1 answer
I have to say I am somewhat surprised that PowerShell doesn't return in the list of installed software.
Anyway...
I have now added it manually to the audit_windows.vbs script (as we do with other items like Codecs, ODBC Drivers, etc). You can find an updated version on GitHub, link below. This is a drop-in replacement for your current audit script. Just copy it to -
Linux: /usr/local/open-audit/other/audit_windows.vbs
Windows: c:\xampp\open-audit\other\audit_windows.vbs
Please make sure you back up your original file before replacing it with this new one so you can revert if anything unexpected occurs.
https://raw.githubusercontent.com/Opmantek/open-audit/master/other/audit_windows.vbs
Once an audit is performed using this new script, PowerShell should appear in the list of installed software in Open-AudIT (including its version number).
Mark.
PS - At present there is no way to associate a custom field in the audit script to be processed by the application. This is something we are giving thought to.
PPS - One way you might have solved it is to add the complete executable path to /files in Open-AudIT (Enterprise only). The .exe would then be recorded against any machine that contains it. That does produce a different version though (the version of the actual executable).
Output from the file detection is below.
<file>
  <item>
    <name>powershell.exe</name>
    <full_name>c:\windows\syswow64\windowspowershell\v1.0\powershell.exe</full_name>
    <size>431616</size>
    <directory>c:\windows\syswow64\windowspowershell\v1.0\</directory>
    <hash>21d5224e20a4be7f303ab6c4b9f219d0d70904ee</hash>
    <last_changed>1/6/2017 7:24:33 PM</last_changed>
    <meta_last_changed></meta_last_changed>
    <permission>17957033</permission>
    <owner>TrustedInstaller@NT SERVICE</owner>
    <version>10.0.14393.206</version>
    <inode>0</inode>
    <group></group>
  </item>
</file>
Output from the software detection is below.
<item>
  <name>PowerShell</name>
  <version>5.1.14393.0</version>
  <install_date></install_date>
  <publisher>Microsoft Corporation</publisher>
  <url>https://docs.microsoft.com/en-us/powershell/</url>
</item>
I hope this helps.
Mark.
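The PPS above notes that file detection and software detection report different versions for PowerShell. As an added example (not part of Mark's answer and not code from audit_windows.vbs), this PowerShell function lists both values on the local host: the engine version from the standard Windows PowerShell registry keys and the version resource of each powershell.exe. The function name is hypothetical, and that these are the sources the audit script reads is an assumption.

```powershell
# Added example: show why an inventory can hold two different "PowerShell versions".
# Get-PowerShellVersionSources is a hypothetical name, not an Open-AudIT function.
function Get-PowerShellVersionSources {
    [CmdletBinding()]
    param()

    # Engine version as recorded in the registry.
    # Key "3" is written by Windows PowerShell 3.0 to 5.1, key "1" by 1.0 and 2.0.
    # Both keys can be present on one host, so each is reported separately.
    foreach ($key in '3', '1') {
        $regPath = "HKLM:\SOFTWARE\Microsoft\PowerShell\$key\PowerShellEngine"
        $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
        if ($props -and $props.PowerShellVersion) {
            [pscustomobject]@{
                Source  = 'registry'
                Path    = $regPath
                Version = $props.PowerShellVersion
            }
        }
    }

    # Version resource of the executable itself. This follows the Windows build,
    # not the PowerShell engine version, which is why the two numbers differ.
    foreach ($dir in 'System32', 'SysWOW64') {
        $exePath = Join-Path $env:windir "$dir\WindowsPowerShell\v1.0\powershell.exe"
        if (Test-Path -LiteralPath $exePath) {
            $info = (Get-Item -LiteralPath $exePath).VersionInfo
            [pscustomobject]@{
                Source  = 'file'
                Path    = $exePath
                Version = '{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                               $info.FileBuildPart, $info.FilePrivatePart
            }
        }
    }
}

Get-PowerShellVersionSources | Format-Table -AutoSize
```

Run it from a 64-bit session: in a 32-bit process Windows redirects System32 to SysWOW64, so both file rows would describe the same binary.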
We would like to capture extra information on Audit and send it to Custom Field. For example, the version of PowerShell that is running on the host.
Is this a feature or do we need to change the source code to process the additional data from an audit file?