Open-AudIT

What's on your network?

All times are UTC + 10 hours
 Post subject: Help wanted (vbscript)
PostPosted: Thu Jul 14, 2011 4:13 pm 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1944
Location: Brisbane, Australia
I am hacking some VBScript to attempt to determine the user that installed a program.
If I can get it going, I can add this to OAv2.

The script is below.
I get an unhelpful error and haven't managed to get it going.
If anyone can help, it would be most appreciated.
You can save it as blah.vbs and run it with "cscript blah.vbs".
It should dump any software it finds an entry for in the App Log - title, who installed it and when.
It should only dump the first entry it finds, i.e. if you have installed, removed and installed a given piece of software, it may well have multiple entries in the Application Event Log.

Again, any help much appreciated.

Code:
strComputer = "."
const HKEY_LOCAL_MACHINE    = &H80000002
set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("SELECT Message, User, TimeGenerated FROM Win32_NTLogEvent where logfile = 'Application' and eventcode = '11707'",,48)
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
oReg.EnumKey HKEY_LOCAL_MACHINE,strKeyPath,arrSubKeys
for each subkey In arrSubKeys
   newpath = strKeyPath & "\" & subkey
   newkey = "DisplayName"
   oReg.GetStringValue HKEY_LOCAL_MACHINE, newpath, newkey, strValue
   if strValue <> "" then
      package_name = strValue
      for each objItem in colItems
         mess1 = split(objItem.Message, "--")
         mess2 = split(mess1(0), " ", vbTextCompare)
         mess3 = split(mess2(0), "Product:")
         message_retrieved = trim(mess3(1))
         if (not isNull(message_retrieved)) then
            if (InStr(message_retrieved, package_name) = 1) then
               package_installed_by = objItem.User
               package_installed_on = WMIDateStringToDate(objItem.TimeGenerated)
               wscript.echo package_name & " Installed By: " & package_installed_by & " On: " & package_installed_on
               exit for
            else
               package_installed_by = ""
               package_installed_on = ""
            end if
         end if
      next
   
   end if
next

function WMIDateStringToDate(dtmDate)
   WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
   Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
   & " " & Mid (dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate,13, 2))
end function

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.


PostPosted: Fri Jul 15, 2011 4:15 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1254
Two things:

It's possible for objItem.Message to be Null so you need to test for that.

More importantly the 48 at the end of your ExecQuery means something. Specifically, that you want a return immediately, forward-only query. You then proceed to loop over the results repeatedly when they were clobbered after the first run through.

So something more like this:
Code:
strComputer = "."
const HKEY_LOCAL_MACHINE = &H80000002
set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Flags 0 instead of 48: 48 = wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32),
' and a forward-only collection is exhausted after the first package has been checked.
Set colItems = objWMIService.ExecQuery("SELECT Message, User, TimeGenerated FROM Win32_NTLogEvent where logfile = 'Application' and eventcode = '11707'",,0)
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
for each subkey In arrSubKeys
   newpath = strKeyPath & "\" & subkey
   newkey = "DisplayName"
   oReg.GetStringValue HKEY_LOCAL_MACHINE, newpath, newkey, strValue
   ' strValue is Null when the subkey carries no DisplayName value
   if not isNull(strValue) and strValue <> "" then
      package_name = strValue
      for each objItem in colItems
         ' Message can be Null; split() on a Null raises an error, so skip those events
         if not isNull(objItem.Message) then
            ' 11707 messages read "Product: <name> -- Installation completed successfully."
            mess1 = split(objItem.Message, "--")
            mess3 = split(mess1(0), "Product:")
            ' guard against a message that does not carry the "Product:" prefix
            if UBound(mess3) >= 1 then
               message_retrieved = trim(mess3(1))
               if (InStr(message_retrieved, package_name) = 1) then
                  package_installed_by = objItem.User
                  package_installed_on = WMIDateStringToDate(objItem.TimeGenerated)
                  wscript.echo package_name & " Installed By: " & package_installed_by & " On: " & package_installed_on
                  exit for
               else
                  package_installed_by = ""
                  package_installed_on = ""
               end if
            end if
         end if
      next
   end if
next

function WMIDateStringToDate(dtmDate)
   ' WMI dates look like yyyymmddHHMMSS.ffffff+UUU; rebuild the pieces into a string CDate accepts
   WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
   Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
   & " " & Mid (dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate,13, 2))
end function


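To make the correlation the two scripts perform concrete (and the Null Message case from the reply above), here is an added Python example; it is not code from the thread or from Open-AudIT. The DisplayName list and the 11707 event rows are constructed stand-ins for what the VBScript reads from the Uninstall key and Win32_NTLogEvent, and the exact= option is an addition showing how the thread's InStr(...) = 1 prefix test differs from a whole-name comparison.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the DisplayName values read from the Uninstall key.
UNINSTALL_DISPLAY_NAMES = ["7-Zip 9.20", "Example Agent", "Example Agent Tools"]

# Constructed Win32_NTLogEvent rows for MsiInstaller event 11707, newest first.
# One Message is None, the case the reply says the script must test for.
EVENTS = [
    {"Message": "Product: Example Agent Tools -- Installation completed successfully.",
     "User": "CORP\\dave", "TimeGenerated": "20110715120000.000000+600"},
    {"Message": "Product: Example Agent -- Installation completed successfully.",
     "User": "CORP\\alice", "TimeGenerated": "20110714161300.000000+600"},
    {"Message": None, "User": "NT AUTHORITY\\SYSTEM",
     "TimeGenerated": "20110714100000.000000+600"},
    {"Message": "Product: 7-Zip 9.20 -- Installation completed successfully.",
     "User": "CORP\\carol", "TimeGenerated": "20110701080000.000000+600"},
]

def wmi_datetime(value):
    # CIM datetime: yyyymmddHHMMSS.ffffff+UUU, UUU being the UTC offset in minutes.
    # The thread's WMIDateStringToDate drops that offset; it is kept here.
    m = re.fullmatch(r"(\d{14})\.(\d{6})([+-])(\d{3})", value)
    if not m:
        raise ValueError(f"not a CIM datetime: {value!r}")
    base = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    sign = 1 if m.group(3) == "+" else -1
    tz = timezone(sign * timedelta(minutes=int(m.group(4))))
    return base.replace(microsecond=int(m.group(2)), tzinfo=tz)

def product_from_message(message):
    # Product name from "Product: <name> -- ...", or None when the Message is
    # Null/empty or lacks the layout the VBScript's split() calls assume.
    if not message:
        return None
    head = message.split("--", 1)[0].strip()
    return head[len("Product:"):].strip() if head.startswith("Product:") else None

def first_install_record(display_name, events, exact=False):
    # First matching event as (user, datetime). The thread's InStr(...) = 1 test
    # is a prefix match, so "Example Agent" also matches the "Example Agent Tools"
    # event; exact=True compares whole names instead.
    for ev in events:
        product = product_from_message(ev["Message"])
        if product is None:
            continue
        if (product == display_name) if exact else product.startswith(display_name):
            return ev["User"], wmi_datetime(ev["TimeGenerated"])
    return None
```

With the sample rows, the prefix test attributes "Example Agent" to the newer "Example Agent Tools" install, which is the kind of false match an inventory should watch for when it records who installed what.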
PostPosted: Fri Jul 15, 2011 9:21 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1944
Location: Brisbane, Australia
Awesome, thanks.
I knew it was related to something there... I was getting one result before it would bomb.
So, going forward, OAv2 will not only tell you when it sees new software, but WHO installed it and WHEN.
Looks like a schema change is coming to beta3...



PostPosted: Fri Jul 15, 2011 9:26 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1254
While you're in there updating the schema maybe you could add the uptime?


PostPosted: Fri Jul 15, 2011 10:30 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1944
Location: Brisbane, Australia
Yep, sure. Done.
Expect these in Beta 3.


