Open-AudIT
https://www.open-audit.org/phpBB3/

Monitor Pull information
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6496
Page 1 of 2

Author:  cburbs [ Fri Jan 22, 2016 9:20 am ]
Post subject:  Monitor Pull information

So I have a monitor report pull which is good for some info but is there a way to do the following.

I have multiple locations setup and had to put in some devices by hand - TVs, Video Cameras, etc.

So for each location I changed the "Device Details" report to include Purchase Amount so that we know location and total cost of items at each location.

Here is where I am looking for help if this is possible. I need each monitor at this location to show up on the report as well as a device with a Purchase amount.

I don't know if this is possible since they don't show up as devices?

Also on a quick side note Monitors hooked up to Surface pro 3 docking station don't show up - anyway to fix this?

Again thanks for all the help!

Author:  Mark [ Sat Jan 23, 2016 7:41 am ]
Post subject:  Re: Monitor Pull information

There's no way to allocate a cost to a monitor (as yet).
Surface Pro - I have no idea. Send me one to play with and I can take a look!
Seriously though, post a dump of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\DISPLAY\ and we'll see if we can parse it.

Author:  cburbs [ Sat Jan 23, 2016 7:56 am ]
Post subject:  Re: Monitor Pull information

Here is the file.

Attachments:
Surface.txt [13.66 KiB]
Downloaded 242 times

Author:  cburbs [ Sat Jan 30, 2016 2:42 am ]
Post subject:  Re: Monitor Pull information

Any luck on this?

Author:  jpa [ Sat Jan 30, 2016 2:24 pm ]
Post subject:  Re: Monitor Pull information

What does the <monitor> section of the audit XML look like for the computer used to get Surface.txt. Just do a "cscript audit_windows.vbs create_file=y" and post the <monitor> section of the resulting file.

Author:  cburbs [ Tue Feb 02, 2016 1:32 am ]
Post subject:  Re: Monitor Pull information

It doesn't bring anything into the XML file but looked like the info was in the other file.

Author:  jpa [ Tue Feb 02, 2016 8:57 am ]
Post subject:  Re: Monitor Pull information

After reviewing the code and your registry export I can see that audit_windows.vbs is skipping the monitors because they don't have a "Control" subkey (line 1882 in audit_windows.) It looks this is used to filter out monitors in the registry that aren't connected.

That's the reason but I don't know of a fix. Maybe just remove the "Control" filter and filter on some other detail?

Author:  cburbs [ Thu Feb 04, 2016 1:23 am ]
Post subject:  Re: Monitor Pull information

Are you talking about the line in here where it has skey3="Control"

for each sKey In arSubKeys
if sKey > "" then
' note - using the above because the key SYSTEM\CurrentControlSet\Enum\DISPLAY\Default_Monitor is not returning nay value for some reason?
sBaseKey2 = sBaseKey & sKey & "\"
iRC2 = oReg.EnumKey(HKEY_LOCAL_MACHINE, sBaseKey2, arSubKeys2)
for each sKey2 In arSubKeys2
oReg.GetMultiStringValue HKEY_LOCAL_MACHINE, sBaseKey2 & sKey2 & "\", "HardwareID", sValue
for tmpctr=0 to ubound(svalue)
if lcase (left(svalue(tmpctr),8))="monitor\" then
sBaseKey3 = sBaseKey2 & sKey2 & "\"
iRC3 = oReg.EnumKey(HKEY_LOCAL_MACHINE, sBaseKey3, arSubKeys3)
for each sKey3 In arSubKeys3
strRawEDID = ""
if skey3="Control" then
oReg.GetStringValue HKEY_LOCAL_MACHINE, sbasekey3, "DeviceDesc", temp_model(intMonitorCount)
oReg.GetStringValue HKEY_LOCAL_MACHINE, sbasekey3, "Mfg", temp_manuf(intMonitorCount)
oReg.GetBinaryValue HKEY_LOCAL_MACHINE, sbasekey3 & "Device Parameters\", "EDID", arrintEDID
if VarType(arrintedid) <> 8204 then
strRawEDID="EDID Not Available"
else
for each bytevalue in arrintedid
strRawEDID=strRawEDID & chr(bytevalue)
next
end if
'redim Preserve strarrRawEDID(intMonitorCount)
strarrRawEDID(intMonitorCount)=strRawEDID
intMonitorCount=intMonitorCount+1
end if
next
end if

Author:  jpa [ Thu Feb 04, 2016 2:43 am ]
Post subject:  Re: Monitor Pull information

Yes. I think this registry key stores all monitors that have ever been connected so we needed a filter. That if statement is used to filter out "monitor" registry keys for monitors that are not connected. This is a poor filter as you've found monitors that are active without this registry key.

Commenting out the 'if' will get you what you want along with a bunch of stuff you do not want. So to really fix the problem we need to find a better way to audit monitors. If you want to see what would happen without the filter you can comment out the if statement. No guarantees on what will happen or what you'll get in your audits.

Code:
   for each sKey In arSubKeys
      if sKey > "" then
         ' note - using the above because the key SYSTEM\CurrentControlSet\Enum\DISPLAY\Default_Monitor is not returning nay value for some reason?
         sBaseKey2 = sBaseKey & sKey & "\"
         iRC2 = oReg.EnumKey(HKEY_LOCAL_MACHINE, sBaseKey2, arSubKeys2)
         for each sKey2 In arSubKeys2
            oReg.GetMultiStringValue HKEY_LOCAL_MACHINE, sBaseKey2 & sKey2 & "\", "HardwareID", sValue
            for tmpctr=0 to ubound(svalue)
               if lcase (left(svalue(tmpctr),8))="monitor\" then
                  sBaseKey3 = sBaseKey2 & sKey2 & "\"
                  iRC3 = oReg.EnumKey(HKEY_LOCAL_MACHINE, sBaseKey3, arSubKeys3)
                  for each sKey3 In arSubKeys3
                     strRawEDID = ""
                     'if skey3="Control" then
                        oReg.GetStringValue HKEY_LOCAL_MACHINE, sbasekey3, "DeviceDesc", temp_model(intMonitorCount)
                        oReg.GetStringValue HKEY_LOCAL_MACHINE, sbasekey3, "Mfg", temp_manuf(intMonitorCount)
                        oReg.GetBinaryValue HKEY_LOCAL_MACHINE, sbasekey3 & "Device Parameters\", "EDID", arrintEDID
                        if VarType(arrintedid) <> 8204 then
                           strRawEDID="EDID Not Available"
                        else
                           for each bytevalue in arrintedid
                              strRawEDID=strRawEDID & chr(bytevalue)
                           next
                        end if
                        'redim Preserve strarrRawEDID(intMonitorCount)
                        strarrRawEDID(intMonitorCount)=strRawEDID
                        intMonitorCount=intMonitorCount+1
                     'end if
                  next
               end if
            next
         next
      end if
   next

Author:  Mark [ Thu Feb 04, 2016 4:19 pm ]
Post subject:  Re: Monitor Pull information

Just looking at this... the Surface Pro is a laptop/tablet thing right? So it has its own built in "monitor". From the registry extract you provided, there is only a Dell 24inch (which looks like it wasn't attached when the registry was dumped) and 4 other "generic" monitors (one of which I assume is the inbuilt display).

I'm assuming the Dell monitor was actually plugged in when you did the registry dump? If so, then I think we're out of luck. There is no "Control" key we can use to detect and nothing else I see there that would act as a substitute. We could hack it so that if we detect we're auditing a Surface Pro, just return all the non generic monitors, but then you'd get a hit on every monitor you have ever plugged in to it - not ideal.

We will not be able to retrieve any details from the inbuilt monitor as it's not a real device (just a generic 'thing').

Author:  cburbs [ Fri Feb 05, 2016 1:24 am ]
Post subject:  Re: Monitor Pull information

I changed the one line from

if skey3="Control" then

to

if skey3="Device Parameters" then

Ran a few tests and it seems to do the job.

It may pull extra items but that works for me. It is more important to see the dual Dell monitors than not.

Thanks again for the assistance since I have been asking alot lately.

Author:  cburbs [ Wed Mar 02, 2016 6:46 am ]
Post subject:  Re: Monitor Pull information

Mark wrote:
There's no way to allocate a cost to a monitor (as yet).
Surface Pro - I have no idea. Send me one to play with and I can take a look!
Seriously though, post a dump of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\DISPLAY\ and we'll see if we can parse it.



Will the monitor allocation happen anytime soon. We consider these an asset item and would like them listed as a device.

Author:  Mark [ Fri Mar 04, 2016 8:48 am ]
Post subject:  Re: Monitor Pull information

It's on the list - but so are other items that users are paying for.
Obviously I work on those first :-)

Author:  cburbs [ Tue Oct 04, 2016 4:23 am ]
Post subject:  Re: Monitor Pull information

Bringing this back up -

Is what I need is the Monitor section pull to be two things.

If OS = Windows 8 or windows 10
Run monitor script but with " if skey3="Device Parameters" then"

Otherwise device is windows 7 so

Run " if skey3="Control" then"

Author:  jpa [ Tue Oct 04, 2016 7:56 am ]
Post subject:  Re: Monitor Pull information

I would just replace the "if skey3="Control" then" test with a build number test where you set the key to test for as appropriate. Build numbers might not do what you want if you're worried about Win7, Server 2008, 8, etc. Check this list to see if 7601 does what you want.

Code:
if windows_build_number > 7601 then
    keyName="Device Parameters"
else
   keyName="Control"
end if
if skey3=keyName then


Not tested. Just typed this into the message box. Hopefully it works.

Page 1 of 2 All times are UTC + 10 hours
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/