I created a monitor using the canned script: “Software installed or uninstalled”. I wanted to see if any new software was installed or uninstalled on any of my nodes.
Unfortunately, this script doesn’t work. And I figured out why.
The script seems to export a list of installed software on the first run.
on subsequent runs, it exports again and compares to the export of previous runs.
This has 2 negative effects:
1.) On the first run, it will always generate a false positive alert that new software has been installed.
2.) Because the comparison goes line by line instead of app by app, it will compare one app to another app from the previous files previous line number. therefore it will tall yu that one app “updated” to a new “version” or another app.
Ex:
"Endpoint Manager Communication Client 6.27.25138.19040
has Updated to Stamps.com Web Postage Plug-in 1.2.0.99
Java Auto Updater 2.8.201.9
Lower version is replaced with Intel(R) Chipset Device Software 10.1.17541.8066
Intel(R) Chipset Device Software 10.1.17541.8066
has Updated to Realtek Card Reader 10.0.17763.31244
Realtek Card Reader 10.0.17763.31244
Lower version is replaced with Google Update Helper 1.3.34.11
Google Update Helper 1.3.34.7
has Updated to Intel(R) Trusted Connect Services Client 1.48.197.0"
Here is the original ITArian canned script code:
=========================================
import os,sys,_winreg,re,socket,difflib,filecmp
workdir=os.environ[‘PROGRAMDATA’]+r’\c1_temp’
if not os.path.isdir(workdir):
os.mkdir(workdir)
path=“C:\ProgramData\c1_temp\Installed.txt”
path2=“C:\ProgramData\c1_temp\Installed2.txt”
fnd=0
fnd1=0
val=0
val1=0
def alert(arg):
sys.stderr.write("%d%d%d" % (arg, arg, arg))
def files():
file_name = “Installed.txt”
cur_dir = “C:\ProgramData\c1_temp”
file_list = os.listdir(cur_dir)
parent_dir = os.path.dirname(cur_dir)
if file_name in file_list:
global fnd
fnd=1
else:
print “File not found”
global fnd1
fnd1=1
def collectprograms(rtkey,pK,kA):
import _winreg
import os
list=[]
store=[]
oK=_winreg.OpenKey(rtkey,pK,0,kA)
i=0
if fnd==1:
File2=open(path2,“a+”)
elif fnd1==1:
File1=open(path,“a+”)
while True:
try:
bkey=_winreg.EnumKey(oK,i)
vkey=os.path.join(pK,bkey)
oK1=_winreg.OpenKey(rtkey,vkey,0,kA)
try:
DN,bla=_winreg.QueryValueEx(oK1,‘DisplayName’)
DV,bla=_winreg.QueryValueEx(oK1,‘DisplayVersion’)
inlist=[DN.strip(), DV.strip()]
if inlist[1]==“None”:
gh=0
else:
if fnd==1:
File2.write(inlist[0]+" “+inlist[1]+”
“)
elif fnd1==1:
File1.write(inlist[0]+” “+inlist[1]+”
")
except:
pass
i+=1
except:
break
_winreg.CloseKey(oK)
def swchanges():
list1=[]
ale=0
v=filecmp.cmp(path,path2)
if False==0:
with open(path) as file:
data=file.read()
with open(path2) as file:
data2=file.read()
text1Lines = data.splitlines(1)
text2Lines = data2.splitlines(1)
diffInstance = difflib.Differ()
diffList = list(diffInstance.compare(text2Lines, text1Lines))
for line in diffList:
if line[0] == ‘-’:
print “Installed softwares are :”
list1.append(line)
print line
ale=ale+1
diffList = list(diffInstance.compare(text1Lines, text2Lines))
for line in diffList:
if line[0] == ‘-’:
print “Uninstalled softwares are :”
print line
list1.append(line)
ale=ale+1
if v==True:
print "No changes in Softwares at end point "
if len(text1Lines)==len(text2Lines):
count=1
for i in range(0,len(text2Lines)):
v=cmp(text1Lines[i],text2Lines[i])
if v==0:
continue
elif v==1:
print text1Lines[i]+ " Lower version is replaced with “+text2Lines[i]
elif v== -1:
print text1Lines[i]+” has Updated to "+text2Lines[i]
k=[]
for i in list1:
j = i.replace(’- ‘,’’)
k.append(j)
for i in text1Lines:
for j in k:
if i==j:
text1Lines.remove(i)
for i in text2Lines:
for j in k:
if i==j:
text2Lines.remove(i)
if len(text1Lines)==len(text2Lines):
count=1
for i in range(0,len(text2Lines)):
v=cmp(text1Lines[i],text2Lines[i])
if v==0:
continue
elif v==1:
print text1Lines[i]+ " Lower version is replaced with "+text2Lines[i]
elif v== -1:
print text1Lines[i]+"Updated to "+text2Lines[i]
if ale>0:
alert(1)
else:
alert(0)
def programsinstalled():
print"
"
uninstallkey=‘SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall’
if ‘PROGRAMFILES(X86)’ in os.environ.keys():
rklist=[(_winreg.HKEY_LOCAL_MACHINE,uninstallkey,_winreg.KEY_WOW64_32KEY | _winreg.KEY_READ),
(_winreg.HKEY_LOCAL_MACHINE,uninstallkey,_winreg.KEY_WOW64_64KEY | _winreg.KEY_READ),
(_winreg.HKEY_CURRENT_USER,uninstallkey,_winreg.KEY_WOW64_32KEY | _winreg.KEY_READ),
(_winreg.HKEY_CURRENT_USER,uninstallkey,_winreg.KEY_WOW64_64KEY | _winreg.KEY_READ)]
else:
rklist=[(_winreg.HKEY_LOCAL_MACHINE,uninstallkey,_winreg.KEY_READ),
(_winreg.HKEY_CURRENT_USER,uninstallkey,_winreg.KEY_READ)]
collected=’’
uninstalled=’’
error=’’
blacklisted=’’
hasnoss=[]
ic=0
uc=0
ec=0
for i in rklist:
col=collectprograms(i[0], i[1], i[2])
name=os.environ[‘username’]
print 'PC-NAME : '+name
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect((“8.8.8.8”, 80))
print "IP-ADDRESS : " + (s.getsockname()[0])