Application Use Logging

I created a task which runs in the background waiting for WhatsApp to run. If WhatsApp is opened, it creates a log file giving details about the user and version, and creates a registry entry that can be searched with an analysis. I have attempted to run this as a policy, so it will log each time WhatsApp is opened up, but it doesn’t seem to operate as I thought it should. The task goes to a “completed” state, and doesn’t re-run.

Below is the task. Is there a better way to do this that I’m overlooking? Could/Should this be done using PowerShell? I’m open to any and all suggestions!

Thanks!

//Waiting for WhatsApp to run
pause while {not exists running application whose (it as string as lowercase contains "whatsapp")}

if {exists file "__createfile"}
delete __createfile
endif

if {exists file "WhatsApp.txt"}
delete WhatsApp.txt
endif

//Setting the registry key to be True for WhatsApp
setting "BannedApps\WhatsApp"="1" on "{parameter "action issue date" of action}" for client

//Creating reg file to set the version and name within the registry.
Createfile until end-reg-edit-commands
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\Settings\Client\BannedApps\WhatsApp]

"DisplayVersion"="{version of running application whose (it as string as lowercase contains "whatsapp")}"
"DisplayName"="{name of running application whose (it as string as lowercase contains "whatsapp")}"
end-reg-edit-commands
move __createfile setup.reg
wait regedit /s setup.reg

//Checking for existing log file, if exists, copies current data and appends new data
//concatenation keeps the substitution singular once the log holds more than one line
if {exists file "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps\WhatsApp.txt"}
createfile until WhatsAppUpdate
{concatenation "%0d%0a" of lines of file "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps\WhatsApp.txt"}
–WhatsApp ran on {parameter "action issue date" of action} by {name of current user}. WhatsApp version is {version of running application whose (it as string as lowercase contains "whatsapp")}. The WhatsApp executable is located at "{location of running application whose (it as string as lowercase contains "whatsapp")}".
WhatsAppUpdate
copy __createfile WhatsApp.txt
delete "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps\WhatsApp.txt"
copy WhatsApp.txt "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps\WhatsApp.txt"
endif

//Checking for existing log file, if not, creating the log file
if {not exists file "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps\WhatsApp.txt"}
createfile until newfile
–WhatsApp ran on {parameter "action issue date" of action} by {name of current user}. WhatsApp version is {version of running application whose (it as string as lowercase contains "whatsapp")}. The WhatsApp executable is located at "{location of running application whose (it as string as lowercase contains "whatsapp")}".
newfile
copy __createfile WhatsApp.txt
if {not exists folder "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps"}
folder create "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps"
endif
copy WhatsApp.txt "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps\WhatsApp.txt"
endif

if {exists file "setup.reg"}
delete setup.reg
endif

pause while {exists running application whose (it as string as lowercase contains "whatsapp")}

So this action when executed will actually hog the entire BigFix system until it can run with the first line. That's not a good side effect and you should probably hit that with relevance rather than a pause statement in the action.

Ahhhhh, YES!! Very good suggestion. Thanks for the quick reply! I was wondering why that thing was chewing up ~50% of the CPU. This works and is definitely a lot easier on system resources, but I still cannot get the policy to start over once WhatsApp is opened/closed. It stays in a “Completed” state, instead of going back to “Not Relevant”. Here are the changes I’ve made:

Relevance within the task:

windows of operating system and exists running application whose (it as string as lowercase contains "whatsapp")

Action of the task:

if {exists file "__createfile"}
delete __createfile
endif
if {exists file "WhatsApp.txt"}
delete WhatsApp.txt
endif

//WhatsApp
if {exists running application whose (it as string as lowercase contains "whatsapp")}

//Setting the registry key to be True for WhatsApp
setting "BannedApps\WhatsApp"="1" on "{parameter "action issue date" of action}" for client

//Creating reg file to set the version and name within the registry.
Createfile until end-reg-edit-commands
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\Settings\Client\BannedApps\WhatsApp]

"DisplayVersion"="{version of running application whose (it as string as lowercase contains "whatsapp")}"
"DisplayName"="{name of running application whose (it as string as lowercase contains "whatsapp")}"
end-reg-edit-commands
move __createfile setup.reg
wait regedit /s setup.reg

//Checking for existing log file, if exists, copies current data and appends new data
//concatenation keeps the substitution singular once the log holds more than one line
if {exists file "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps\WhatsApp.txt"}
createfile until WhatsAppUpdate
{concatenation "%0d%0a" of lines of file "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps\WhatsApp.txt"}
–WhatsApp ran on {parameter "action issue date" of action} by {name of current user}. WhatsApp version is {version of running application whose (it as string as lowercase contains "whatsapp")}. The WhatsApp executable is located at "{location of running application whose (it as string as lowercase contains "whatsapp")}".
WhatsAppUpdate
copy __createfile WhatsApp.txt
delete "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps\WhatsApp.txt"
copy WhatsApp.txt "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps\WhatsApp.txt"
endif

//Checking for existing log file, if not, creating the log file
if {not exists file "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps\WhatsApp.txt"}
createfile until newfile
–WhatsApp ran on {parameter "action issue date" of action} by {name of current user}. WhatsApp version is {version of running application whose (it as string as lowercase contains "whatsapp")}. The WhatsApp executable is located at "{location of running application whose (it as string as lowercase contains "whatsapp")}".
newfile
copy __createfile WhatsApp.txt
if {not exists folder "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps"}
folder create "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps"
endif
copy WhatsApp.txt "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps\WhatsApp.txt"
endif

if {exists file "setup.reg"}
delete setup.reg
endif

endif

When you take the action you can specify it as a “policy” action, or basically to reapply any time it becomes relevant. It's more in the take action dialog where you would control that rather than in the action itself.
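
On the first post's question of whether PowerShell could do the logging: the sketch below is an added example, not code from any poster in this thread, and performs one check-and-log pass with the same log file, registry key and value names as the posted action. The timestamp format and the 'unknown' fallbacks are assumptions of the example.

```powershell
# Added example, not from the thread. Log folder and registry key mirror the
# posted action (default BigFix client install path assumed). Run elevated,
# as the BigFix client does (SYSTEM), so process owners can be read.
$logDir  = 'C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Custom\BannedApps'
$logFile = Join-Path $logDir 'WhatsApp.txt'
$regKey  = 'HKLM:\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\Settings\Client\BannedApps\WhatsApp'

# Same match as the relevance: process name contains "whatsapp", any case.
# Collapse helper processes that share one executable into a single entry.
$procs = @(Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -like '*whatsapp*' } |
    Sort-Object -Property ExecutablePath -Unique)
if ($procs.Count -eq 0) { return }

if (-not (Test-Path -LiteralPath $logDir)) {
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null
}
if (-not (Test-Path -LiteralPath $regKey)) {
    New-Item -Path $regKey -Force | Out-Null
}

foreach ($p in $procs) {
    # ExecutablePath is empty when the caller may not inspect the process.
    $path    = $p.ExecutablePath
    $version = 'unknown'
    if ($path -and (Test-Path -LiteralPath $path)) {
        $version = (Get-Item -LiteralPath $path).VersionInfo.ProductVersion
    }

    # GetOwner returns 0 on success; anything else means the owner is unreadable.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { 'unknown' }

    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $line  = "$stamp WhatsApp ran by $user. Version is $version. Executable is located at `"$path`"."

    # Add-Content appends in place, so the copy / delete / copy sequence is not needed.
    Add-Content -LiteralPath $logFile -Value $line -Encoding UTF8

    Set-ItemProperty -Path $regKey -Name 'DisplayVersion' -Value $version
    Set-ItemProperty -Path $regKey -Name 'DisplayName' -Value $p.Name
}
```

The script does not wait or loop, so something still has to trigger it each time the application is running, for example the task's relevance together with a policy action as described in the last reply.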