We recently faced the problem of auditing Microsoft patch compliance on systems that do not have File and Print Sharing installed. Most enterprise patch compliance tools, including Shavlik and MBSA, use F/P sharing to connect and query the registry for installed patches. An interesting way to get around this problem is WMI scripting. Using WMI, you can connect to a remote machine, provide alternate credentials, and pull system information, all without having access to F/P sharing. Additionally, all Windows hosts can natively run WMI scripts so it doesn’t require the installation of any additional libraries or frameworks.
I put together a number of scripts using WMI to pull different types of system information. The first difficulty came in feeding the target computer and credentials to the script. The following script excerpt prompts the user for the host and authentication information.
‘Get target host and credentials
Wscript.StdOut.Write “Please enter target host:”
strComputer = Wscript.StdIn.ReadLine
Wscript.StdOut.Write “Please enter your user name:”
strUser = Wscript.StdIn.ReadLine
Set objPassword = CreateObject(“ScriptPW.Password”)
Wscript.StdOut.Write “Please enter your password:”
strPassword = objPassword.GetPassword()
The second sticking point was that we needed to use local authentication for the hosts. As such, we needed a way to dynamically assign the hostname as the domain for the credentials. Alternatively, if you are using domain credentials, you would simply replace “strComputer” with the domain name.
strDomain = strComputer
After that, it’s just a matter of choosing what values to pull from the registry. I developed three scripts to pull three different sets of information that I thought would be helpful.
The first script addresses the original reason for the WMI scripts, monitoring patch compliance. It pulls a list of installed MS patches from the host, including the KB number. The full script can be found here.
The second script was an extension of patch and vulnerability monitoring and pulls a list of all applications installed on the host, including version numbers. This information can be useful if a new vulnerability is discovered for a non-MS application that may be installed in your environment and you do not have a robust application patching procedure. The full script can be found here.
The final script I created was designed to be used for incident response. It pulls a list of all services on a host, including the service name and full path of the executable. This provides a quick and free way to pull services from a machine that may be infected. The full script can be found here.
All of the scripts output the results to a tab-separated text file that incorporates the script name and target hostname into the filename for easy identification.
There are many other applications that WMI scripting can be used for, but I will not cover them all here. If you have any questions or want additional detail or examples, leave a comment.
Comments