Workstation and User Auditing the Simple Way

Novell Cool Solutions: Trench
By Andrew White

Digg This - Slashdot This Posted: 15 Jul 2004

Note: An alert reader sent in this little heads up for those of you who wish to use Andrew's Cool Solution. Feedback: Andrew White's solution is nice, but PSInfo is not licensed for free use when run from a file server. I nearly got burned bad by that one once. See http://www.sysinternals.com/licensing.shtml

I've seen a few requests on forums recently for people asking the best way to do some basic workstation or user auditing so I thought I'd share my solution here. I'm also on a quest to get all 8 colours of t-shirts ;-)

Being at a college, I'm often asked by lecturers to tell them who was the last user on a certain PC or what the usage stats for a particular lab has been. I started thinking that not only would it be good for our helpdesk to hold such information, but if we could do a workstation audit at the same time then the information would have some real use.

So I started looking round for free tools (hey, I'm a college, even free is too expensive) that would help and I wrote a batch file that each user calls from their container login script. (I must point out that all PC's here are Windows 2000 so this won't work for W9x users.)

The batch file uses two free utilities.

1. Firstly, it uses HFNetChk from Shavlik, which is a command line tool that scans a Windows workstation or server and reports on any outstanding OS patches.
2. Secondly, I use PSInfo from SysInternals which is also a command line utility that scans a windows workstation or server and performs an audit of hardware, OS versions and installed software.

Finally, I use a few system variables and pipe the results into three log files which gives me the following reports:

• A rolling log of usage by user
• A rolling log of usage by workstation
• A snapshot log file by workstation that gives me the name of the current user of the workstation along with the login date and time as well as a report on the IP address of the workstation, all the OS information and patch levels and a hardware audit.

Extracting information is as easy as using Search in Explorer and using the containing text option. So, for example, searching on 172.19.250.8 would produce one result, which would be the name of the workstation.

The batch file I wrote is shown below with comments and notes.

Start Batch file - info.bat
@echo off

echo Performing a quick Workstation audit - Please wait....

rem The following line creates a rolling log file of usage of
workstation by user (Thor being the server, Helpdesk being the volume)
echo %Date% %TIME% %USER% >>
\\THOR\HELPDESK\LOGFILES\STUDENT\PC\%COMPUTERNAME%.log 
rem The following line creates a rolling log file of usage by user
echo %Date% %TIME% %COMPUTERNAME% >>
\\THOR\HELPDESK\LOGFILES\STUDENT\USER\%USER%.log 
rem The following line performs a OS patch audit and creates a new log
file   See Note 1 for an explanation of the switches used
z:\hfnetchk -x "z:\mssecure.xml" -f
\\THOR\HELPDESK\LOGFILES\STUDENT\CURRENT\%COMPUTERNAME%.log 
rem The following line pipes the date, time and user ID to the above
log file
echo %Date% %TIME% %USER% >>
\\THOR\HELPDESK\LOGFILES\STUDENT\CURRENT\%COMPUTERNAME%.log 
rem The following lines pipes in the workstation IP information to the
above log file
ipconfig /all >>
\\THOR\HELPDESK\LOGFILES\STUDENT\CURRENT\%COMPUTERNAME%.log 
rem The following line performs a hardware and software audit of the
workstation and pipes the information into the above log file
rem See Note 2 for an explanation of the switches used.
z:\psinfo -h -d -s >>
\\THOR\HELPDESK\LOGFILES\STUDENT\CURRENT\%COMPUTERNAME%.log 
echo Audit finished.  Continuing to load Windows 
rem See Note 3 for files used and their locations 
CD Z:\  
exit

End batch file - info.bat

Note 1 - Command line switches for HFNetChk

HFNetChk by default tries to download a new copy of the patch database each time it loads. To stop our workstations permanently downloading the cab file, I regularly download the latest version from http://xml.shavlik.com/mssecure.xml and copy the latest xml file to all the student file servers. The -x switch is used to stop the workstation trying to download the latest file and instead specify the local location of the xml file, in my case z:\mssecure.xml The -f switch is used to redirect the output to a text file.

Note 2 - Command line switches for PSinfo

I use the following switches to gather the workstation audit.

-h     Show installed Windows hotfixes
-d     Show disk volume information
-s     Show installed software

The output is piped into the snapshot log file by using the dos >> command that appends the information into an existing file (as opposed to > which creates a new file).

Note 3 - Files used and their location

All the files needed I personally store in z:\ but as long as the workstation can see then, you can put them anywhere. The files needed are:

info.bat (my batch file from above)
psinfo.exe
pdh.dll (the psinfo support file)
hfnetchk.exe
mssecure.xml
winhttp.dll (the hfnetchk support file)

Hopefully all that makes some sense and someone out there may find it of use.

Andrew White
Network Manager
Salisbury College

Reader Comments

• Looks pretty good! From a purely user auditing perspective, Condrey Consulting, makers of File System Factory (That Novell sells), has an auditing NLM called Auditlogin, that logs login/logout events, to a CSV text file. (It is used in Novell Account Managerment as well). The guys at University of New Brunswick have used it to generate this amazing web system, of tracking which computers are in use, and which are free. They are considering releasing it commercially, because it is pretty darn useful for a university! http://labdisplay.csd.unb.ca/
• How bad, that HFNetChk from Shavlik is MS network client dependent. In my enviroment I have only Novell clients on workstations. David Krotil david_dot_krotil_at_systemnet_dot_cz
• Excellent Tool for those of us that aren't using dedicated Patch Management Software. Mark D Harrison md.harrison@is.sefton.gov.uk

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com