Workstation and User Auditing the Simple Way

Novell Cool Solutions: Trench
By Andrew White


Posted: 15 Jul 2004

Note: An alert reader sent in this little heads up for those of you who wish to use Andrew's Cool Solution. Feedback: Andrew White's solution is nice, but PSInfo is not licensed for free use when run from a file server. I nearly got burned bad by that one once. See http://www.sysinternals.com/licensing.shtml

I've seen a few requests on forums recently from people asking the best way to do some basic workstation or user auditing, so I thought I'd share my solution here. I'm also on a quest to get all 8 colours of t-shirts ;-)

Being at a college, I'm often asked by lecturers to tell them who was the last user on a certain PC or what the usage stats for a particular lab have been. I started thinking that not only would it be good for our helpdesk to hold such information, but if we could do a workstation audit at the same time then the information would have some real use.

So I started looking round for free tools (hey, I'm a college, even free is too expensive) that would help and I wrote a batch file that each user calls from their container login script. (I must point out that all PCs here are Windows 2000 so this won't work for W9x users.)

The batch file uses two free utilities.

  1. Firstly, it uses HFNetChk from Shavlik, which is a command line tool that scans a Windows workstation or server and reports on any outstanding OS patches.
  2. Secondly, I use PSInfo from SysInternals, which is also a command line utility that scans a Windows workstation or server and performs an audit of hardware, OS versions and installed software.

Finally, I use a few system variables and pipe the results into three log files, which give me the following reports:

  • A rolling log of usage by user
  • A rolling log of usage by workstation
  • A snapshot log file by workstation that gives me the name of the current user of the workstation along with the login date and time as well as a report on the IP address of the workstation, all the OS information and patch levels and a hardware audit.

Extracting information is as easy as using Search in Explorer and using the containing text option. So, for example, searching on would produce one result, which would be the name of the workstation.

The batch file I wrote is shown below with comments and notes.

Start Batch file - info.bat
@echo off

echo Performing a quick Workstation audit - Please wait....

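rem NOTE: the log file paths are missing from this listing. The three values
rem below are placeholders; replace them with your own log locations.
set WS_USAGE_LOG=REPLACE_WITH_WORKSTATION_USAGE_LOG_PATH
set USER_USAGE_LOG=REPLACE_WITH_USER_USAGE_LOG_PATH
set SNAPSHOT_LOG=REPLACE_WITH_WORKSTATION_SNAPSHOT_LOG_PATH

rem The following line creates a rolling log file of usage of
rem workstation by user (Thor being the server, Helpdesk being the volume)
echo %Date% %TIME% %USER% >> "%WS_USAGE_LOG%"
rem The following line creates a rolling log file of usage by user
echo %Date% %TIME% %COMPUTERNAME% >> "%USER_USAGE_LOG%"
rem The following line performs an OS patch audit and creates a new log
rem file. See Note 1 for an explanation of the switches used.
z:\hfnetchk -x "z:\mssecure.xml" -f "%SNAPSHOT_LOG%"
rem The following line pipes the date, time and user ID to the above
rem log file
echo %Date% %TIME% %USER% >> "%SNAPSHOT_LOG%"
rem The following line pipes in the workstation IP information to the
rem above log file
ipconfig /all >> "%SNAPSHOT_LOG%"
rem The following line performs a hardware and software audit of the
rem workstation and pipes the information into the above log file
rem See Note 2 for an explanation of the switches used.
z:\psinfo -h -d -s >> "%SNAPSHOT_LOG%"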
echo Audit finished.  Continuing to load Windows 
rem See Note 3 for files used and their locations 
CD Z:\  

End batch file - info.bat
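
The two questions that prompted the script (who last used a PC, and how heavily it is used) can be answered straight from a per-workstation rolling log. The following is an added example, not part of Andrew's solution: it assumes each log line is what `echo %Date% %TIME% %USER%` appends, and the sample log and user names are constructed.

```python
import re
from collections import Counter

# Matches "<date> <time> [user]" without interpreting the date: the layout of
# %Date% and %TIME% depends on the workstation's regional settings.
LINE_RE = re.compile(
    r"^\s*(?P<stamp>.*?\d{1,2}:\d{2}:\d{2}(?:[.,]\d+)?)\s*(?P<user>.*?)\s*$"
)

# Constructed sample of one per-workstation rolling log (not real data).
SAMPLE_LOG = "\n".join([
    "Thu 15/07/2004  9:01:12.44 jsmith ",   # echo leaves a trailing space
    "Thu 15/07/2004 11:30:05.10 akhan ",
    "",                                      # stray blank line
    "Fri 16/07/2004  8:55:30.02 jsmith ",
    "Fri 16/07/2004 14:20:19,63 ",           # %USER% was empty at login
])


def summarize(log_text):
    """Return last identified user, when they logged in, and per-user counts."""
    logins = Counter()
    last_user = last_seen = None
    no_user = malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            malformed += 1          # no time field: not written by info.bat
        elif not m.group("user"):
            no_user += 1            # timestamp only: login with no user name
        else:
            user = m.group("user")
            logins[user] += 1
            # The log is append-only, so the latest matching line wins.
            last_user, last_seen = user, m.group("stamp")
    return {"last_user": last_user, "last_seen": last_seen,
            "logins": dict(logins), "no_user": no_user, "malformed": malformed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("Last user:", report["last_user"], "at", report["last_seen"])
    for user, count in sorted(report["logins"].items()):
        print(f"{user}: {count} login(s)")
    print("Entries without a user name:", report["no_user"])
```

Entries counted under no_user or malformed are worth a look by hand, since they are lines the login script should never have produced.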

Note 1 - Command line switches for HFNetChk

HFNetChk by default tries to download a new copy of the patch database each time it loads. To stop our workstations permanently downloading the cab file, I regularly download the latest version from http://xml.shavlik.com/mssecure.xml and copy the latest xml file to all the student file servers. The -x switch is used to stop the workstation trying to download the latest file and instead specify the local location of the xml file, in my case z:\mssecure.xml. The -f switch is used to redirect the output to a text file.

Note 2 - Command line switches for PSinfo

I use the following switches to gather the workstation audit.

-h     Show installed Windows hotfixes
-d     Show disk volume information
-s     Show installed software

The output is piped into the snapshot log file by using the DOS >> command, which appends the information to an existing file (as opposed to >, which creates a new file).

Note 3 - Files used and their location

I personally store all the files needed in z:\ but as long as the workstation can see them, you can put them anywhere. The files needed are:

info.bat (my batch file from above)
pdh.dll (the psinfo support file)
winhttp.dll (the hfnetchk support file)

Hopefully all that makes some sense and someone out there may find it of use.

Andrew White
Network Manager
Salisbury College
