Open-AudIT
https://www.open-audit.org/phpBB3/

Bug running Audit Script
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5855
Page 1 of 1

Author:  langtee [ Tue Apr 03, 2012 10:04 pm ]
Post subject:  Bug running Audit Script

I'm using the attached Windows audit script and get the following error on Windows 2000 Pro machines (German):


[code]
C:\Dokumente und Einstellungen\Administrator\Desktop\audit_windows_akt.vbs(200, 3) Laufzeitfehler in Microsoft VBScript: Das Objekt unterstützt diese Eigenschaft oder Methode nicht.: 'oProc.commandLine'.
[/code]

[code]
for each oProc in getObject( "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2").instancesOf("Win32_Process")
    if lcase(oProc.name) = "wscript.exe" _
    or lcase(oProc.name) = "cscript.exe" Then
        ' The statement named in the error message (bolded in the original post)
        sCmdLine = oProc.commandLine
        if instr(1, sCmdLine, "\" & sScriptName, vbTextCompare) > 0 _
        or instr(1, sCmdLine, " " & sScriptName, vbTextCompare) > 0 _
        or instr(1, sCmdLine, """" & sScriptName, vbTextCompare) > 0 then
            nPID = oProc.processId
        end if
    end if
next
[/code]


Some more information: the Windows 2000 machines are all virtual VMware machines or Virtual PCs, but it's the same in VMware and VPC.
Other VMware machines with Windows XP work without problems.

Attachments:
audit_windows_akt.txt [242.95 KiB]

Author:  jpa [ Wed Apr 04, 2012 3:10 am ]
Post subject:  Re: Bug running Audit Script

The CommandLine property of Win32_Process is only available on Windows XP/2003 and newer. It appears this code is only retrieving the process Id for display so you can just comment it out or put some error handling in to skip over the problem.

Option 1 - Remove or comment out the following:
[code]
for each oProc in getObject( "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2").instancesOf("Win32_Process")
    if lcase(oProc.name) = "wscript.exe" _
    or lcase(oProc.name) = "cscript.exe" Then
        sCmdLine = oProc.commandLine
        if instr(1, sCmdLine, "\" & sScriptName, vbTextCompare) > 0 _
        or instr(1, sCmdLine, " " & sScriptName, vbTextCompare) > 0 _
        or instr(1, sCmdLine, """" & sScriptName, vbTextCompare) > 0 then
            nPID = oProc.processId
        end if
    end if
next

if debugging > "0" then wscript.echo "My PID is : " & nPID end if
[/code]

Option 2 - Mask the error:
[code]
for each oProc in getObject( "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2").instancesOf("Win32_Process")
    if lcase(oProc.name) = "wscript.exe" _
    or lcase(oProc.name) = "cscript.exe" Then
        ' Default to an empty command line; it stays empty where the property is missing
        sCmdLine = ""
        ' Suppress the runtime error for this one read only, then restore normal handling
        On error resume next
        sCmdLine = oProc.commandLine
        On error goto 0
        if instr(1, sCmdLine, "\" & sScriptName, vbTextCompare) > 0 _
        or instr(1, sCmdLine, " " & sScriptName, vbTextCompare) > 0 _
        or instr(1, sCmdLine, """" & sScriptName, vbTextCompare) > 0 then
            nPID = oProc.processId
        end if
    end if
next
[/code]

Option 3 - Deal with it in some other way.

Audit_List and Audit_Domain both have the same problem and won't work under Windows 2000.

Author:  langtee [ Wed Apr 04, 2012 3:45 am ]
Post subject:  Re: Bug running Audit Script

Thx for your help.
I will try this tomorrow; I hope that your error handling becomes part of the next script versions.

Author:  jpa [ Wed Apr 04, 2012 6:50 am ]
Post subject:  Re: Bug running Audit Script

Seems like a simple thing for Mark to fix. Unfortunately, you have now volunteered to take up testing of ancient platforms. I don't think there are many other users running a lot of Windows 2000. Or if they are, they're running the audits from a more recent Windows.

Author:  langtee [ Wed Apr 04, 2012 5:00 pm ]
Post subject:  Re: Bug running Audit Script

Absolutely no problem to volunteer with improving an already great product. I'm already happy that there is such a great project.
Your fix has helped... at least a bit.
Now I'm getting this error:
[code]
C:\audit_windows_2000.vbs(3002, 2) SWbemLocator: Der Parameter ist ungültig.
[/code]

with this code (line 3002 is the part in the else branch):
[code]
if strUser <> "" then
    ' Username & Password provided - assume not a domain local PC.
    Set objServices = objLocator.ConnectServer(strComputer, "root\default", strUser, strPass, "", "", wbemConnectFlagUseMaxWait, objCtx)
else
    Set objServices = objLocator.ConnectServer(strComputer, "root\default", "", "", "", "", wbemConnectFlagUseMaxWait, objCtx)
end if
[/code]

After commenting this region out, the script runs to the end. So perhaps some error handling might be necessary here. Even though I am a software developer, I'm not a script developer, and a fix would be better written by someone else ;)

ADDED:
OK, I just did a quick overview of the auditing results.
Is there a known bug which prevents the system from reading the Windows 2000 keys?
If not... it doesn't work ;)
If it's a known problem or even impossible... is there a workaround?
Perhaps auditing from a different machine? (The VM is not part of a domain.)

Author:  jpa [ Thu Apr 05, 2012 1:57 am ]
Post subject:  Re: Bug running Audit Script

You're still running into problems the script has with Windows 2000 that haven't been found because it gets no testing. This particular section is trying to retrieve a Win 64bit key. According to [url=http://msdn.microsoft.com/en-us/library/windows/desktop/aa393067%28v=vs.85%29.aspx]the documentation[/url] this should work because older operating systems are supposed to ignore the context flags if they are not implemented. From your error it looks like this is not the case with Windows 2000 (at least).

Super naive fix is to skip this test if we're on Windows 2000. So just wrap the "MS CD Keys for Windows 64bit" stuff in an exclusion test for Windows 2000.
[code]
'''''''''''''''''''''''''''''''''''''''''''''''''
' MS CD Keys for Windows 64bit '
'''''''''''''''''''''''''''''''''''''''''''''''''
if (IsOS2K <> 1) then
    Subhive="SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    Set objCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
    objCtx.Add "__ProviderArchitecture", 64
    objCtx.Add "__RequiredArchitecture", TRUE
    Set objLocator = CreateObject("Wbemscripting.SWbemLocator")

    if strUser <> "" then
        ' Username & Password provided - assume not a domain local PC.
        Set objServices = objLocator.ConnectServer(strComputer, "root\default", strUser, strPass, "", "", wbemConnectFlagUseMaxWait, objCtx)
    else
        Set objServices = objLocator.ConnectServer(strComputer, "root\default", "", "", "", "", wbemConnectFlagUseMaxWait, objCtx)
    end if
    Set o64reg = objServices.Get("StdRegProv")
    key_text = null
    Set Inparams = o64reg.Methods_("GetStringValue").Inparameters
    Inparams.Hdefkey = HKEY_LOCAL_MACHINE
    Inparams.Ssubkeyname = Subhive
    Inparams.Svaluename = "DigitalProductID"
    set Outparams = o64reg.ExecMethod_("GetBinaryValue", Inparams,,objCtx)
    key_text = getkey(Outparams.uValue, 1)
    if (IsNull(key_text) or (win_cd_key = "y")) then
        ' do nothing
    else
        win_cd_key = "y"
        result = result & " <key>" & vbcrlf
        result = result & " <key_name>" & escape_xml(system_os_name) & "</key_name>" & vbcrlf
        result = result & " <key_text>" & escape_xml(key_text) & "</key_text>" & vbcrlf
        result = result & " <key_release>" & escape_xml(windows_build_number) & "</key_release>" & vbcrlf
        result = result & " <key_edition>" & escape_xml(system_os_version) & "</key_edition>" & vbcrlf
        result = result & " </key>" & vbcrlf
    end if
    Inparams.Svaluename = "DigitalProductID4"
    set Outparams = o64reg.ExecMethod_("GetBinaryValue", Inparams,,objCtx)
    if IsNull(Outparams.uValue) then
        key_text = NULL
    else
        key_text = getkey(Outparams.uValue, 1)
    end if
    if (IsNull(key_text) or (win_cd_key = "y")) then
        ' do nothing
    else
        win_cd_key = "y"
        result = result & " <key>" & vbcrlf
        result = result & " <key_name>" & escape_xml(system_os_name) & "</key_name>" & vbcrlf
        result = result & " <key_text>" & escape_xml(key_text) & "</key_text>" & vbcrlf
        result = result & " <key_release>" & escape_xml(windows_build_number) & "</key_release>" & vbcrlf
        result = result & " <key_edition>" & escape_xml(system_os_version) & "</key_edition>" & vbcrlf
        result = result & " </key>" & vbcrlf
    end if
end if
[/code]
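
An alternative to the OS-version test in the post above, as an added example that is not part of the thread or of the Open-AudIT script: attempt the 64-bit connection and treat a rejected architecture context as "no 64-bit view", so the audit continues on any platform that refuses the flags. `Get64BitRegProv` is a hypothetical helper name, and `wbemConnectFlagUseMaxWait` is defined here as 128 because a standalone script has no type library to supply it.

```vbscript
Option Explicit

Const wbemConnectFlagUseMaxWait = 128   ' 0x80, the flag the audit script passes

' Hypothetical helper: returns a StdRegProv bound to the 64-bit registry view,
' or Nothing when the target rejects the architecture context
' (the "parameter is invalid" failure reported for Windows 2000 above).
Function Get64BitRegProv(strComputer, strUser, strPass)
    Dim objCtx, objLocator, objServices, reg, errNum, errText
    Set reg = Nothing

    Set objCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
    objCtx.Add "__ProviderArchitecture", 64
    objCtx.Add "__RequiredArchitecture", True
    Set objLocator = CreateObject("WbemScripting.SWbemLocator")

    ' Suppress errors only around the two calls that depend on the context,
    ' capture the result, then restore normal error handling straight away.
    On Error Resume Next
    Set objServices = objLocator.ConnectServer(strComputer, "root\default", _
        strUser, strPass, "", "", wbemConnectFlagUseMaxWait, objCtx)
    If Err.Number = 0 Then Set reg = objServices.Get("StdRegProv")
    errNum = Err.Number
    errText = Err.Description
    Err.Clear
    On Error GoTo 0

    If errNum <> 0 Then
        ' Report the failure instead of hiding it, so skipped hosts are visible.
        WScript.Echo "64-bit registry view unavailable on " & strComputer & _
            " (0x" & Hex(errNum) & " " & errText & ")"
        Set reg = Nothing
    End If

    Set Get64BitRegProv = reg
End Function

' Usage: "." is the local machine; empty user and password mean the
' current credentials, as in the else branch of the original script.
Dim o64reg
Set o64reg = Get64BitRegProv(".", "", "")
If o64reg Is Nothing Then
    WScript.Echo "Skipping the 64-bit CD key section."
Else
    WScript.Echo "Connected; the DigitalProductID lookup can run."
End If
```

Because the error number and description are echoed, a host that is skipped for an unrelated reason (bad credentials, unreachable machine) shows up in the audit output rather than being silently treated like Windows 2000.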

All times are UTC + 10 hours