Open-AudIT
https://www.open-audit.org/phpBB3/

[FIXED] Windows 7 Audit problem
https://www.open-audit.org/phpBB3/viewtopic.php?f=10&t=5914
Page 2 of 2

Author:  jpa [ Mon Aug 06, 2012 4:17 pm ]
Post subject:  Re: Windows 7 Audit problem

Non-admin audits are missing a very few things in OA v2. Not much but they're not complete. Some stuff might be missed in OA v1 as well. Diff a run as admin and non and you'll see what, if anything, is missing.

Author:  MikeS [ Mon Aug 06, 2012 5:51 pm ]
Post subject:  Re: Windows 7 Audit problem

Well, if I run the script with a scheduled task as a non-admin user I get this:

[code]
VNC Viewer 5.0.1 5.0.1 RealVNC Ltd 2012-08-03 11:16
VNC Server 5.0.1 5.0.1 RealVNC Ltd 2012-08-03 11:16
VNC Printer Driver 1.8.0 1.8.0 RealVNC Ltd. 2012-08-03 11:16
Microsoft Office Office 64-bit Components 2010 14.0.6029.1000 Microsoft Corporation 2012-07-20 10:01
Microsoft Office Shared 64-bit MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-07-20 10:01
Conexant HD Audio 8.50.5.0 Conexant 2012-07-20 09:08
DW WLAN Card Utility 5.60.48.35 Dell Inc. 2012-07-20 09:08
Microsoft Visual C 2005 Redistributable (x64) 8.0.56336 Microsoft Corporation 2012-07-20 09:08
Microsoft Visual C 2008 Redistributable - x64 9.0.30729.17 9.0.30729 Microsoft Corporation 2012-07-20 09:08
Codec - Audio - l3codeca 1.9.0.401 Fraunhofer Institut Integrierte Schaltungen IIS 2012-07-20 09:08
MDAC 6.1.7601.17514 Microsoft Corporation 2012-07-20 09:08
DirectX 9c 4.09.00.0904 Microsoft Corporation 2012-07-20 09:08
Windows Media Player 12,0,7601,17514 Microsoft Corporation 2012-07-20 09:08
Internet Explorer 9.0.8112.16421 Microsoft Corporation 2012-07-20 09:08
Microsoft Windows 7 Professional 6.1.7601 Microsoft Corporation 2012-07-20 09:08[/code]

When I run the script as a non-admin user with cscript I get this:

[code]7-Zip 9.20 9.20.00.0 Igor Pavlov 2012-08-06 09:49
Adobe Reader 9.3 9.3.0 Adobe Systems Incorporated 2012-08-06 09:49
Cisco EAP-FAST Module 2.2.14 Cisco Systems, Inc. 2012-08-06 09:49
Cisco LEAP Module 1.0.19 Cisco Systems, Inc. 2012-08-06 09:49
Cisco PEAP Module 1.1.6 Cisco Systems, Inc. 2012-08-06 09:49
Codec - Audio - l3codeca 1.9.0.401 Fraunhofer Institut Integrierte Schaltungen IIS 2012-07-20 09:08
Conexant HD Audio 8.50.5.0 Conexant 2012-07-20 09:08
DirectX 9c 4.09.00.0904 Microsoft Corporation 2012-07-20 09:08
DW WLAN Card Utility 5.60.48.35 Dell Inc. 2012-07-20 09:08
Intel(R) Management Engine Components 7.0.0.1144 Intel Corporation 2012-08-06 09:49
Intel(R) Processor Graphics 8.15.10.2418 Intel Corporation 2012-08-06 09:49
Internet Explorer 9.0.8112.16421 Microsoft Corporation 2012-07-20 09:08
MDAC 6.1.7601.17514 Microsoft Corporation 2012-07-20 09:08
Microsoft Office Access MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Excel MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Groove MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office InfoPath MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Office 64-bit Components 2010 14.0.6029.1000 Microsoft Corporation 2012-07-20 10:01
Microsoft Office OneNote MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Outlook MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office PowerPoint MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Professional Plus 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Proof (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Proof (English) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Proof (French) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Proof (German) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Proofing (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Publisher MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Shared 64-bit MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-07-20 10:01
Microsoft Office Shared MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Word MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Visual C 2005 Redistributable (x64) 8.0.56336 Microsoft Corporation 2012-07-20 09:08
Microsoft Visual C 2008 Redistributable - x64 9.0.30729.17 9.0.30729 Microsoft Corporation 2012-07-20 09:08
Microsoft Windows 7 Professional 6.1.7601 Microsoft Corporation 2012-07-20 09:08
Realtek Ethernet Controller All-In-One Windows Driver 1.12.0019 Realtek 2012-08-06 09:49
SUNIX Multi-IO Controller 7.2.0.0 SUNIX Co., Ltd. 2012-08-06 09:49
VNC Printer Driver 1.8.0 1.8.0 RealVNC Ltd. 2012-08-03 11:16
VNC Server 5.0.1 5.0.1 RealVNC Ltd 2012-08-03 11:16
VNC Viewer 5.0.1 5.0.1 RealVNC Ltd 2012-08-03 11:16
Windows Media Player 12,0,7601,17514 Microsoft Corporation 2012-07-20 09:08[/code]

But I find it weird that the scheduled task still shows a little information but not all.

edit: I just put the script in the startup folder of a user and that works but that's not the way I want to do it because users can manually execute it then.

Author:  jpa [ Tue Aug 07, 2012 1:14 am ]
Post subject:  Re: Windows 7 Audit problem

The audit code basically steps through these two keys for the installed software:

[code]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
[/code]

Review these keys for expected software entries and maybe check the permissions to these keys as well.
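
One way to carry out the check suggested in the post above, as an added example that is not part of the thread and is not Open-AudIT code: it reads the same two Uninstall keys under whatever account runs it, prints each key's ACL, and writes the entries it can see to a CSV. The output file name in %TEMP% is an arbitrary choice made for this example.

```powershell
# Added example, not Open-AudIT code. Written to run on PowerShell 2.0 (Windows 7 default).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Record the context: a non-elevated token under UAC reports elevated = False,
# and a 32-bit process sees the Wow6432Node view under both paths.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$is64      = ([IntPtr]::Size -eq 8)
Write-Host "User: $($identity.Name)  elevated: $elevated  64-bit process: $is64"

$entries = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path -Path $key)) { continue }   # no Wow6432Node on 32-bit Windows

    # Who may read this key? A missing read right would hide every entry below it.
    $acl = Get-Acl -Path $key -ErrorAction SilentlyContinue
    if ($acl) {
        $acl.Access | Select-Object IdentityReference, RegistryRights, AccessControlType |
            Format-Table -AutoSize | Out-String | Write-Host
    }

    # Collect subkeys; report the ones this account is not allowed to open.
    $subKeys = Get-ChildItem -Path $key -ErrorAction SilentlyContinue -ErrorVariable denied
    foreach ($e in $denied) { Write-Warning "Unreadable under ${key}: $($e.Exception.Message)" }

    foreach ($sub in $subKeys) {
        $p = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
        if ($p -and $p.DisplayName) {   # this example skips entries without a DisplayName
            New-Object PSObject -Property @{
                Name = $p.DisplayName; Version = $p.DisplayVersion
                Publisher = $p.Publisher; Key = $sub.Name
            }
        }
    }
}

# One file per account, so an admin run and a non-admin run can be compared.
$outFile = Join-Path $env:TEMP ("uninstall-{0}.csv" -f $env:USERNAME)
@($entries) | Select-Object Name, Version, Publisher, Key |
    Sort-Object Name, Version, Key -Unique |
    Export-Csv -Path $outFile -NoTypeInformation
Write-Host "Wrote $(@($entries).Count) entries to $outFile"
```

Run it once under each account or launch method being compared, then load the two CSV files with Import-Csv and pass them to Compare-Object with -Property Name, Version to list the entries only one run could see.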

Author:  MikeS [ Wed Aug 08, 2012 9:00 pm ]
Post subject:  Re: Windows 7 Audit problem

The permissions are ok.

I give up. I tried about everything. I don't get how people get it working on W7 & W2K8 with UAC turned on. Those 2 OSes are just flawed when it comes to executing a script. I don't see why it would let me execute it manually but with a GPO as a scheduled task it doesn't.

Author:  Mark [ Wed Aug 08, 2012 10:39 pm ]
Post subject:  Re: Windows 7 Audit problem

I just audit ours from a PC that uses Domain Admin creds...
I don't use logon scripts.
That's just me though.

Author:  MikeS [ Wed Aug 08, 2012 11:18 pm ]
Post subject:  Re: Windows 7 Audit problem

You don't use logon scripts? How do you audit then? Somehow you have to run the audit.vbs script, right?

Author:  jpa [ Thu Aug 09, 2012 1:26 am ]
Post subject:  Re: Windows 7 Audit problem

I linked to the [url=http://www.open-audit.org/phpBB3/viewtopic.php?f=6&t=1464#p6324]Howto[/url] earlier. Read that.

Basically you make sure the Windows Firewall on the clients allows remote admin, set the local_domain property in audit.vbs appropriately and run "cscript audit.vbs" using an account with admin credentials on the target computers.

Author:  MikeS [ Thu Aug 09, 2012 2:03 am ]
Post subject:  Re: Windows 7 Audit problem

Ah yes I see that way.

Anyways I found the problem. It's a really stupid mistake I made, I'm ashamed :oops:

Because I upgraded OpenAudit there was a new audit.vbs script. I created a Test OU in my Active Directory to test the script on a single PC.
I set block inheritance so no other GPO would conflict. But I only placed the Computer Object in that test OU and not my User Object. The GPO applied to the test OU contained a User setting instead of a Computer setting. Because my User account wasn't in the OU, the inheritance block wouldn't apply and it would still execute my old audit.vbs. I guess the old script wouldn't collect all the information, because I didn't see all the software, and when I executed the new script manually it would.

So thank you guys for helping. I hope I didn't waste your time too much :P


Soon I will upgrade to OAV2 too :twisted:

All times are UTC + 10 hours