Hey, Scripting Guy! Quick-Hits Friday: The Scripting Guys Respond to a Bunch of Questions (1/1/10)



How Can I Get Users' SIDs?

Hey, Scripting Guy! First, I wanted to say that I really love the site and find it useful all the time. Maybe you can help me. After reading the Hey, Scripting Guy! blog post How Can I Determine the SID for a User Account?, I am trying to map a user account to its SID. All is well and good when I run the script against my local machine, but when I do the same against another remote machine in the same domain, SELECT * FROM Win32_UserAccount returns only the users locally defined on that machine. I am guessing this is some permissions issue, but because the user that is executing the remote calls is a domain administrator, I am dubious. What am I missing? Also, is there potentially another way I can map a known user name to their SID?

-- AM

 

Hello AM,

There are many ways of getting SIDs for users. And there are actually different ways that SIDs are expressed, which is a bummer.

However, if I understand you right, I do not think there is a real reason to run the script against a remote machine: if you are returning domain users and both computers are joined to the domain, the set of users is always the same, because they are all domain users. When connecting remotely, what you are interested in is the local users on that computer.

As long as you are a member of the local Administrators group on the remote computer, you have the WMI permissions needed to execute a remote query. The GetUserSid.vbs script that follows shows how I return a user's SID using WMI. Note that for efficiency you must specify both the domain name and the user name in the query, so that WMI returns the single matching instance instead of enumerating every account.

GetUserSid.vbs

' GetUserSid.vbs - retrieves the SID of one account by its WMI instance path
On Error Resume Next
strComputer = "."   ' "." is the local computer; use a host name for a remote computer

' Fetch the single Win32_UserAccount instance by its keys (Domain and Name)
' rather than enumerating every account. The moniker needs the colon after "winmgmts".
Set objUserAccount = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer _
    & "\root\cimv2:Win32_UserAccount." _
    & "Domain='MyDomainName',Name='MyUserName'")

If Err.Number = 0 Then
    WScript.Echo objUserAccount.SID
Else
    WScript.Echo "No object found. Error: " & Err.Number
End If
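AM also asked whether there is another way to map a known user name to a SID. As an added Windows PowerShell example (not code from the original post), the following uses the .NET NTAccount/SecurityIdentifier translation for domain or local accounts, and alongside it the WMI route from the answer with a Domain-and-Name filter for accounts defined locally on a remote computer. MyDomainName, MyUserName and RemoteHost are placeholders; the function names are my own.

```powershell
function Get-AccountSid {
    # DOMAIN\User -> SID string via the local security subsystem (LookupAccountName);
    # no WMI enumeration, and it works for domain accounts from any domain-joined computer.
    param(
        [Parameter(Mandatory=$true)] [string] $Domain,
        [Parameter(Mandatory=$true)] [string] $Name
    )
    $account = New-Object System.Security.Principal.NTAccount($Domain, $Name)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-AccountNameFromSid {
    # Reverse lookup, SID string -> DOMAIN\User; handy when reading ACLs or event logs.
    param([Parameter(Mandatory=$true)] [string] $Sid)
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $id.Translate([System.Security.Principal.NTAccount]).Value
}

function Get-LocalAccountSidViaWmi {
    # The WMI route from the answer, aimed at accounts defined locally on a
    # (possibly remote) computer. Filtering on both Domain and Name makes WMI
    # return the single matching instance instead of enumerating every account.
    # For a local account the Domain key is the computer's own name.
    param(
        [string] $ComputerName = '.',
        [Parameter(Mandatory=$true)] [string] $Domain,
        [Parameter(Mandatory=$true)] [string] $Name
    )
    # WQL string literals escape ' and \ with a backslash; do that so an odd
    # account name cannot break or alter the filter.
    $d = $Domain -replace "(['\\])", '\$1'
    $n = $Name   -replace "(['\\])", '\$1'
    Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
        -Filter "Domain='$d' AND Name='$n'" |
        Select-Object -ExpandProperty SID
}

# Well-known SIDs resolve without any domain connectivity, so they make a
# self-check that runs anywhere: S-1-5-32-544 is always BUILTIN\Administrators.
Get-AccountNameFromSid -Sid 'S-1-5-32-544'
Get-AccountSid -Domain 'BUILTIN' -Name 'Administrators'

# Placeholders: substitute a real domain\user and, if wanted, a remote host name.
# Get-AccountSid -Domain 'MyDomainName' -Name 'MyUserName'
# Get-LocalAccountSidViaWmi -ComputerName 'RemoteHost' -Domain 'RemoteHost' -Name 'LocalUser'
```

The translation functions are the ones to reach for when auditing ACLs or event log entries, because they work for any account the computer can resolve; the WMI function is for the case in the question, where the accounts of interest exist only on the remote computer.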


 

How Can I Get Information About Protected Processes Running on a Local Computer?

Hey, Scripting Guy! I am using the WMI Win32_Process class to get information about all processes running on a local system (Windows Vista). However, this class is not able to pull information about protected processes such as smss.exe and audiodg.exe. I tried enabling all privileges and cloaking the proxy. This did not fix the problem. Do you know how I can pull this information using WMI?

-- DA

 

Hello DA,

I am going to guess that you actually ran the script as an administrator. Is that right? By default you cannot right-click a VBScript script and then click Run as administrator. Instead, open a cmd prompt with Run as administrator (right-click while holding SHIFT), and then launch the script from within that cmd prompt. See if this helps.

DA again: Hey, Scripting Guy! I am definitely running as an administrator. I can retrieve information for some processes, while others fail. For example, ExecutablePath returns nothing for the following processes:

Smss.exe
Audiodg.exe


 

How Can I Retrieve InstallDate for Devices?

I had one more question and would appreciate if you can shed some light on it. I am also not able to retrieve InstallDate for devices. I tried with Win32_PnPEntity and Win32_PnPSignedDriver, but both are returning empty values.

-DA

 

Hello DA,

Thanks for writing back. If you are definitely running Windows PowerShell as an administrator and some processes still do not expose the CommandLine property, it might be because that particular process is part of a larger service or driver. Consider the following results from my Windows 7 computer. The first output is from a console run without administrator rights:

PS C:\> gwmi win32_process | ft name, commandline -AutoSize

name                           commandline
----                           -----------
System Idle Process
System
smss.exe
csrss.exe
wininit.exe
csrss.exe
services.exe
lsass.exe
lsm.exe
winlogon.exe
svchost.exe
svchost.exe
MsMpEng.exe
atiesrxx.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
spoolsv.exe
svchost.exe
svchost.exe
Iap.exe
inetinfo.exe
LMS.exe
mdm.exe
svchost.exe
UNS.exe
WLIDSVC.EXE
DCPSysMgrSvc.exe
IAANTmon.exe
SearchIndexer.exe
svchost.exe
atieclxx.exe
WLIDSVCM.EXE
dwm.exe                        "C:\Windows\system32\Dwm.exe"
explorer.exe                   C:\Windows\Explorer.EXE
taskhost.exe                   "taskhost.exe"
ipoint.exe                     "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
IAAnotif.exe                   "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe"
Dell.ControlPoint.exe          "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
msseces.exe                    "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
DCPSysMgr.exe                  "C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe"
dpupdchk.exe                   "C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe"
smax4pnp.exe                   "C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe"
apdproxy.exe                   "C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\apdproxy.exe"
MOM.exe                        "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM"
WmiPrvSE.exe
CCC.exe                        "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe" 0
mmc.exe
unsecapp.exe
splwow64.exe                   C:\Windows\splwow64.exe 1
TweetDeck.exe                  "c:\program files (x86)\TweetDeck\TweetDeck.exe"
PresentationFontCache.exe
Snagit32.exe                   "C:\Program Files (x86)\TechSmith\SnagIt 9\Snagit32.exe"
TscHelp.exe                    "C:\Program Files (x86)\TechSmith\SnagIt 9\TSCHelp.exe"
SnagPriv.exe
SnagitEditor.exe               "C:\Program Files (x86)\TechSmith\SnagIt 9\snagiteditor.exe" /X
ielowutil.exe                  "C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding
powershell_ise.exe             "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe"
conhost.exe                    \??\C:\Windows\system32\conhost.exe
iexplore.exe                   "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
audiodg.exe
FlashUtil10c.exe               C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe -Embedding
iexplore.exe                   "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:5144
iexplore.exe                   "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:5144
WINWORD.EXE                    "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
OfficeLiveSignIn.exe           "C:\Program Files (x86)\Microsoft\Office Live\OfficeLiveSignIn.exe"
powershell.exe                 "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
conhost.exe                    \??\C:\Windows\system32\conhost.exe
WmiPrvSE.exe
powershell.exe
conhost.exe


PS C:\>

You will notice that many of the processes do not display the commandline property value. Now, I will run the same command in a Windows PowerShell console that I launched as administrator. You will see that most (but not all) processes display a commandline property value. Interestingly enough, on my machine the smss.exe displays a commandline property value, but the audiodg.exe is one of the few that does not return any information.

PS C:\> gwmi win32_process | ft name, commandline -AutoSize

name                           commandline
----                           -----------
System Idle Process
System
smss.exe                       \SystemRoot\System32\smss.exe
csrss.exe                      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,
wininit.exe                    wininit.exe
csrss.exe                      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,
services.exe                   C:\Windows\system32\services.exe
lsass.exe                      C:\Windows\system32\lsass.exe
lsm.exe                        C:\Windows\system32\lsm.exe
winlogon.exe                   winlogon.exe
svchost.exe                    C:\Windows\system32\svchost.exe -k DcomLaunch
svchost.exe                    C:\Windows\system32\svchost.exe -k RPCSS
MsMpEng.exe                    "c:\Program Files\Microsoft Security Essentials\MsMpEng.exe"
atiesrxx.exe                   C:\Windows\system32\atiesrxx.exe
svchost.exe                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
svchost.exe                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
svchost.exe                    C:\Windows\system32\svchost.exe -k netsvcs
svchost.exe                    C:\Windows\system32\svchost.exe -k LocalService
svchost.exe                    C:\Windows\system32\svchost.exe -k NetworkService
spoolsv.exe                    C:\Windows\System32\spoolsv.exe
svchost.exe                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
svchost.exe                    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Iap.exe                        "C:\Program Files\Dell\OpenManage\Client\Iap.exe"
inetinfo.exe                   C:\Windows\system32\inetsrv\inetinfo.exe
LMS.exe                        "C:\Program Files (x86)\Intel\AMT\LMS.exe"
mdm.exe                        "C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe"
svchost.exe                    C:\Windows\System32\svchost.exe -k HPZ12
UNS.exe                        "C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe"
WLIDSVC.EXE                    "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE"
DCPSysMgrSvc.exe               "C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe"
IAANTmon.exe                   "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe"
SearchIndexer.exe              C:\Windows\system32\SearchIndexer.exe /Embedding
svchost.exe                    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
atieclxx.exe                   atieclxx
WLIDSVCM.EXE                   WLIDSvcM.exe 1252
dwm.exe                        "C:\Windows\system32\Dwm.exe"
explorer.exe                   C:\Windows\Explorer.EXE
taskhost.exe                   "taskhost.exe"
ipoint.exe                     "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
IAAnotif.exe                   "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe"
Dell.ControlPoint.exe          "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
msseces.exe                    "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
DCPSysMgr.exe                  "C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe"
dpupdchk.exe                   "C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe"
smax4pnp.exe                   "C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe"
apdproxy.exe                   "C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\apdproxy.exe"
MOM.exe                        "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM"
WmiPrvSE.exe                   C:\Windows\system32\wbem\wmiprvse.exe
CCC.exe                        "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe" 0
mmc.exe                        "C:\Windows\system32\mmc.exe" "C:\Users\ed.NWTRADERS\Desktop\AdminToolz.msc"
unsecapp.exe                   C:\Windows\system32\wbem\unsecapp.exe -Embedding
splwow64.exe                   C:\Windows\splwow64.exe 1
TweetDeck.exe                  "c:\program files (x86)\TweetDeck\TweetDeck.exe"
PresentationFontCache.exe      C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
Snagit32.exe                   "C:\Program Files (x86)\TechSmith\SnagIt 9\Snagit32.exe"
TscHelp.exe                    "C:\Program Files (x86)\TechSmith\SnagIt 9\TSCHelp.exe"
SnagPriv.exe                   "C:\Program Files (x86)\TechSmith\SnagIt 9\SnagPriv.exe"
SnagitEditor.exe               "C:\Program Files (x86)\TechSmith\SnagIt 9\snagiteditor.exe" /X
ielowutil.exe                  "C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding
powershell_ise.exe             "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe"
conhost.exe                    \??\C:\Windows\system32\conhost.exe
iexplore.exe                   "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
audiodg.exe
FlashUtil10c.exe               C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe -Embedding
iexplore.exe                   "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:5144
iexplore.exe                   "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:5144
WINWORD.EXE                    "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
OfficeLiveSignIn.exe           "C:\Program Files (x86)\Microsoft\Office Live\OfficeLiveSignIn.exe"
powershell.exe                 "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
conhost.exe                    \??\C:\Windows\system32\conhost.exe
WmiPrvSE.exe                   C:\Windows\system32\wbem\wmiprvse.exe
powershell.exe                 "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
conhost.exe                    \??\C:\Windows\system32\conhost.exe


PS C:\>
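The two listings show that a blank CommandLine means one of two different things: the console was not elevated, or the process is one of the few protected ones. As an added Windows PowerShell example (not code from the original post), the following records the elevation state alongside the query so an audit can tell the two cases apart. It uses only Win32_Process and the .NET WindowsPrincipal class; the function names are mine and $ComputerName defaults to the local computer.

```powershell
function Test-IsElevated {
    # True when the current token holds the Administrators role, i.e. the
    # console was started with "Run as administrator" and UAC elevated it.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ProcessWithoutCommandLine {
    # Lists processes whose Win32_Process.CommandLine is empty. From a
    # non-elevated console that is most services; from an elevated console
    # it is only the handful of protected processes (audiodg.exe in the listing above).
    param([string] $ComputerName = '.')
    Get-WmiObject -Class Win32_Process -ComputerName $ComputerName |
        Where-Object { [string]::IsNullOrEmpty($_.CommandLine) } |
        Select-Object ProcessId, Name, ExecutablePath
}

function Get-CommandLineVisibilityReport {
    # Bundles the elevation state with the counts so the result is interpretable
    # on its own (a blank from a non-elevated query is not evidence of anything).
    param([string] $ComputerName = '.')
    $all     = @(Get-WmiObject -Class Win32_Process -ComputerName $ComputerName)
    $missing = @(Get-ProcessWithoutCommandLine -ComputerName $ComputerName)
    New-Object PSObject -Property @{
        Elevated           = Test-IsElevated
        TotalProcesses     = $all.Count
        WithoutCommandLine = $missing.Count
        Processes          = $missing
    }
}

$report = Get-CommandLineVisibilityReport
"Elevated: $($report.Elevated); processes without CommandLine: $($report.WithoutCommandLine) of $($report.TotalProcesses)"
if (-not $report.Elevated) {
    "Many blanks are expected here; rerun from an elevated console before treating a blank as unusual."
}
$report.Processes | Format-Table ProcessId, Name, ExecutablePath -AutoSize
```

Running this from an elevated console leaves a short list that should match the protected processes on the system; running it twice, once elevated and once not, reproduces the difference between the two listings above.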

The InstallDate property is defined on the CIM_ManagedSystemElement WMI class, and because so many classes derive from it, the property is present in a large number of WMI classes. This is seen here:

Image of InstallDate

 

Every WMI class derived from CIM_ManagedSystemElement carries this property, but most of them do not populate it. For the value to be exposed, the provider behind that class has to actually report the install date to WMI. WMI classes inherit properties and methods from their parent classes, and there is no way to block the inheritance of a property or method a class does not want to expose, so everything derived from CIM_ManagedSystemElement carries the same base set of properties and methods whether or not they are filled in. I use WbemTest to explore classes, or the Scriptomatic, to see what information a class actually reports. By selecting instances in WbemTest, you can view the data reported by a specific instance of the WMI class. This is shown here:

Image of data reported by a specific instance of the WMI class

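To check the same thing from a script instead of WbemTest, here is an added Windows PowerShell example (not from the original post). It walks the derivation list that WMI exposes for each class to find everything that inherits from CIM_ManagedSystemElement, then counts per class how many instances actually report InstallDate; Win32_OperatingSystem is included as a class whose provider does fill the property in. The function names are mine.

```powershell
function Get-ManagedSystemElementClass {
    # Every class whose ancestry includes CIM_ManagedSystemElement inherits
    # InstallDate. ManagementClass.Derivation lists a class's parent classes.
    Get-WmiObject -List -Namespace root\cimv2 |
        Where-Object { $_.Derivation -contains 'CIM_ManagedSystemElement' } |
        Select-Object -ExpandProperty Name
}

function Get-InstallDateReport {
    # For each class named, counts instances and how many report InstallDate.
    # Most classes come back with 0 reported values: the property is inherited
    # but the provider never populates it.
    param([string[]] $ClassName)
    foreach ($class in $ClassName) {
        $instances = @(Get-WmiObject -Class $class -ErrorAction SilentlyContinue)
        $reported  = @($instances | Where-Object { $_.InstallDate })
        $sample = $null
        if ($reported.Count -gt 0) {
            # InstallDate is a DMTF datetime string (yyyymmddHHMMSS.mmmmmmsUUU); convert it.
            $sample = [System.Management.ManagementDateTimeConverter]::ToDateTime($reported[0].InstallDate)
        }
        New-Object PSObject -Property @{
            Class     = $class
            Instances = $instances.Count
            Reported  = $reported.Count
            Sample    = $sample
        }
    }
}

# How many classes in root\cimv2 inherit the property at all.
$inheriting = @(Get-ManagedSystemElementClass)
"Classes deriving from CIM_ManagedSystemElement: $($inheriting.Count)"

# Win32_OperatingSystem populates InstallDate; Win32_PnPEntity and
# Win32_PnPSignedDriver inherit it but, as in the question, leave it empty.
Get-InstallDateReport -ClassName Win32_OperatingSystem, Win32_PnPEntity, Win32_PnPSignedDriver |
    Format-Table Class, Instances, Reported, Sample -AutoSize
```

Feeding the whole $inheriting list to Get-InstallDateReport gives a complete map of which providers on a given build report the property, which is quicker than clicking through instances in WbemTest class by class.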
An Example of a Parsed Out File Name of a Monitored File

Hey, Scripting Guy! In the article, How Can I Monitor for Different Types of Events With Just One Script?, you mention that you can parse out the file name of the monitored file but did not provide an example. Could you please supply an example?

-- RH

 

Hello RH,

I am glad you liked the article. The easiest way to obtain the file name and path is string manipulation. You will see that I commented out portions of the original script and added the string manipulation portion in their place. I used the InStr, Len, Mid, and Replace functions to parse out the file name and path. If you want only the file name and not the path, use the same techniques and functions to look for the “\” characters in the path.

GetFileName.vbs

' GetFileName.vbs - watches c:\fso and prints the path of each created or deleted file
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

' Subscribe to file creation/deletion events in c:\fso, polled every 5 seconds
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE " _
        & "TargetInstance ISA 'CIM_DirectoryContainsFile' and " _
        & "TargetInstance.GroupComponent= " _
        & "'Win32_Directory.Name=""c:\\\\fso""'")

Do While True
    Set objEventObject = colMonitoredEvents.NextEvent()

    Select Case objEventObject.Path_.Class
        Case "__InstanceCreationEvent"
            ' The original script echoed the raw object path:
            ' WScript.Echo "A new file was just created: " & _
            '     objEventObject.TargetInstance.PartComponent
            ' PartComponent looks like \\PC\root\cimv2:CIM_DataFile.Name="c:\\fso\\file.txt",
            ' so keep the text between the quotes and collapse "\\" to "\".
            cimFile = objEventObject.TargetInstance.PartComponent
            startPos = InStr(cimFile, """")
            length = Len(cimFile) - startPos
            cimFile = Mid(cimFile, startPos + 1, length - 1)
            WScript.Echo "A new file was just created: " & _
                Replace(cimFile, "\\", "\")
        Case "__InstanceDeletionEvent"
            ' WScript.Echo "A file was just deleted: " & _
            '     objEventObject.TargetInstance.PartComponent
            cimFile = objEventObject.TargetInstance.PartComponent
            startPos = InStr(cimFile, """")
            length = Len(cimFile) - startPos
            cimFile = Mid(cimFile, startPos + 1, length - 1)
            WScript.Echo "A file was just deleted: " & _
                Replace(cimFile, "\\", "\")
    End Select
Loop
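As an added Windows PowerShell example (not part of the original answer), here is the same parsing with the file name split from the directory, applied first to a constructed reference string and then to live events from the same WQL query. The sample string, the FsoWatch identifier and the function name are my own; the function is placed in the global scope so the event action block can call it.

```powershell
function global:ConvertFrom-CimFileReference {
    # Parses a CIM_DataFile object path such as
    #   \\HOST\root\cimv2:CIM_DataFile.Name="c:\\fso\\report.txt"
    # into directory, file name and full path: the text between the quotes
    # with "\\" collapsed to "\", as in the VBScript, then split on the last "\".
    param([Parameter(Mandatory=$true)] [string] $Reference)
    $first = $Reference.IndexOf('"')
    $last  = $Reference.LastIndexOf('"')
    if ($first -lt 0 -or $last -le $first) {
        throw "Not a quoted CIM object path: $Reference"
    }
    $path = $Reference.Substring($first + 1, $last - $first - 1).Replace('\\', '\')
    New-Object PSObject -Property @{
        FullPath  = $path
        FileName  = Split-Path -Path $path -Leaf
        Directory = Split-Path -Path $path -Parent
    }
}

# Constructed sample, shaped like TargetInstance.PartComponent in the VBScript.
$sample = '\\MYPC\root\cimv2:CIM_DataFile.Name="c:\\fso\\report.txt"'
ConvertFrom-CimFileReference -Reference $sample | Format-List FullPath, FileName, Directory

# Live monitor of c:\fso with the same WQL as the VBScript. The string is parsed
# rather than fetched with [wmi]$ref because, for a deletion event, the file no
# longer exists and WMI cannot retrieve the referenced CIM_DataFile instance.
$query = "SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE " +
         "TargetInstance ISA 'CIM_DirectoryContainsFile' AND " +
         "TargetInstance.GroupComponent='Win32_Directory.Name=""c:\\\\fso""'"
Register-WmiEvent -Query $query -SourceIdentifier FsoWatch -Action {
    $newEvent = $Event.SourceEventArgs.NewEvent
    $info = ConvertFrom-CimFileReference -Reference $newEvent.TargetInstance.PartComponent
    Write-Host "$($newEvent.__CLASS): $($info.FileName) (in $($info.Directory))"
}
# Stop watching with: Unregister-Event -SourceIdentifier FsoWatch
```

Because the parser throws on anything that is not a quoted object path, a malformed reference surfaces as an error in the event job rather than as a silently wrong file name.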

 

How Do I Re-install Windows Script 5.7 on Windows Vista?

Hey, Scripting Guy! How do I reinstall Windows Script 5.7 on a Windows Vista computer? I am getting an “Automation Server Can’t Create Object” error every time I try to create a new project with Visual Studio 2005. I am also getting the error “Microsoft JScript runtime error” every time I launch the text editor PSPad. Is there some way to fix the script components without reinstalling all of Windows Vista?

-- DS

 

Hello DS,

To reinstall Windows Script 5.7 on Windows Vista, right-click the wsh.inf file (%windir%\inf\wsh.inf) and then click Install. This resets most of the WSH information.

How Can I Read from a Specific Line Number to the End of a File?

Hey, Scripting Guy! I would like to read from line 5 until I reach the end of the file by using Windows PowerShell. How can I do that? I tried the following code but it does not work:

(Get-Content C:\Scripts\Test.txt)[0 .. EOF]

-- AL

 

Hello AL,

The name EOF is not defined in Windows PowerShell. You need to compute the index of the last line yourself, which can be done in one line, as seen here:

(Get-Content C:\Scripts\Test.txt)[5..(Get-Content C:\Scripts\Test.txt).length]
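An added example (not from the original post): a small Windows PowerShell function that reads from a 1-based line number to the end of the file in a single pass, and writes its own sample file so it runs stand-alone. The index form above is 0-based, so [5..] begins at the sixth line; the function below takes the human line number and handles a file shorter than that number. The function name and the sample file name are mine.

```powershell
function Get-ContentFromLine {
    # Returns the file from 1-based line $Line through the end, reading the file
    # once. Select-Object -Skip drops the first lines without needing an EOF index;
    # a file with fewer than $Line lines simply yields nothing.
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [int] $Line = 5
    )
    if ($Line -lt 1) { throw "Line must be 1 or greater (got $Line)" }
    Get-Content -Path $Path | Select-Object -Skip ($Line - 1)
}

# Constructed sample file: eight lines, "line 1" .. "line 8".
$tmp = Join-Path $env:TEMP 'quickhits-sample.txt'
1..8 | ForEach-Object { "line $_" } | Set-Content -Path $tmp

Get-ContentFromLine -Path $tmp -Line 5      # lines 5 through 8
Get-ContentFromLine -Path $tmp -Line 20     # nothing: the file is shorter than that

Remove-Item -Path $tmp
```

Skipping a fixed number of header lines this way is the usual pattern for log files whose first lines are a banner; the pipeline form also streams large files instead of loading them into an array twice.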


Well, this concludes another edition of Quick-Hits Friday. It also concludes another exciting week on the Script Center. Join us next week as we delve into the mysteries of…well, we will let that remain a mystery for now.

If you want to know exactly what we will be discussing on Monday, follow us on Twitter or Facebook. If you have any questions, send e-mail to us at scripter@microsoft.com or post your questions on the Official Scripting Guys Forum. See you on Monday. Until then, have an awesome weekend. 
 

Ed Wilson and Craig Liebendorfer, Scripting Guys 
