Open-AudIT
https://www.open-audit.org/phpBB3/

[FIXED] Windows 7 Audit problem
https://www.open-audit.org/phpBB3/viewtopic.php?f=10&t=5914
Page 1 of 2

Author:  MikeS [ Mon Jul 30, 2012 9:17 pm ]
Post subject:  [FIXED] Windows 7 Audit problem

Hello,

I am using Open Audit V1 (I will upgrade to V2 but not just yet). And I have been having trouble auditing Windows 7 and W2K8(R2) machines. In my domain the Windows firewall is disabled but on all PCs UAC is enabled. With a group policy we run the audit.vbs script but I think UAC is blocking the script. We see some audit information but not everything. For example a W7 machine with MS Office 2010 shows this:

Microsoft Office Office 64-bit Components 2010 14.0.6029.1000 Microsoft Corporation 2012-06-22 14:51
Microsoft Office Shared 64-bit MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-06-22 14:51

But it doesn't show which program from Office 2010.

Is there any way to bypass this without disabling UAC?

Thanks in advance!

Author:  jpa [ Wed Aug 01, 2012 1:53 am ]
Post subject:  Re: Windows 7 Audit problem

Just run the script as an elevated Admin user and see what the output looks like. If you still have missing applications then you probably have a different problem. Also make sure you're running the latest OAv1 from [url=http://open-audit.svn.sourceforge.net/viewvc/open-audit/trunk/?view=tar]SVN[/url].

Author:  MikeS [ Wed Aug 01, 2012 4:56 pm ]
Post subject:  Re: Windows 7 Audit problem

[quote="jpa"]Just run the script as an elevated Admin user and see what the output looks like. If you still have missing applications then you probably have a different problem. Also make sure you're running the latest OAv1 from [url=http://open-audit.svn.sourceforge.net/viewvc/open-audit/trunk/?view=tar]SVN[/url].[/quote]

I'll upgrade first to see if it fixes the problem because I am on Version 09.03.17. How exactly do I upgrade? I never did the installation (a colleague of mine did), so I'm kinda new to it all. Just overwrite the existing files?

Author:  jpa [ Thu Aug 02, 2012 1:22 am ]
Post subject:  Re: Windows 7 Audit problem

Make a backup of your OA MySQL database and all files or minimally openaudit\include_config.php and openaudit\scripts\audit.config. You should be doing this regularly anyway.

Download the latest [url=http://open-audit.svn.sourceforge.net/viewvc/open-audit/trunk/?view=tar]tarball of OAv1 from SVN[/url]. Unzip and untar the open-audit-trunk.tar.gz file that you just downloaded. Copy the new files over the existing ones. Where they go is dependent on how you have it set up.

Log in to OpenAudit and you should get a message at the top of the page that there are database updates to apply. Click the link and hopefully your database gets updated without error. If there are errors you can restore your database backup and reinstall your old version of OA base and config files.

Author:  MikeS [ Thu Aug 02, 2012 7:58 pm ]
Post subject:  Re: Windows 7 Audit problem

Jpa thank you very much! I will try to see if it solves my problem.

Author:  MikeS [ Thu Aug 02, 2012 10:06 pm ]
Post subject:  Re: Windows 7 Audit problem

Everything went great besides a few rights my user was missing on the database. Now I have another problem..

[img]http://i47.tinypic.com/530686.png[/img]

Our audit script runs when people log in with a group policy. But because of the new audit.vbs script I am getting all these popups. It's as if the script is running in debug mode so I can see the values. Is there any way to turn this off?

Author:  jpa [ Fri Aug 03, 2012 1:01 am ]
Post subject:  Re: Windows 7 Audit problem

You should run the script using "cscript audit.vbs" and not using wscript.

Author:  MikeS [ Fri Aug 03, 2012 5:26 pm ]
Post subject:  Re: Windows 7 Audit problem

I fixed it. But I just don't get why UAC is giving me a hard time.

If I run the audit.vbs script locally as an administrator it works perfectly, but even if I make a group policy with elevated permission the audit.vbs doesn't work like it should.

I think UAC is great and all but it also blocks too much stuff, but I'd rather leave it on. Is there another way that will let me run the audit.vbs with group policy?

Author:  jpa [ Sat Aug 04, 2012 1:59 am ]
Post subject:  Re: Windows 7 Audit problem

I don't know how you're running a logon script elevated using Group Policy but if you want everything audited you need to run the script elevated. You could run the script as a Computer Startup script in Group Policy but this will only run on computer boot. If you want to run at every user logon you could use Group Policy to create a Scheduled Task that ran "At log on" of any user and set up the permissions to run elevated.

Author:  Mark [ Sat Aug 04, 2012 9:02 am ]
Post subject:  Re: Windows 7 Audit problem

I recommend a Domain Audit - that's what we use on our ~5,000 systems.

Author:  MikeS [ Sun Aug 05, 2012 6:50 am ]
Post subject:  Re: Windows 7 Audit problem

[quote="jpa"]I don't know how you're running a logon script elevated using Group Policy but if you want everything audited you need to run the script elevated. You could run the script as a Computer Startup script in Group Policy but this will only run on computer boot. If you want to run at every user logon you could use Group Policy to create a Scheduled Task that ran "At log on" of any user and set up the permissions to run elevated.[/quote]

Yes I have a Group Policy with a Scheduled Task that runs the script with Elevated Permission. I also tried running it as a Computer Start script and even this isn't working. I tried all the possible ways to bypass the UAC when executing a logon script.
If I just run the script locally as an Administrator the audit is correct.

When I let the audit script run on a Windows 7 machine with a scheduled task I see this in my software:

Microsoft Office Office 64-bit Components 2010 14.0.6029.1000 Microsoft Corporation

When I run it locally as an Administrator:

Microsoft Office Excel MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-02 15:15
Microsoft Office Groove MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-02 15:15
Microsoft Office InfoPath MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Office 64-bit Components 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office OneNote MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Outlook MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office PowerPoint MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Professional Plus 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Proof (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Proof (English) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Proof (French) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Proof (German) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Proofing (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Publisher MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Shared 64-bit MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Shared MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Word MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation

[quote="Mark"]I recommend a Domain Audit - that's what we use on our ~5,000 systems.[/quote]

What do you mean by Domain Audit?

Author:  jpa [ Sun Aug 05, 2012 7:39 am ]
Post subject:  Re: Windows 7 Audit problem

Maybe you're using the wrong version of cscript [url=http://www.open-audit.org/phpBB3/viewtopic.php?f=8&t=5874&hilit=cscript&start=30#p20428]like in this earlier thread[/url] where software was mysteriously missing from an audit?

Author:  Mark [ Mon Aug 06, 2012 9:46 am ]
Post subject:  Re: Windows 7 Audit problem

[quote="MikeS"]What do you mean with Domain Audit?[/quote]

In the same directory in the download as the audit_windows.vbs script, there is another called audit_domain.vbs. Check out the variable settings within it. Basically, you point it at your Domain, let it know where audit_windows.vbs is (locally on your filesystem), tell it how many audits you want to spawn at once and it audits all the Windows machines in your domain. There are options within to restrict it to certain operating systems (say, all your machines with the string "server" in the OS name).

number_of_audits == how many audits you want running at any given time. I set this to 20.
audit_run_type == whether to copy the audit_windows script to the remote PC then initiate it remotely. NOTE - this doesn't work very well. It runs these in serial - i.e., one at a time. It takes a LONG time to get through a domain of any size. I am working on a script to spawn multiple instances. For now, leave this set to "local".
remote_user and remote_password == set these if your systems are not on a domain. It's a bit of a hack. I don't use this.
script_name == the full path to audit_windows.vbs
local_domain == an array of domains you wish to audit. Make sure you have Admin in each domain for the user account running audit_domain. I have three domains here and my designated account has "local admin" on all computers in these domains.
operating_system == a string that matches against the OS name pulled from Active Directory. If this string appears anywhere in the OS name, it's a match. Leave blank for ALL systems.
output_file == If you want a dump of the matched systems, provide a file name. I leave this blank...

NOTE - all these variables can be passed in from the command line at runtime (same as audit_windows.vbs). Personally, I have a couple of these scripts configured how I like - one for our servers that runs at night, another for our workstations that runs in the daytime, another for a second domain, etc.

Author:  jpa [ Mon Aug 06, 2012 10:15 am ]
Post subject:  Re: Windows 7 Audit problem

Which is all true for when you upgrade to OA v2. With version 1 you'll want to follow the [url=http://www.open-audit.org/phpBB3/viewtopic.php?f=6&t=1464#p6324]How to Audit a Domain FAQ[/url].

Author:  MikeS [ Mon Aug 06, 2012 3:56 pm ]
Post subject:  Re: Windows 7 Audit problem

Thank you guys for your replies. Mark, I have some of the settings you posted. I also tried to see if I was running the wrong version of cscript.

So on a machine I executed the audit script with cscript as a Non-Administrator. Guess what? Everything audited the way it should. So UAC doesn't block it, even a non-administrator can execute it.

So somehow the script isn't executing properly at logon with the scheduled task. The next thing I did was 5 minutes after logon I executed the scheduled task to see if that would help. It also didn't help, but if I use cscript/wscript audit.vbs it works like a charm. Any ideas why the scheduled task isn't working like it should?

edit: Apparently some other people are having problems with running scripts with scheduled tasks under W7 & Server 2008. But apparently UAC blocks UNC paths because I run my script from netlogon folder and it's not allowed.
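
An added example (not part of the original thread, and not Open-AudIT project code) of the logon scheduled task jpa describes, run from a local copy of the script rather than the netlogon UNC path MikeS mentions in his edit, with a check that the local copy is not writable by non-admins. The share path, local folder, task name, the choice of SYSTEM as the task account, and audit.config sitting beside audit.vbs are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example. Share path, folder and task name are assumptions, not values from the thread.
$Share    = '\\example.local\netlogon'                 # hypothetical UNC source
$LocalDir = Join-Path $env:ProgramFiles 'OpenAudit'    # hypothetical admin-only local folder
$TaskName = 'OpenAudit logon audit'                    # hypothetical task name

# 1. Copy the script and its config off the share so the task never opens a UNC path.
if (-not (Test-Path $LocalDir)) { New-Item -ItemType Directory -Path $LocalDir | Out-Null }
foreach ($f in 'audit.vbs', 'audit.config') {
    Copy-Item (Join-Path $Share $f) (Join-Path $LocalDir $f) -Force
}

# 2. Stop if anyone other than SYSTEM, Administrators, CREATOR OWNER or TrustedInstaller
#    can change the folder: a SYSTEM task running a user-writable script is a privilege escalation.
$trusted = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$write   = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$sidType = [System.Security.Principal.SecurityIdentifier]
$loose   = @((Get-Acl $LocalDir).GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $trusted -notcontains $_.IdentityReference.Value -and
    ($_.FileSystemRights -band $write) -ne 0
})
if ($loose.Count -gt 0) { throw "Non-admin write access on $LocalDir; fix the ACL first." }

# 3. Register an "at log on" task via task XML, which avoids nested command-line quoting.
$cscript = Join-Path $env:SystemRoot 'System32\cscript.exe'
$xml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author">
    <UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>$cscript</Command>
    <Arguments>//nologo "$LocalDir\audit.vbs"</Arguments>
    <WorkingDirectory>$LocalDir</WorkingDirectory>
  </Exec></Actions>
</Task>
"@
$xmlPath = Join-Path $env:TEMP 'openaudit-task.xml'
$xml | Out-File -FilePath $xmlPath -Encoding Unicode
& schtasks.exe /Create /F /TN $TaskName /XML $xmlPath
if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }
Remove-Item $xmlPath
```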

All times are UTC + 10 hours