Open-AudIT https://www.open-audit.org/phpBB3/ |
[FIXED] Windows 7 Audit problem https://www.open-audit.org/phpBB3/viewtopic.php?f=10&t=5914 |
Page 2 of 2 |
Author: | jpa [ Mon Aug 06, 2012 4:17 pm ] |
Post subject: | Re: Windows 7 Audit problem |
Non-admin audits are missing a very few things in OA v2. Not much but they're not complete. Some stuff might be missed in OA v1 as well. Diff a run as admin and non and you'll see what, if anything, is missing. |
Author: | MikeS [ Mon Aug 06, 2012 5:51 pm ] |
Post subject: | Re: Windows 7 Audit problem |
Well if I run the script with scheduled task as a non admin user I get this
[code]
VNC Viewer 5.0.1 5.0.1 RealVNC Ltd 2012-08-03 11:16
VNC Server 5.0.1 5.0.1 RealVNC Ltd 2012-08-03 11:16
VNC Printer Driver 1.8.0 1.8.0 RealVNC Ltd. 2012-08-03 11:16
Microsoft Office Office 64-bit Components 2010 14.0.6029.1000 Microsoft Corporation 2012-07-20 10:01
Microsoft Office Shared 64-bit MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-07-20 10:01
Conexant HD Audio 8.50.5.0 Conexant 2012-07-20 09:08
DW WLAN Card Utility 5.60.48.35 Dell Inc. 2012-07-20 09:08
Microsoft Visual C 2005 Redistributable (x64) 8.0.56336 Microsoft Corporation 2012-07-20 09:08
Microsoft Visual C 2008 Redistributable - x64 9.0.30729.17 9.0.30729 Microsoft Corporation 2012-07-20 09:08
Codec - Audio - l3codeca 1.9.0.401 Fraunhofer Institut Integrierte Schaltungen IIS 2012-07-20 09:08
MDAC 6.1.7601.17514 Microsoft Corporation 2012-07-20 09:08
DirectX 9c 4.09.00.0904 Microsoft Corporation 2012-07-20 09:08
Windows Media Player 12,0,7601,17514 Microsoft Corporation 2012-07-20 09:08
Internet Explorer 9.0.8112.16421 Microsoft Corporation 2012-07-20 09:08
Microsoft Windows 7 Professional 6.1.7601 Microsoft Corporation 2012-07-20 09:08
[/code]
When I run the script as a non admin user with cscript I get this
[code]
7-Zip 9.20 9.20.00.0 Igor Pavlov 2012-08-06 09:49
Adobe Reader 9.3 9.3.0 Adobe Systems Incorporated 2012-08-06 09:49
Cisco EAP-FAST Module 2.2.14 Cisco Systems, Inc. 2012-08-06 09:49
Cisco LEAP Module 1.0.19 Cisco Systems, Inc. 2012-08-06 09:49
Cisco PEAP Module 1.1.6 Cisco Systems, Inc. 2012-08-06 09:49
Codec - Audio - l3codeca 1.9.0.401 Fraunhofer Institut Integrierte Schaltungen IIS 2012-07-20 09:08
Conexant HD Audio 8.50.5.0 Conexant 2012-07-20 09:08
DirectX 9c 4.09.00.0904 Microsoft Corporation 2012-07-20 09:08
DW WLAN Card Utility 5.60.48.35 Dell Inc. 2012-07-20 09:08
Intel(R) Management Engine Components 7.0.0.1144 Intel Corporation 2012-08-06 09:49
Intel(R) Processor Graphics 8.15.10.2418 Intel Corporation 2012-08-06 09:49
Internet Explorer 9.0.8112.16421 Microsoft Corporation 2012-07-20 09:08
MDAC 6.1.7601.17514 Microsoft Corporation 2012-07-20 09:08
Microsoft Office Access MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Excel MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Groove MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office InfoPath MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Office 64-bit Components 2010 14.0.6029.1000 Microsoft Corporation 2012-07-20 10:01
Microsoft Office OneNote MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Outlook MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office PowerPoint MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Professional Plus 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Proof (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Proof (English) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Proof (French) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Proof (German) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Proofing (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Publisher MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Shared 64-bit MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-07-20 10:01
Microsoft Office Shared MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Office Word MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-06 09:49
Microsoft Visual C 2005 Redistributable (x64) 8.0.56336 Microsoft Corporation 2012-07-20 09:08
Microsoft Visual C 2008 Redistributable - x64 9.0.30729.17 9.0.30729 Microsoft Corporation 2012-07-20 09:08
Microsoft Windows 7 Professional 6.1.7601 Microsoft Corporation 2012-07-20 09:08
Realtek Ethernet Controller All-In-One Windows Driver 1.12.0019 Realtek 2012-08-06 09:49
SUNIX Multi-IO Controller 7.2.0.0 SUNIX Co., Ltd. 2012-08-06 09:49
VNC Printer Driver 1.8.0 1.8.0 RealVNC Ltd. 2012-08-03 11:16
VNC Server 5.0.1 5.0.1 RealVNC Ltd 2012-08-03 11:16
VNC Viewer 5.0.1 5.0.1 RealVNC Ltd 2012-08-03 11:16
Windows Media Player 12,0,7601,17514 Microsoft Corporation 2012-07-20 09:08
[/code]
But I find it weird the scheduled task still shows a little information but not all. edit: I just put the script in the startup folder of a user and that works but that's not the way I want to do it because users can manually execute it then. |
Author: | jpa [ Tue Aug 07, 2012 1:14 am ] |
Post subject: | Re: Windows 7 Audit problem |
The audit code basically steps through these two keys for the installed software:
[code]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
[/code]
Review these keys for expected software entries and maybe check the permissions to these keys as well. |
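The check jpa describes, combined with the admin versus non-admin diff suggested earlier in the thread, as an added PowerShell example (not from the thread and not Open-AudIT's own code; the function names and CSV file names are assumptions). It lists the entries under the two Uninstall keys, prints each key's ACL, and compares two saved runs:

```powershell
# Added example; Get-UninstallEntries, Compare-UninstallRuns and the CSV names are hypothetical.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# A 32-bit host on 64-bit Windows is redirected to Wow6432Node for the first key,
# so record the bitness of the process alongside the results.
$Is64BitHost = ([IntPtr]::Size -eq 8)

function Get-UninstallEntries {
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path -Path $key)) { continue }   # Wow6432Node is absent on 32-bit Windows
        # Access-denied errors are left visible: they point at a permissions problem.
        Get-ChildItem -Path $key |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName } |
            Select-Object DisplayName, DisplayVersion, Publisher, PSPath
    }
}

function Show-UninstallKeyAcl {
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        Write-Output "ACL for $key"
        (Get-Acl -Path $key).Access |
            Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
    }
}

function Compare-UninstallRuns([string]$AdminCsv, [string]$UserCsv) {
    if (-not ((Test-Path $AdminCsv) -and (Test-Path $UserCsv))) {
        throw "Both CSV files must exist before comparing."
    }
    # SideIndicator '<=' means the entry appears only in the admin run.
    Compare-Object (Import-Csv $AdminCsv) (Import-Csv $UserCsv) -Property DisplayName, DisplayVersion
}

# Run once per account; the output file is named after the account that ran it.
Write-Output "64-bit host process: $Is64BitHost"
Show-UninstallKeyAcl
Get-UninstallEntries | Sort-Object DisplayName |
    Export-Csv -NoTypeInformation -Path ("uninstall-{0}.csv" -f $env:USERNAME)
```

After running it under both accounts, `Compare-UninstallRuns .\uninstall-<admin>.csv .\uninstall-<user>.csv` lists the entries that only one of the two runs could see.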
Author: | MikeS [ Wed Aug 08, 2012 9:00 pm ] |
Post subject: | Re: Windows 7 Audit problem |
The permissions are ok. I give it up. I tried about everything. I don't get how people get it working on W7 & W2K8 with UAC turned on. Those 2 OS's are just flawed when it comes to executing a script. I don't see why it would let me execute it manually but with a GPO as a scheduled task it doesn't. |
Author: | Mark [ Wed Aug 08, 2012 10:39 pm ] |
Post subject: | Re: Windows 7 Audit problem |
I just audit ours from a PC that uses Domain Admin creds... I don't use logon scripts. That's just me though. |
Author: | MikeS [ Wed Aug 08, 2012 11:18 pm ] |
Post subject: | Re: Windows 7 Audit problem |
You don't use logon scripts? How do you audit then? Somehow you have to run the audit.vbs script, right? |
Author: | jpa [ Thu Aug 09, 2012 1:26 am ] |
Post subject: | Re: Windows 7 Audit problem |
I linked to the [url=http://www.open-audit.org/phpBB3/viewtopic.php?f=6&t=1464#p6324]Howto[/url] earlier. Read that. Basically you make sure the Windows Firewall on the clients allows remote admin, set the local_domain property in audit.vbs appropriately and run "cscript audit.vbs" using an account with admin credentials on the target computers. |
Author: | MikeS [ Thu Aug 09, 2012 2:03 am ] |
Post subject: | Re: Windows 7 Audit problem |
Ah yes I see that way. Anyways I found the problem. It's a really stupid mistake I made, I'm ashamed. Because I upgraded OpenAudit there was a new audit.vbs script. I created a Test OU in my Active Directory to test the script on a single PC. I set block inheritance so no other GPO would conflict. But I only placed the Computer Object in that test OU and not my User Object. The GPO applied to the test OU contained a User setting instead of a Computer one. Because my User account wasn't in the OU the inheritance block wouldn't apply and it would still execute my old audit.vbs. I guess the old script wouldn't collect all the information because I didn't see all the software and when I executed the new script manually it would. So thank you guys for helping. I hope I didn't waste your time too much. Soon I will upgrade to OAV2 too. |
Page 2 of 2 | All times are UTC + 10 hours |