Open-AudIT


All times are UTC + 10 hours




 Post subject: Software Usage in OAv2
Posted: Thu Nov 10, 2011 5:26 pm
Site Admin
I am (finally) coding the script to determine the last time a given piece of software was used. I have most of the executables determined for MS Office (see below), but am throwing open to everyone any executables you would like examined. If you would like something else, just post here and include the FULL path including the .exe name. I will add your item to the list below and delete your post (so as not to create a LONG list of posts, is all).

The attributes I am recording are "last accessed date" - i.e., the last time it was run - and also the extended attributes present on .exe files (File -> Properties -> Version -> ) "Product Name", "Product Version" and "Internal Version".

These attributes will be kept in a table in the database (sys_sw_software_used) separate from the "installed software" table (sys_sw_software). The products do not correspond to what is installed. For example, most installs of Office will show up as "Microsoft Office XP Professional" or some such. Creating entries for "Microsoft Word XP", "Microsoft Excel 2007", etc, etc in the existing installed software table would not be accurate, prone to error and cause confusion.

Therefore, I do not want actual product names - just the full path. The product name will be determined from the attribute on the file (as above). ProductName - InternalName (or some combination thereof).

So, a couple of examples are:

Code:
InternalName: Visio 2003
ProductName: Microsoft Visio
ProductVersion: 11.0
Date last accessed: 10/11/2011 4:56:17 PM

InternalName: Outlook
ProductName: Microsoft Office Outlook
ProductVersion: 11.0.8169
Date last accessed: 10/11/2011 4:26:47 PM

InternalName: WinWord
ProductName: Microsoft Office 2003
ProductVersion: 11.0.8169
Date last accessed: 10/11/2011 4:56:20 PM



Also of note is the fact that when a file's attributes are read, this changes the date of "lastAccessed". Sigh. I'll have to do some clever stuff in the processing of the audit results like "If lastAccessed is within 5 minutes of the time the system was last audited, do not update this field in the DB". That way, we can read the lastAccessed date and if it is set to the time of the last audit, then WE altered this by reading it last time. Disregard this timestamp and use the previous one. What a pain, but I don't see another way around this. I'm open to suggestions.


I have also attached a basic script to retrieve these details. Feel free to put some of your own paths into it and test it out. NOTE - If you use a remote system in strComputer, make sure the user account you use to run the script has Admin access on the remote system. Rename the script to files.vbs and run it with cscript.


The different Office directories correspond to -
Code:
Office 2000    - c:\Program Files\Microsoft Office\Office\
Office XP      - c:\Program Files\Microsoft Office\Office10\
Office 2003    - c:\Program Files\Microsoft Office\OFFICE11\
               - c:\Program Files\Microsoft Office\Visio11\
Office 2007    - c:\Program Files\Microsoft Office\OFFICE12\
Office 2010    - c:\Program Files\Microsoft Office\OFFICE14\


These are the files I am examining by default.
Code:
C:\Program Files\Microsoft Office\Office\winproj.exe
C:\Program Files\Microsoft Office\Office10\msaccess.exe
C:\Program Files\Microsoft Office\Visio11\visio.exe
c:\Program Files\Microsoft Office\OFFICE11\excel.exe
c:\Program Files\Microsoft Office\OFFICE11\outlook.exe
c:\Program Files\Microsoft Office\OFFICE11\msaccess.exe
c:\Program Files\Microsoft Office\OFFICE11\powerpnt.exe
c:\Program Files\Microsoft Office\OFFICE11\winproj.exe
c:\Program Files\Microsoft Office\OFFICE11\winword.exe
c:\Program Files\Microsoft Office\OFFICE12\excel.exe
c:\Program Files\Microsoft Office\OFFICE12\outlook.exe
c:\Program Files\Microsoft Office\OFFICE12\powerpnt.exe
c:\Program Files\Microsoft Office\OFFICE12\visio.exe
c:\Program Files\Microsoft Office\OFFICE12\winword.exe
c:\Program Files\Microsoft Office\OFFICE14\excel.exe
c:\Program Files\Microsoft Office\OFFICE14\outlook.exe
c:\Program Files\Microsoft Office\OFFICE14\powerpnt.exe
c:\Program Files\Microsoft Office\OFFICE14\visio.exe
c:\Program Files\Microsoft Office\OFFICE14\winword.exe


Attachments:
files.txt [12.63 KiB]

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.
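
Added example (not part of the original post and not Open-AudIT code): a Python version of the five-minute rule proposed above for processing audit results, replayed over a constructed timeline for one executable. The names merge_last_used, replay and SAMPLE_AUDITS are hypothetical; the last sample row is a read by something other than the audit or the user, which the rule has no way to tell apart from real use.

```python
from datetime import datetime, timedelta

AUDIT_WINDOW = timedelta(minutes=5)  # tolerance proposed in the post


def merge_last_used(stored, reported, prev_audit, window=AUDIT_WINDOW):
    """Return the last-used time to keep for one executable.

    stored     -- value already in the database, or None
    reported   -- lastAccessed as read by the current audit, or None
    prev_audit -- time of the previous audit of this system, or None
    """
    if reported is None:
        return stored
    if prev_audit is not None and abs(reported - prev_audit) <= window:
        return stored  # stamp left behind by our own previous read
    if stored is None or reported > stored:
        return reported
    return stored


def replay(audits):
    """Apply merge_last_used over (audit_time, reported) pairs in order."""
    stored, prev_audit, history = None, None, []
    for audit_time, reported in audits:
        stored = merge_last_used(stored, reported, prev_audit)
        history.append(stored)
        prev_audit = audit_time
    return history


def ts(text):
    """Parse a 'YYYY-MM-DD HH:MM:SS' string into a datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


# Constructed timeline for one file (not real audit data).
SAMPLE_AUDITS = [
    (ts("2011-11-09 02:00:00"), ts("2011-11-08 09:00:00")),  # real use, first audit
    (ts("2011-11-10 02:00:00"), ts("2011-11-09 02:00:07")),  # our own previous read
    (ts("2011-11-11 02:00:00"), ts("2011-11-10 16:56:20")),  # real use
    (ts("2011-11-12 02:00:00"), ts("2011-11-11 08:50:12")),  # touched by another reader
]

if __name__ == "__main__":
    for (audit_time, reported), kept in zip(SAMPLE_AUDITS, replay(SAMPLE_AUDITS)):
        print(audit_time, "reported", reported, "-> kept", kept)
```
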
Posted: Fri Nov 11, 2011 2:13 am
Moderator

Last accessed timestamp updating is disabled by default in Vista and newer. So if you want to track this stuff in modern Windows you'll need to enable it.


Posted: Fri Nov 11, 2011 6:56 am
Site Admin
Thanks JPA - well crap.
Anyone have any other suggestions for how to accomplish this?
Enabling this in Vista and newer isn't really an option (for OAv2).



Posted: Fri Nov 11, 2011 7:21 am
Moderator

I don't think you can do what you want without turning on file system auditing or creating a file system driver. However, I'm not an authority on this.


Posted: Fri Nov 11, 2011 9:11 am
Site Admin
Damn - I've done some reading and I don't know that the lastAccessed attribute is really suitable for determining when a program was last run. If anyone would like this feature, I am open to suggestions as to how to accomplish it, but it has to work "out of the box" on Win2000 and up and also 64bit versions...

It also seems a bit weird... This morning I HAVE NOT STARTED Word, Excel, PowerPoint or Access, yet when I ran the script it showed that the lastAccessed date for those files was 8:50:xx this morning. This was not when I signed on (that was earlier), it was not when I ran the script (that was later). Seems it just is not reliable enough :-(

For now I think I'll leave this out of OAv2 - unless we can create a suitable solution. A shame because it would be very useful.

Quote:
That all changed with Windows 95. When listing files, Windows Explorer, part of Windows 95 and later, opens each file to extract icons for the directory display and in the process updates the last accessed attribute, rendering it useless as a file management tool. This problem has existed in Windows at least up to and including Windows XP.
Windows Vista turned off the updating of the last accessed attribute to save system resources. In Windows 7 it is also off by default, but can be re-enabled from the command line with the following command:

fsutil behavior set disablelastaccess 0

When enabled on Windows 7, Windows Explorer seems to handle the last accessed attribute correctly.

To take advantage of this attribute you need to make sure Windows XP and earlier versions are removed from your networks. You also need to make sure your applications handle this attribute correctly. A few antivirus, anti-malware and backup software packages still reset this attribute. By making sure your utility software, applications and client operating systems don’t interfere you can regain the value this attribute offers.



Posted: Tue Nov 15, 2011 6:36 pm
Contributor

Hi Mark, you cannot rely on that file attribute. *Any* type of file access causes this property to be updated - that could be anti-virus scanning for example. Even opening the file properties in Explorer can cause the last accessed date to be updated.

_________________
Cheers, Nick.

OA Server: Windows Server 2003 / Apache 2
Auditing: 1600 Workstations, 200 Servers
OS's: Windows XP / Windows 2000 / Windows 2003 Server / Windows Vista
LDAP: Active Directory

