktop/aa393067%28v=vs.85%29.aspx]the documentation[/url] this should work because older operating systems are supposed to ignore the context flags if they are not implemented. From your error it looks like this is not the case with Windows 2000 (at least).

Super naive fix is to skip this test if we're on Windows 2000. So just wrap the "MS CD Keys for Windows 64bit" stuff in an exclusion test for Windows 2000.
[code]
'''''''''''''''''''''''''''''''''''''''''''''''''
' MS CD Keys for Windows 64bit '
'''''''''''''''''''''''''''''''''''''''''''''''''
if (IsOS2K <> 1) then
    Subhive="SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    Set objCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
    objCtx.Add "__ProviderArchitecture", 64
    objCtx.Add "__RequiredArchitecture", TRUE
    Set objLocator = CreateObject("Wbemscripting.SWbemLocator")

    if strUser <> "" then
        ' Username & Password provided - assume not a domain local PC.
        Set objServices = objLocator.ConnectServer(strComputer, "root\default", strUser, strPass, "", "", wbemConnectFlagUseMaxWait, objCtx)
    else
        Set objServices = objLocator.ConnectServer(strComputer, "root\default", "", "", "", "", wbemConnectFlagUseMaxWait, objCtx)
    end if
    Set o64reg = objServices.Get("StdRegProv")
    key_text = null
    Set Inparams = o64reg.Methods_("GetStringValue").Inparameters
    Inparams.Hdefkey = HKEY_LOCAL_MACHINE
    Inparams.Ssubkeyname = Subhive
    Inparams.Svaluename = "DigitalProductID"
    set Outparams = o64reg.ExecMethod_("GetBinaryValue", Inparams,,objCtx)
    key_text = getkey(Outparams.uValue, 1)
    if (IsNull(key_text) or (win_cd_key = "y")) then
        ' do nothing
    else
        win_cd_key = "y"
        result = result & " <key>" & vbcrlf
        result = result & " <key_name>" & escape_xml(system_os_name) & "</key_name>" & vbcrlf
        result = result & " <key_text>" & escape_xml(key_text) & "</key_text>" & vbcrlf
        result = result & " <key_release>" & escape_xml(windows_build_number) & "</key_release>" & vbcrlf
        result = result & " <key_edition>" & escape_xml(system_os_version) & "</key_edition>" & vbcrlf
        result = result & " </key>" & vbcrlf
    end if
    Inparams.Svaluename = "DigitalProductID4"
    set Outparams = o64reg.ExecMethod_("GetBinaryValue", Inparams,,objCtx)
    if IsNull(Outparams.uValue) then
        key_text = NULL
    else
        key_text = getkey(Outparams.uValue, 1)
    end if
    if (IsNull(key_text) or (win_cd_key = "y")) then
        ' do nothing
    else
        win_cd_key = "y"
        result = result & " <key>" & vbcrlf
        result = result & " <key_name>" & escape_xml(system_os_name) & "</key_name>" & vbcrlf
        result = result & " <key_text>" & escape_xml(key_text) & "</key_text>" & vbcrlf
        result = result & " <key_release>" & escape_xml(windows_build_number) & "</key_release>" & vbcrlf
        result = result & " <key_edition>" & escape_xml(system_os_version) & "</key_edition>" & vbcrlf
        result = result & " </key>" & vbcrlf
    end if
end if
[/code]
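
Both failures in this thread (the missing CommandLine property on Windows 2000 and the ConnectServer call that rejects the 64-bit context) can be trapped around the single call that may fail, so the audit records what it had to skip instead of aborting or silently hiding other errors. This is an added example, not code from the posts above or from the Open-AudIT script; the function names TryGetCommandLine and ConnectRegistry64 are hypothetical, and it assumes the "object doesn't support this property or method" failure surfaces as VBScript error 438.

```vbscript
Option Explicit
Const wbemConnectFlagUseMaxWait = 128 ' WbemConnectOptionsEnum value (&H80)

' Hypothetical helper: returns "" when CommandLine is missing (Windows 2000,
' VBScript error 438) or Null; any other error is reported instead of hidden.
Function TryGetCommandLine(oProc)
    Dim v
    TryGetCommandLine = ""
    On Error Resume Next
    v = oProc.CommandLine
    If Err.Number = 0 Then
        If Not IsNull(v) Then TryGetCommandLine = v
    ElseIf Err.Number <> 438 Then
        WScript.Echo "CommandLine read failed: 0x" & Hex(Err.Number) & " " & Err.Description
    End If
    On Error GoTo 0
End Function

' Hypothetical helper: connects to root\default with the 64-bit context and
' returns Nothing if ConnectServer fails, so the caller can skip that section.
Function ConnectRegistry64(strComputer, strUser, strPass, objCtx)
    Dim objLocator
    Set ConnectRegistry64 = Nothing
    Set objCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
    objCtx.Add "__ProviderArchitecture", 64
    objCtx.Add "__RequiredArchitecture", True
    Set objLocator = CreateObject("WbemScripting.SWbemLocator")
    On Error Resume Next
    Set ConnectRegistry64 = objLocator.ConnectServer(strComputer, "root\default", _
        strUser, strPass, "", "", wbemConnectFlagUseMaxWait, objCtx)
    If Err.Number <> 0 Then
        WScript.Echo "64-bit registry view skipped: 0x" & Hex(Err.Number) & " " & Err.Description
        Set ConnectRegistry64 = Nothing
    End If
    On Error GoTo 0
End Function

' Usage against the local machine ("." and empty credentials).
Dim oProc, objCtx, objServices
For Each oProc In GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2").InstancesOf("Win32_Process")
    If LCase(oProc.Name) = "cscript.exe" Or LCase(oProc.Name) = "wscript.exe" Then
        WScript.Echo oProc.ProcessId & " [" & TryGetCommandLine(oProc) & "]"
    End If
Next
Set objServices = ConnectRegistry64(".", "", "", objCtx)
If objServices Is Nothing Then WScript.Echo "Continuing without the 64-bit key section."
```

Run it with cscript.exe so the skipped sections are printed to the console; an inventory that logs what it could not read is easier to trust than one that quietly returns fewer keys.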

