Open-AudIT https://www.open-audit.org/phpBB3/ |
Bug running Audit Script https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5855 |
Page 1 of 1 |
Author: | langtee [ Tue Apr 03, 2012 10:04 pm ] |
Post subject: | Bug running Audit Script |
I'm using the attached Windows Audit Script and get the following error on Windows 2000 Pro machines (German):

C:\Dokumente und Einstellungen\Administrator\Desktop\audit_windows_akt.vbs(200, 3) Laufzeitfehler in Microsoft VBScript: Das Objekt unterstützt diese Eigenschaft oder Methode nicht.: 'oProc.commandLine'.

[code]
for each oProc in getObject( "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2").instancesOf("Win32_Process")
  if lcase(oProc.name) = "wscript.exe" _
  or lcase(oProc.name) = "cscript.exe" Then
    sCmdLine = oProc.commandLine   ' line 200: the runtime error is raised here
    if instr(1, sCmdLine, "\" & sScriptName, vbTextCompare) > 0 _
    or instr(1, sCmdLine, " " & sScriptName, vbTextCompare) > 0 _
    or instr(1, sCmdLine, """" & sScriptName, vbTextCompare) > 0 then
      nPID = oProc.processId
    end if
  end if
next
[/code]

Some more information: the Windows 2000 machines are all virtual VMware machines or VirtualPCs, but it's the same in VMware and VPC. Other VMware machines with Windows XP work without problems.
|
Author: | jpa [ Wed Apr 04, 2012 3:10 am ] |
Post subject: | Re: Bug running Audit Script |
The CommandLine property of Win32_Process is only available on Windows XP/2003 and newer. It appears this code is only retrieving the process Id for display so you can just comment it out or put some error handling in to skip over the problem.

Option 1 - Remove or comment out the following:

[code]
for each oProc in getObject( "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2").instancesOf("Win32_Process")
  if lcase(oProc.name) = "wscript.exe" _
  or lcase(oProc.name) = "cscript.exe" Then
    sCmdLine = oProc.commandLine
    if instr(1, sCmdLine, "\" & sScriptName, vbTextCompare) > 0 _
    or instr(1, sCmdLine, " " & sScriptName, vbTextCompare) > 0 _
    or instr(1, sCmdLine, """" & sScriptName, vbTextCompare) > 0 then
      nPID = oProc.processId
    end if
  end if
next
if debugging > "0" then
  wscript.echo "My PID is : " & nPID
end if
[/code]

Option 2 - Mask the error:

[code]
for each oProc in getObject( "winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2").instancesOf("Win32_Process")
  if lcase(oProc.name) = "wscript.exe" _
  or lcase(oProc.name) = "cscript.exe" Then
    sCmdLine = ""
    On error resume next
    sCmdLine = oProc.commandLine
    On error goto 0
    if instr(1, sCmdLine, "\" & sScriptName, vbTextCompare) > 0 _
    or instr(1, sCmdLine, " " & sScriptName, vbTextCompare) > 0 _
    or instr(1, sCmdLine, """" & sScriptName, vbTextCompare) > 0 then
      nPID = oProc.processId
    end if
  end if
next
[/code]

Option 3 - Deal with it in some other way.

Audit_List and Audit_Domain both have the same problem and won't work under Windows 2000. |
Author: | langtee [ Wed Apr 04, 2012 3:45 am ] |
Post subject: | Re: Bug running Audit Script |
Thx for your help. I will try this tomorrow, and hope that your error handling becomes part of the next script versions. |
Author: | jpa [ Wed Apr 04, 2012 6:50 am ] |
Post subject: | Re: Bug running Audit Script |
Seems like a simple thing for Mark to fix. Unfortunately, you have now volunteered to take up testing of ancient platforms. I don't think there are many other users running a lot of Windows 2000. Or if they are, they're running the audits from a more recent Windows. |
Author: | langtee [ Wed Apr 04, 2012 5:00 pm ] |
Post subject: | Re: Bug running Audit Script |
Absolutely no problem to volunteer with improving an already great product. I'm already happy that there is such a great project. Your fix has helped... at least a bit. Now I'm getting this error:

[code]
C:\audit_windows_2000.vbs(3002, 2) SWbemLocator: Der Parameter ist ungültig.
[/code]

with this code (line 3002 is the part in the else branch):

[code]
if strUser <> "" then
  ' Username & Password provided - assume not a domain local PC.
  Set objServices = objLocator.ConnectServer(strComputer, "root\default", strUser, strPass, "", "", wbemConnectFlagUseMaxWait, objCtx)
else
  Set objServices = objLocator.ConnectServer(strComputer, "root\default", "", "", "", "", wbemConnectFlagUseMaxWait, objCtx)
end if
[/code]

After commenting this region out, the script runs to the end. So perhaps some error handling might be necessary here. Even though I am a software developer, I'm not a script developer, and a fix would be better written by someone else.

ADDED: OK, I just did a quick overview of the auditing results. Is there a known bug which prevents the system from reading the Windows 2000 keys? If not... it doesn't work if it's a known problem or even impossible... Is there a workaround? Perhaps auditing from a different machine. (The VM is not part of a domain.) |
Author: | jpa [ Thu Apr 05, 2012 1:57 am ] |
Post subject: | Re: Bug running Audit Script |
You're still running into problems the script has with Windows 2000 that haven't been found because it gets no testing. This particular section is trying to retrieve a Win 64bit key. According to [url=http://msdn.microsoft.com/en-us/library/windows/desktop/aa393067%28v=vs.85%29.aspx]the documentation[/url] this should work because older operating systems are supposed to ignore the context flags if they are not implemented. From your error it looks like this is not the case with Windows 2000 (at least).

Super naive fix is to skip this test if we're on Windows 2000. So just wrap the "MS CD Keys for Windows 64bit" stuff in an exclusion test for Windows 2000.

[code]
'''''''''''''''''''''''''''''''''''''''''''''''''
' MS CD Keys for Windows 64bit '
'''''''''''''''''''''''''''''''''''''''''''''''''
if (IsOS2K <> 1) then
  Subhive="SOFTWARE\Microsoft\Windows NT\CurrentVersion"
  Set objCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
  objCtx.Add "__ProviderArchitecture", 64
  objCtx.Add "__RequiredArchitecture", TRUE
  Set objLocator = CreateObject("Wbemscripting.SWbemLocator")
  if strUser <> "" then
    ' Username & Password provided - assume not a domain local PC.
    Set objServices = objLocator.ConnectServer(strComputer, "root\default", strUser, strPass, "", "", wbemConnectFlagUseMaxWait, objCtx)
  else
    Set objServices = objLocator.ConnectServer(strComputer, "root\default", "", "", "", "", wbemConnectFlagUseMaxWait, objCtx)
  end if
  Set o64reg = objServices.Get("StdRegProv")
  key_text = null
  Set Inparams = o64reg.Methods_("GetStringValue").Inparameters
  Inparams.Hdefkey = HKEY_LOCAL_MACHINE
  Inparams.Ssubkeyname = Subhive
  Inparams.Svaluename = "DigitalProductID"
  set Outparams = o64reg.ExecMethod_("GetBinaryValue", Inparams,,objCtx)
  key_text = getkey(Outparams.uValue, 1)
  if (IsNull(key_text) or (win_cd_key = "y")) then
    ' do nothing
  else
    win_cd_key = "y"
    result = result & " <key>" & vbcrlf
    result = result & " <key_name>" & escape_xml(system_os_name) & "</key_name>" & vbcrlf
    result = result & " <key_text>" & escape_xml(key_text) & "</key_text>" & vbcrlf
    result = result & " <key_release>" & escape_xml(windows_build_number) & "</key_release>" & vbcrlf
    result = result & " <key_edition>" & escape_xml(system_os_version) & "</key_edition>" & vbcrlf
    result = result & " </key>" & vbcrlf
  end if
  Inparams.Svaluename = "DigitalProductID4"
  set Outparams = o64reg.ExecMethod_("GetBinaryValue", Inparams,,objCtx)
  if IsNull(Outparams.uValue) then
    key_text = NULL
  else
    key_text = getkey(Outparams.uValue, 1)
  end if
  if (IsNull(key_text) or (win_cd_key = "y")) then
    ' do nothing
  else
    win_cd_key = "y"
    result = result & " <key>" & vbcrlf
    result = result & " <key_name>" & escape_xml(system_os_name) & "</key_name>" & vbcrlf
    result = result & " <key_text>" & escape_xml(key_text) & "</key_text>" & vbcrlf
    result = result & " <key_release>" & escape_xml(windows_build_number) & "</key_release>" & vbcrlf
    result = result & " <key_edition>" & escape_xml(system_os_version) & "</key_edition>" & vbcrlf
    result = result & " </key>" & vbcrlf
  end if
end if
[/code] |
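An added example, not part of the thread and not Open-AudIT's own code: one way to apply the error handling asked for above to the ConnectServer call, trapping only that call and reporting why the 64-bit registry view was skipped rather than testing for Windows 2000. The helper name TryConnect and the ProductName read are assumptions made for illustration.

```vbscript
Option Explicit
Const wbemConnectFlagUseMaxWait = 128          ' &H80 in the WMI scripting API
Const HKEY_LOCAL_MACHINE = &H80000002

' Hypothetical helper (not in the audit script): connect to root\default with
' the given context. Returns Nothing and fills strError when the target
' rejects the call, instead of aborting the whole audit run.
Function TryConnect(objCtx, strComputer, strUser, strPass, ByRef strError)
    Dim objLocator, objServices
    Set TryConnect = Nothing
    strError = ""
    Set objLocator = CreateObject("WbemScripting.SWbemLocator")
    On Error Resume Next                       ' trap only this one call
    Set objServices = objLocator.ConnectServer(strComputer, "root\default", _
        strUser, strPass, "", "", wbemConnectFlagUseMaxWait, objCtx)
    If Err.Number <> 0 Then
        strError = "0x" & Hex(Err.Number) & " " & Err.Source & ": " & Err.Description
    Else
        Set TryConnect = objServices
    End If
    On Error GoTo 0                            ' restore normal error handling
End Function

Dim objCtx, objServices, o64reg, Inparams, Outparams, strError
Set objCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
objCtx.Add "__ProviderArchitecture", 64
objCtx.Add "__RequiredArchitecture", True

Set objServices = TryConnect(objCtx, ".", "", "", strError)
If objServices Is Nothing Then
    ' Report the gap so a missing key is not mistaken for "no key present".
    WScript.Echo "64-bit registry view skipped: " & strError
Else
    Set o64reg = objServices.Get("StdRegProv")
    Set Inparams = o64reg.Methods_("GetStringValue").InParameters
    Inparams.hDefKey = HKEY_LOCAL_MACHINE
    Inparams.sSubKeyName = "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    Inparams.sValueName = "ProductName"        ' stand-in value for illustration
    Set Outparams = o64reg.ExecMethod_("GetStringValue", Inparams, , objCtx)
    If Outparams.ReturnValue = 0 Then
        WScript.Echo "ProductName (64-bit view): " & Outparams.sValue
    Else
        WScript.Echo "GetStringValue failed, code " & Outparams.ReturnValue
    End If
End If
```

Because the failure is recorded rather than masked, the audit output shows which hosts were not covered by this check.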
All times are UTC + 10 hours |