Open-AudIT
https://www.open-audit.org/phpBB3/

Software name bug and proposed fix
https://www.open-audit.org/phpBB3/viewtopic.php?f=8&t=3436

Author:  NickBrown [ Fri Oct 02, 2009 4:38 am ]
Post subject:  Software name bug and proposed fix

I looked into a long-standing bug this week which I know others have reported - audited software with garbled names (see attachment). In all instances that I have come across the offending package is a component of Office 2007. There is something peculiar about the way that the "Displayname" registry value has been written to. In regedit all appears normal - the value is an empty string (REG_SZ). However, the WMI registry read method returns it as garbage. If you edit the string in regedit and save it back as an empty string the problem disappears.

The WshShell regread method behaves differently, but still unusually - it returns the value as the regkey path you're reading. So if you're reading "HKLM\blah1\blah2" the string value returned is "HKLM\blah1\blah2" - not correct but useable. So I'm proposing replacing lines 2516 to 2519:
[code]
newpath = strKeyPath & "\" & subkey
newkey = "DisplayName"
oReg.GetStringValue HKEY_LOCAL_MACHINE, newpath, newkey, strValue
if strValue <> "" then
[/code]
with:
[code]
newpath = strKeyPath & "\" & subkey
newkey = "DisplayName"
strValue = ""
' Read DisplayName through WshShell instead of the WMI StdRegProv object
sRegPath = "HKEY_LOCAL_MACHINE\" & newpath & "\" & newkey
strValue = oShell.Regread(sRegPath)
' Skip empty values and values where RegRead echoed back the path being read
If ((Len(strValue) > 0) And (strValue <> sRegPath)) Then
[/code]
Essentially ignoring entries where the returned value is the same as the reg key path being queried. Using this has cleaned up my database.

An example of a registry key that generates this issue is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{46C11E04-07E0-4D1A-96AF-FBFAAA0150CF}

Attachments:
oa-software.png

Author:  Chad [ Sun Oct 04, 2009 10:06 am ]
Post subject:  Re: Software name bug and proposed fix

Nice find :) For what it's worth, that change cleared up my DB as well.

Author:  jbsclm [ Tue Oct 27, 2009 6:20 am ]
Post subject:  Re: Software name bug and proposed fix

It looks like something is not quite right with this fix; I seem to have lost most of my software. With the amended code I only had 40 items; with the original WMI read I get 113, including Office 2007, which the WshShell version doesn't seem to find at all.
I did some investigation into this a while ago; the % character that appears is actually a non-printable character that has been stored in the database.
I was trying to fix it by ignoring the data containing non printable characters, but ran out of time.
I will see if I can have another look.

Author:  jpa [ Fri Jan 22, 2010 5:05 am ]
Post subject:  Re: Software name bug and proposed fix

This change cleaned up my database without losing valid entries. Based on jbsclm's reservations I compared the GetStringValue and RegRead methods and the only differences were in the entries with junk registry info.

Author:  jpa [ Sat Jan 23, 2010 10:30 am ]
Post subject:  Re: Software name bug and proposed fix

I was a bit premature on the "no problems" bit of the previous post. So jbsclm's problems are not unique.

In further testing I've found that running the audit.vbs script directly on the host returns the correct number of entries. When performing a domain audit from a management machine some entries are missing. I'll need to look a bit deeper for the cause.

Author:  jpa [ Sat Jan 23, 2010 11:02 am ]
Post subject:  Re: Software name bug and proposed fix

So Wsh.Regread only works locally. Kind of obvious when you think about it. Which I obviously didn't. When performing a domain audit with this workaround you'll only get the software which exists on both the audited computer and the computer doing the auditing. It does work when performing an audit from the machine you'd like to audit.

Author:  jpa [ Tue Jan 26, 2010 5:41 am ]
Post subject:  Re: Software name bug and proposed fix

[quote="NickBrown"]There is something peculiar about the way that the "Displayname" registry value has been written to. In regedit all appears normal - the value is an empty string (REG_SZ).[/quote]
It turns out the value is not an empty string but NULL. So GetStringValue is expecting a string and doesn't find one so it outputs garbage. I don't think it's possible using StdRegProv to detect this. The WshRegread method is more tolerant of the bad registry values.

At this point it's probably easier to fix the NULL registry entries than it is to fix the auditing script.

Author:  NickBrown [ Fri Sep 28, 2012 6:21 pm ]
Post subject:  Re: Software name bug and proposed fix

An old topic I know, but this issue has reared its head on another project I'm working on and I came across this while investigating:

"Problem: WMI StdRegProv Class can return junk characters when using the GetStringValue on windows 2003/XP/Vista and Windows 2008"
http://blogs.msdn.com/b/dsadsi/archive/ ... -2008.aspx

Cheers, Nick.
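
An added example, not part of the thread and not Open-AudIT's own code: a sketch of the filter jbsclm describes, which keeps the WMI StdRegProv read (so it still works for remote audits, unlike WshShell.RegRead) and drops DisplayName values containing non-printable characters. The names IsCleanName and GetDisplayNames are hypothetical, and the check assumes the junk includes control characters as reported above; junk made only of printable characters would still pass.

```vbscript
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const UNINSTALL_KEY = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

' True when s is a non-empty string with no control characters.
' AscW returns a signed Integer, so characters above &H7FFF come back
' negative; masking with &HFFFF& restores the unsigned code unit and
' stops legitimate non-Latin names from being rejected.
Function IsCleanName(s)
    Dim i, code
    IsCleanName = False
    If IsNull(s) Then Exit Function
    If Len(Trim(s)) = 0 Then Exit Function
    For i = 1 To Len(s)
        code = AscW(Mid(s, i, 1)) And &HFFFF&
        If code < 32 Or code = 127 Then Exit Function
    Next
    IsCleanName = True
End Function

' Returns a Dictionary of uninstall subkey -> DisplayName for strComputer
' ("." for the local machine), skipping values that fail IsCleanName.
Function GetDisplayNames(strComputer)
    Dim oReg, arrSubKeys, subkey, strValue, rc, result
    Set result = CreateObject("Scripting.Dictionary")
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                         strComputer & "\root\default:StdRegProv")
    rc = oReg.EnumKey(HKEY_LOCAL_MACHINE, UNINSTALL_KEY, arrSubKeys)
    If rc = 0 And IsArray(arrSubKeys) Then
        For Each subkey In arrSubKeys
            strValue = ""
            rc = oReg.GetStringValue(HKEY_LOCAL_MACHINE, _
                                     UNINSTALL_KEY & "\" & subkey, _
                                     "DisplayName", strValue)
            ' VBScript's And does not short-circuit, so nest the checks.
            If rc = 0 Then
                If IsCleanName(strValue) Then result(subkey) = strValue
            End If
        Next
    End If
    Set GetDisplayNames = result
End Function

Dim names, k
Set names = GetDisplayNames(".")
For Each k In names.Keys
    WScript.Echo k & " = " & names(k)
Next
```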

All times are UTC + 10 hours