NiVZ Posted July 28, 2010 (edited)

Hello,

We image our PCs to a standard image and then run a 'postbuild' script to install software. The postbuild script and the install packages are held on a remote server which must be authenticated against. The postbuild script is always run as local administrator.

What I'm trying to do is catch the username credentials from the security log of the server and add this to the registry (so we can identify who built each PC).

I do have this working, but it's taking around 30 seconds to 5 minutes to scan the logs. I just wondered if anyone could help me speed up this WMI query:

```autoit
Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND TimeWritten >= '" & $objSWbemDateTime.Value & "' AND EventCode = 540 AND Message LIKE '%" & "10.30.3.64" & "%'" , "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly
```

I would normally use a function like MAX but WMI doesn't seem to like this.

Here is the code I'm using:

```autoit
; WMI Constants
Const $wbemFlagForwardOnly = 0x20
Const $wbemFlagReturnImmediately = 0x10

$RecordNo = 0

; Put server name below
$strComputer = 'server'

; Create a Date object for WMI Query
$objSWbemDateTime = ObjCreate("WbemScripting.SWbemDateTime")
$objSWbemDateTime.SetVarDate(@MDAY & "/" & @MON & "/" & @YEAR, True)

; Variable to hold username and date of Postbuild
$Username = "Unknown"
$PostbuildDate = ObjCreate("WbemScripting.SWbemDateTime")
$PostBuildDate.SetVarDate('01/01/1970')

$objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & $strComputer & "\root\CIMV2") ; WMI Autoit Note must use {(Security)} for Security logs
$colItems = $objWMIService.ExecQuery("Select * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND TimeWritten >= '" & $objSWbemDateTime.Value & "' AND EventCode = 540 AND Message LIKE '%" & @IPAddress1 & "%'" , "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

;$i = 0
For $obj in $colItems
    ;ConsoleWrite("*** " & $i & " ***" & @CRLF)
    ;ConsoleWrite($obj.TimeWritten & @CRLF)
    ;ConsoleWrite($obj.RecordNumber & @CRLF)
    ;ConsoleWrite($obj.Message & @CRLF)
    ;ConsoleWrite($obj.User & @CRLF)
    ;ConsoleWrite(@CRLF)
    If $obj.RecordNumber > $RecordNo Then
        $RecordNo = $obj.RecordNumber
        $Pattern = 'User Name:' & @TAB & '(.*?)' & @CR
        $TempUsername = StringRegExp($obj.Message, $Pattern, 1)
        ; StringRegExp sets @error and returns no array when the pattern does not match
        If @error Then ContinueLoop
        ;_ArrayDisplay($Username)
        If StringStripWS($TempUsername[0], 8) <> "" Then
            $Username = $TempUsername[0]
            $PostbuildDate.Value = $obj.TimeWritten
        EndIf
    EndIf
    ;$i += 1
Next

; Extract the Date
$PostBuildDate = $PostbuildDate.GetVarDate(False)

; Sort out the date
If $PostBuildDate = '19700101000000' Then
    ; If date wasn't found set to unknown
    $PostbuildDate = "Unknown"
Else
    ; Format the date
    $PostBuildDate = StringMid($PostbuildDate, 7, 2) & "/" & StringMid($PostbuildDate, 5, 2) & "/" & StringLeft($PostbuildDate, 4) & " " & StringMid($PostbuildDate, 9, 2) & ":" & StringMid($PostbuildDate, 11, 2) & ":" & StringMid($PostbuildDate, 13, 2)
EndIf

; Show the output
ConsoleWrite("Postbuild By: " & $Username & @CRLF)
ConsoleWrite("Postbuild Date: " & $PostbuildDate & @CRLF)
```

Thanks,

NiVZ

Edited July 28, 2010 by NiVZ
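
An added example, not code from the thread: it contrasts the query's `Message LIKE '%<ip>%'` substring test with an exact comparison on the parsed address field, since a substring test for one address also accepts events from any longer address that begins with it. The events are constructed samples, and the `Source Network Address` label, the helper names and the sample values are assumptions.

```autoit
; Added example, not code from the thread. Events are constructed samples;
; the "Source Network Address" label is an assumed event 540 field name.

; Value of "<label>:" when it starts a line of the message, else "".
; Matching at the line start keeps "User Name" apart from "Caller User Name".
Func _EventField($sMessage, $sLabel)
    Local $aLines = StringSplit(StringStripCR($sMessage), @LF)
    For $n = 1 To $aLines[0]
        Local $sLine = StringStripWS($aLines[$n], 3)
        If StringLeft($sLine, StringLen($sLabel) + 1) = $sLabel & ":" Then
            Return StringStripWS(StringTrimLeft($sLine, StringLen($sLabel) + 1), 3)
        EndIf
    Next
    Return ""
EndFunc

; Build a constructed event 540 message body.
Func _SampleMessage($sUser, $sAddress)
    Return "Successful Network Logon:" & @CRLF & _
            @TAB & "User Name:" & @TAB & $sUser & @CRLF & _
            @TAB & "Caller User Name:" & @TAB & "-" & @CRLF & _
            @TAB & "Source Network Address:" & @TAB & $sAddress & @CRLF
EndFunc

; Constructed events: record number, user name, source address.
Global $aEvents[3][3] = [[101, "alice", "10.30.3.6"], [102, "bob", "10.30.3.64"], [103, "", "10.30.3.6"]]
Global $sClientIP = "10.30.3.6" ; address of the PC being built (constructed)
Global $sLikeUser = "Unknown", $iLikeRec = 0
Global $sExactUser = "Unknown", $iExactRec = 0

For $i = 0 To UBound($aEvents) - 1
    $sMsg = _SampleMessage($aEvents[$i][1], $aEvents[$i][2])
    $sUser = _EventField($sMsg, "User Name")
    If $sUser == "" Then ContinueLoop ; skip blank user names, as the script does
    ; Substring test, the equivalent of Message LIKE '%<ip>%'.
    If StringInStr($sMsg, $sClientIP) And $aEvents[$i][0] > $iLikeRec Then
        $iLikeRec = $aEvents[$i][0]
        $sLikeUser = $sUser
    EndIf
    ; Exact comparison against the parsed address field.
    If _EventField($sMsg, "Source Network Address") == $sClientIP And $aEvents[$i][0] > $iExactRec Then
        $iExactRec = $aEvents[$i][0]
        $sExactUser = $sUser
    EndIf
Next

ConsoleWrite("Substring match: " & $sLikeUser & " (record " & $iLikeRec & ")" & @CRLF)
ConsoleWrite("Exact match:     " & $sExactUser & " (record " & $iExactRec & ")" & @CRLF)
```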

PsaltyDS Posted July 28, 2010

You might simplify your life by looking at _Net_Share_SessionEnum() in the help file.

Valuater's AutoIt 1-2-3, Class... Is now in Session!
For those who want somebody to write the script for them: RentACoder
"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

NiVZ Posted July 29, 2010 (edited)

> You might simplify your life by looking at _Net_Share_SessionEnum() in the help file.

Thanks PsaltyDS,

That function is a lot easier and much quicker, but I'm getting mixed results. I compiled the example provided in the help and copied it to the postbuild directory on the server and asked a few people to test by entering the UNC path, \\server\postbuild and then double click the .exe.

Most people got the correct result with their ComputerName and UserName returned, but a few people got no entries returned.

Any ideas? I tried changing @ComputerName for @IPAddress1 but still got the same results.

Thanks,

NiVZ

Edited July 29, 2010 by NiVZ

PsaltyDS Posted July 29, 2010

From the help file under _Net_Share_SessionEnum():

> Remarks
> Only members of the Administrators or Server Operators local group can execute this function

Those required perms are on the target machine (your server).

NiVZ Posted July 30, 2010

Hi PsaltyDS,

I'm 99% sure everyone who ran the program has admin rights on the server. The only other factor is that I compiled on a Windows 7 machine and it seems to be the Windows 7 users that work (but could be coincidence).

Thanks,

NiVZ