Registrations to Open-AudIT forums are now closed. To ask any new questions please visit Opmantek Community Questions.

Open-AudIT

What's on your network?
It is currently Fri Mar 29, 2024 1:43 am

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 8 posts ] 
Author Message
PostPosted: Fri Oct 02, 2009 4:38 am 
Offline
Contributor

Joined: Fri Jul 28, 2006 6:30 am
Posts: 157
Location: London
I looked into a long standing bug this week which I know others have reported - audited software with garbled names (see attachment). In all instances that I have come across the offending package is a component of Office 2007. There is something peculiar about the way that the "Displayname" registry value has been written to. In regedit all appears normal - the value is an empty string (REG_SZ). However, the WMI registry read method returns it as garbage. If you edit the string in regedit and save it back as an empty string the problem disappears.

The WshShell regread method behaves differently, but still unusually - it returns the value as the regkey path you're reading. So if you're reading "HKLM\blah1\blah2" the string value returned is "HKLM\blah1\blah2" - not correct but useable. So I'm proposing replacing lines 2516 to 2519:
[code] newpath = strKeyPath & "\" & subkey
newkey = "DisplayName"
oReg.GetStringValue HKEY_LOCAL_MACHINE, newpath, newkey, strValue
if strValue <> "" then
[/code]
with:
[code] newpath = strKeyPath & "\" & subkey
newkey = "DisplayName"
strValue = ""
sRegPath = "HKEY_LOCAL_MACHINE\" & newpath & "\" & newkey
strValue = oShell.Regread(sRegPath)
If ((len(strValue)>0) And (strValue<>sRegPath))then
[/code]
Essentially ignoring entries where the returned value is the same as the reg key path being queried. using this has cleaned up my database.

An example of a registry key that generates this issue is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{46C11E04-07E0-4D1A-96AF-FBFAAA0150CF}


Attachments:
oa-software.png
oa-software.png [ 17.9 KiB | Viewed 17150 times ]

_________________
Cheers, Nick.

[size=85]OA Server: Windows Server 2003 / Apache 2
Auditing: 1600 Workstations, 200 Servers
OS's: Windows XP / Windows 2000 / Windows 2003 Server / Windows Vista
LDAP: Active Directory[/size]
Top
 Profile  
Reply with quote  
PostPosted: Sun Oct 04, 2009 10:06 am 
Offline
Contributor

Joined: Fri Jul 04, 2008 6:46 am
Posts: 153
Location: USA - WI
Nice find :) For what it's worth, that change cleared up my DB as well.

_________________
OA Server: Debian Squeeze w/ Apache2
Auditing: 700 Workstations, 250 or so Retail Terminals, about 75 Servers
OS's: Windows XP/2003/2008/2008 R2/Vista/7, Debian
LDAP: Active Directory 2008 R2


Top
 Profile  
Reply with quote  
PostPosted: Tue Oct 27, 2009 6:20 am 
It looks like something is not quite right with this fix, I seem to have lost most of my software, with the amended code I only had 40 items, with the original WMI read I get 113, including office 2007 which the WshShell version doesn't seem to find at all.
I did some investigation into this a while ago, the % character that appears is actually a non printable character that has been stored the the database.
I was trying to fix it by ignoring the data containing non printable characters, but ran out of time.
I will see if I can have another look.


Top
  
Reply with quote  
PostPosted: Fri Jan 22, 2010 5:05 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
This change cleaned up my database without losing valid entries. Based on jbsclm's reservations I compared the GetStringValue and RegRead methods and the only differences were in the entries with junk registry info.


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 23, 2010 10:30 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
I was a bit premature on the "no problems" bit of the previous post. So jbsclm's problems are not unique.

In further testing I've found that running the audit.vbs script directly on the host returns the correct number of entries. When performing a domain audit from a management machine some entries are missing. I'll need to look a bit deeper for the cause.


Top
 Profile  
Reply with quote  
PostPosted: Sat Jan 23, 2010 11:02 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
So Wsh.Regread only works locally. Kind of obvious when you think about it. Which I obviously didn't. When performing a domain audit with this workaround you'll only get the software which exists on both the audited computer and the computer doing the auditing. It does work when performing an audit from the machine you'd like to audit.


Top
 Profile  
Reply with quote  
PostPosted: Tue Jan 26, 2010 5:41 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
[quote="NickBrown"]There is something peculiar about the way that the "Displayname" registry value has been written to. In regedit all appears normal - the value is an empty string (REG_SZ).

It turns out the value is not an empty string but NULL. So GetStringValue is expecting a string and doesn't find one so it outputs garbage. I don't think it's possible using StdRegProv to detect this. The WshRegread method is more tolerant of the bad registry values.

At this point it's probably easier to fix the NULL registry entries than it is to fix the auditing script.

Top
 Profile  
Reply with quote  
PostPosted: Fri Sep 28, 2012 6:21 pm 
Offline
Contributor

Joined: Fri Jul 28, 2006 6:30 am
Posts: 157
Location: London
An old topic I know, but this issue has this has reared it's head on another project I'm working on and I came across this while investigating:

"Problem: WMI StdRegProv Class can return junk characters when using the GetStringValue on windows 2003/XP/Vista and Windows 2008"
http://blogs.msdn.com/b/dsadsi/archive/ ... -2008.aspx

Cheers, Nick.

_________________
Cheers, Nick.

[size=85]OA Server: Windows Server 2003 / Apache 2
Auditing: 1600 Workstations, 200 Servers
OS's: Windows XP / Windows 2000 / Windows 2003 Server / Windows Vista
LDAP: Active Directory[/size]


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 8 posts ] 

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group