Open-AudIT

I have a problem where the bootable flag is always false in the partition section. This fixed the problem. Can anyone verify this?

Change:
[code]Set colItems = objWMIService.ExecQuery("Select * from Win32_DiskPartition WHERE DriveType=3",,48)][/code]
to:
[code]Set colItems = objWMIService.ExecQuery("Select * from Win32_DiskPartition",,48)][/code]

Maybe this was broken while trying to fix the floppy drive noise issue. The key DriveType doesn't exist so it always returns an empty query.

You're right, those key doesn't exist in Win32_DiskPartition and every partition is reported as not bootable. But your fix isn't working for me: the bootable flag is always false and the reported index is always the same (Last Disk #, Last Partition #). Thank you

And the old version of audit.vbs (I tried restoring it now) doesn't list Index, Boot partition, nor Bootable flags at all... (with floppy noise too). There should be something to fix...

I was able to fix all the issues you mentioned. Win32_LogicalDisk depends on Win32_DiskPartition, so I've nested the calls to Win32_LogicalDisk inside the section that calls Win32_DiskPartition. Unfortunately, the fix brings back the floppy drive noise. Maybe someone here can help. Replace the entire "partition information" section with the following code:

[code]
'''''''''''''''''''''''''''
' Partition Information '
'''''''''''''''''''''''''''
comment = "Partition Info"
if verbose = "y" then
wscript.echo comment
end if


On Error Resume Next

Set colItems = objWMIService.ExecQuery("Select * from Win32_DiskPartition",,48)
'Set colItems = objWMIService.ExecQuery("Select * from Win32_DiskPartition WHERE DriveType=3",,48)
For Each objItem in colItems
wscript.echo "objItem:" & objItem
partition_bootable = objItem.Bootable
if ((partition_bootable <> "True") OR isnull(partition_bootable)) then partition_bootable = "False" end if
partition_boot_partition = objItem.BootPartition
if ((partition_boot_partition <> "True") OR isnull(partition_boot_partition)) then partition_boot_partition = "False" end if
partition_device_id = objItem.DeviceID
partition_disk_index = objItem.DiskIndex
partition_index = objItem.Index
partition_primary_partition = objItem.PrimaryPartition
Set colItems2 = objWMIService.ExecQuery("ASSOCIATORS OF {Win32_DiskPartition=""" & partition_device_id & """} WHERE " & "AssocClass = Win32_LogicalDiskToPartition",,48)
for each objItem2 in colItems2
'On Error Resume Next
Set colItems3 = objWMIService.ExecQuery("Select * from Win32_LogicalDisk WHERE DeviceID='" & objItem2.DeviceID & "'" & " AND DriveType='3'",,48)
For Each objItem3 in colItems3
partition_caption = objItem3.Caption
partition_file_system = objItem3.FileSystem
partition_free_space = 0
partition_free_space = int(objItem3.FreeSpace /1024 /1024)
partition_size = 0
partition_size = int(objItem3.Size /1024 /1024)
partition_volume_name = objItem3.VolumeName
partition_percent = 0
partition_percent = round(((partition_size - partition_free_space) / partition_size) * 100 ,0)
form_input = "partition^^^" & partition_bootable & "^^^" & partition_boot_partition & "^^^" _
& partition_device_id & "^^^" & partition_disk_index & "^^^" _
& partition_percent & "^^^" & partition_primary_partition & "^^^" _
& partition_caption & "^^^" & partition_file_system & "^^^" _
& partition_free_space & "^^^" & partition_size & "^^^" _
& partition_volume_name & "^^^"
entry form_input,comment,objTextFile,oAdd,oComment
form_input = ""
Next
next
Next
[/code]


The line that brings back the floppy drive noise is:
[code]Set colItems2 = objWMIService.ExecQuery("ASSOCIATORS OF {Win32_DiskPartition=""" & partition_device_id & """} WHERE " & "AssocClass = Win32_LogicalDiskToPartition",,48)
[/code]

Sorry, but for me it isn't working correctly, even auditing boxes with different HDD configurations (1 drive/1 partition, 1 drive/2 partitions, 3 drives/3 partitions, 1 RAID 5 array/2 partitions).

Try deleting the system from the database and auditing again. I have found that is needed in some cases.

I have rewritten the partition section to list the information correctly and eliminate the floppy seek noise. To see the effect of this code, you may have to first delete the system with incorrect partition information from open-audit. For some reason the Open-Audit database retains the information generated by the original partition code.

Add the following function to the bottom of audit.vbs:

[code]
Function FixPath(ByRef sPathDisk, ByRef sPathPart)
Fixpath = "Win32_LogicalDiskToPartition.Antecedent=" & chr(34) & _
Replace(sPathPart,chr(34), "\" & chr(34)) & chr(34) & "," & _
"Dependent=" & chr(34) & Replace(sPathDisk,chr(34), "\" & _
chr(34)) & chr(34)
End Function
[/code]

Replace the entire partition section in audit.vbs with the following code:

[code]

'''''''''''''''''''''''''''
' Partition Information '
'''''''''''''''''''''''''''
comment = "Partition Info"
if verbose = "y" then
wscript.echo comment
end if

' Get the LogicalDisk's Path
strQueryFields = "DeviceID,Caption,FileSystem,FreeSpace,Size,VolumeName"
Set objEnumLogicalDisk = objWMIService.ExecQuery _
("Select " & strQueryFields & " from Win32_LogicalDisk where DriveType = 3", "WQL", 0)
' Get the DiskPartition's path
strQueryFields = "Bootable,BootPartition,DeviceID,DiskIndex,Index,PrimaryPartition"
Set objEnumDiskPartition = objWMIService.ExecQuery _
("Select " & strQueryFields & " from Win32_DiskPartition", "WQL", 0)
For Each objDiskPartition in objEnumDiskPartition
partition_bootable = objDiskPartition.Bootable
if ((partition_bootable <> "True") OR isnull(partition_bootable)) then partition_bootable = "False" end if
partition_boot_partition = objDiskPartition.BootPartition
if ((partition_boot_partition <> "True") OR isnull(partition_boot_partition)) then partition_boot_partition = "False" end if
partition_device_id = objDiskPartition.DeviceID
partition_disk_index = objDiskPartition.DiskIndex
partition_index = objDiskPartition.Index
partition_primary_partition = objDiskPartition.PrimaryPartition
For Each objLogicalDisk in objEnumLogicalDisk
' This is expected to fail once in a while since we are
' concatonating a possible path to avoid hitting the floppy
On Error Resume Next
' Associate the two sets
Set objLogicalDiskToPartition = objWMIService.Get _
(Fixpath(objLogicalDisk.Path_.relpath,objDiskPartition.path_.relpath), 0)
If Err.Number = 0 Then
'wscript.echo objLogicalDiskToPartition.path_.relpath
splitpath = split(objLogicalDiskToPartition.path_.relpath,"=")
LogicalDisk_DeviceID = ""
LogicalDisk_DeviceID = splitpath(ubound(splitpath))
LogicalDisk_DeviceID = replace(LogicalDisk_DeviceID,"\","")
LogicalDisk_DeviceID = replace(LogicalDisk_DeviceID,"""","")
For Each objItem in objEnumLogicalDisk
If objItem.DeviceID = LogicalDisk_DeviceID Then
partition_caption = objItem.Caption
partition_file_system = objItem.FileSystem
partition_free_space = 0
partition_free_space = int(objItem.FreeSpace /1024 /1024)
partition_size = 0
partition_size = int(objItem.Size /1024 /1024)
partition_volume_name = objItem.VolumeName
partition_percent = 0
partition_percent = round(((partition_size - partition_free_space) / partition_size) * 100 ,0)
form_input = "partition^^^" & partition_bootable & "^^^" & partition_boot_partition & "^^^" _
& partition_device_id & "^^^" & partition_disk_index & "^^^" _
& partition_percent & "^^^" & partition_primary_partition & "^^^" _
& partition_caption & "^^^" & partition_file_system & "^^^" _
& partition_free_space & "^^^" & partition_size & "^^^" _
& partition_volume_name & "^^^"
entry form_input,comment,objTextFile,oAdd,oComment
form_input = ""
Exit For
End If
Next
Else
Err.Clear
End If
On Error Goto 0:
Next
Next
[/code]

Well the above code seems to require admin rights. Does anyone have any ideas about how to get around the permission limitation?

For now, I've disabled the Win32_DiskPartition section, since it can't be properly associated to Win32_LogicalDisk without admin rights.

[code]
' On Error Resume Next
' Set colItems = objWMIService.ExecQuery("Select * from Win32_DiskPartition",,48)
' For Each objItem in colItems
' partition_bootable = objItem.Bootable
' if ((partition_bootable <> "True") OR isnull(partition_bootable)) then partition_bootable = "False" end if
' partition_boot_partition = objItem.BootPartition
' if ((partition_boot_partition <> "True") OR isnull(partition_boot_partition)) then partition_boot_partition = "False" end if
' partition_device_id = objItem.DeviceID
' partition_disk_index = objItem.DiskIndex
' partition_index = objItem.Index
' partition_primary_partition = objItem.PrimaryPartition
' Next

[/code]

I deleted previous audits from DB, but your code works fine only on a RAID 5 array with 2 partitions. On other systems, it lists correct partition info but it doesn't update boot flags (always false).
About admin rights, what's the problem running the script with admin privileges on the machine to audit? Correct me if it's wrong, but I think it should be a must or WMI doesn't get you connected to the local/remote machine to gather info.

I'm running it at logon, so it needs to run as a regular user. The existing code runs fine that way.

Change the code to echo form_input.

[code]
entry form_input,comment,objTextFile,oAdd,oComment
wscript.echo form_input
form_input = ""
[/code]

This will let you see the information before it's posted. Is it correct there? Can you post the output?

These are the hard drive and partition info from an offline audit of a Windows server with a RAID 1 array and 2 partitions (C: bootable):

harddrive^^^\\.\PHYSICALDRIVE0^^^0^^^SCSI^^^MYLEX^^^^^^2^^^3^^^0^^^1^^^8675^^^^^^
partition^^^False^^^False^^^Disk #0, Partition #0^^^0^^^58^^^Vero^^^C:^^^NTFS^^^862^^^2047^^^^^^
partition^^^False^^^False^^^Disk #0, Partition #1^^^0^^^69^^^Falso^^^D:^^^NTFS^^^2045^^^6628^^^^^^

partition_bootable & partition_boot_partition flags are false...

Using WMI object browser, are these set correctly?

Is this hardware RAID?

From a WMI browser, related to the previously audited machine:
Disk #0, Partition #0 --> Bootable=True, BootPartition=True
Disk #0, Partition #1 --> Bootable=Null, BootPartition=False

Yes, it's a hardware RAID 1 array.

Other machines (no RAID) have also other partitions bootable and wmi browser reports them in the correct way (Bootable=True, BootPartition=True), but OA doesn't.

jpmorgan,
I fixed the issue with the following changes to your code (please, check if it's OK for you too):

if (isnull(partition_bootable)) then partition_bootable = "False" end if

instead of

if ((partition_bootable <> "True") OR isnull(partition_bootable)) then partition_bootable = "False" end if

and

if (isnull(partition_boot_partition)) then partition_boot_partition = "False" end if

instead of

if ((partition_boot_partition <> "True") OR isnull(partition_boot_partition)) then partition_boot_partition = "False" end if

Now, boot flags are correctly reported.
The only thing could be enhanced is that, when there is a partition without assigned caption/drive letter (i.e. a recovery partition), it's correctly enumerated into the Fixed Disks section (Partitions #) from Win32_DiskDrive.Partitions, but it's not listed in Partitions section (Win32_LogicalDisk can't find it).

Unless this code can be modified to work as a regular user, it isn't of use to me. The audit.vbs script reports information correctly as a regular user. This particular code only seems to work for administrators. I wouldn't want it included in the SVN audit.vbs. You can try the following code to address the issue with the unlisted partitions. It relocates the form_input statement so that partitions without logical drives are reported. Maybe we can figure a way to get this to run without admin rights. It seems any time you query Win32_LogicalDiskToPartition it requires admin rights.

[code]

'''''''''''''''''''''''''''
' Partition Information '
'''''''''''''''''''''''''''
comment = "Partition Info"
if verbose = "y" then
wscript.echo comment
end if

' Get the LogicalDisk's Path
strQueryFields = "DeviceID,Caption,FileSystem,FreeSpace,Size,VolumeName"
Set objEnumLogicalDisk = objWMIService.ExecQuery _
("Select " & strQueryFields & " from Win32_LogicalDisk where DriveType = 3", "WQL", 0)
' Get the DiskPartition's path
strQueryFields = "Bootable,BootPartition,DeviceID,DiskIndex,Index,PrimaryPartition"
Set objEnumDiskPartition = objWMIService.ExecQuery _
("Select " & strQueryFields & " from Win32_DiskPartition", "WQL", 0)
For Each objDiskPartition in objEnumDiskPartition
partition_bootable = objDiskPartition.Bootable
if ((partition_bootable <> "True") OR isnull(partition_bootable)) then partition_bootable = "False" end if
partition_boot_partition = objDiskPartition.BootPartition
if ((partition_boot_partition <> "True") OR isnull(partition_boot_partition)) then partition_boot_partition = "False" end if
partition_device_id = objDiskPartition.DeviceID
partition_disk_index = objDiskPartition.DiskIndex
partition_index = objDiskPartition.Index
partition_primary_partition = objDiskPartition.PrimaryPartition
For Each objLogicalDisk in objEnumLogicalDisk
' This is expected to fail once in a while since we are
' concatonating a possible path to avoid hitting the floppy
On Error Resume Next
' Associate the two sets
Set objLogicalDiskToPartition = objWMIService.Get _
(Fixpath(objLogicalDisk.Path_.relpath,objDiskPartition.path_.relpath), 0)
If Err.Number = 0 Then
'wscript.echo objLogicalDiskToPartition.path_.relpath
splitpath = split(objLogicalDiskToPartition.path_.relpath,"=")
LogicalDisk_DeviceID = ""
LogicalDisk_DeviceID = splitpath(ubound(splitpath))
LogicalDisk_DeviceID = replace(LogicalDisk_DeviceID,"\","")
LogicalDisk_DeviceID = replace(LogicalDisk_DeviceID,"""","")
For Each objItem in objEnumLogicalDisk
If objItem.DeviceID = LogicalDisk_DeviceID Then
partition_caption = objItem.Caption
partition_file_system = objItem.FileSystem
partition_free_space = 0
partition_free_space = int(objItem.FreeSpace /1024 /1024)
partition_size = 0
partition_size = int(objItem.Size /1024 /1024)
partition_volume_name = objItem.VolumeName
partition_percent = 0
partition_percent = round(((partition_size - partition_free_space) / partition_size) * 100 ,0)
Exit For
Else
partition_caption = ""
partition_file_system = ""
partition_free_space = 0
partition_size = 0
partition_volume_name = ""
partition_percent = 0
End If
Next
Else
Err.Clear
End If
On Error Goto 0:
Next
form_input = "partition^^^" & partition_bootable & "^^^" & partition_boot_partition & "^^^" _
& partition_device_id & "^^^" & partition_disk_index & "^^^" _
& partition_percent & "^^^" & partition_primary_partition & "^^^" _
& partition_caption & "^^^" & partition_file_system & "^^^" _
& partition_free_space & "^^^" & partition_size & "^^^" _
& partition_volume_name & "^^^"
entry form_input,comment,objTextFile,oAdd,oComment
form_input = ""
Next[/code]