Combining information from the registry and WMI objects in a fixlet

(imported topic written by TyphonX)

Hello all,

I am attempting to inventory Storage Area Network attached disks on Windows hosts using BigFix relevance and am stuck. To correctly identify the disks and gather the information I am looking for, I need to pull information from the Win32_DiskDrive WMI object and from values in the registry. I am currently using the values I am pulling from the registry to filter my results but can’t seem to figure out how I can display the value of the key along with the values of the WMI property in the same fixlet. What I am aiming for is displaying the values of the Win32_DiskDrive WMI object (which I am currently able to do) along with the values of the “Identifier” key under “HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port x\SCSIbus x\SCSITargetID x\SCSILogicalUnit x” (which I am using to filter my results). Please excuse the format and output of the fixlet (I figure I’ll clean up the output once I get what I’m looking for).

Any input or advice would be greatly appreciated. Here is where I am at with my relevance:


select objects ("Caption, DeviceID, InterfaceType, Model, Name, SCSIPort, SCSIBus, SCSITargetID, SCSILogicalUnit, Size FROM Win32_DiskDrive") of wmi
whose
(exists values "Identifier" whose (it as string contains "OPENstorage" OR it as string contains "SYMMETRIX" OR it as string contains "DGC" OR it as string contains "HITACHI") of keys
  (
    (
      "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port " & following text of first "=" of (property "SCSIPort" of it as string)
      & "\Scsi Bus " & following text of first "=" of (property "SCSIbus" of it as string)
      & "\Target Id " & following text of first "=" of (property "SCSITargetID" of it as string)
      & "\Logical Unit Id " & following text of first "=" of (property "SCSILogicalUnit" of it as string)
    )
    of select objects ("Caption, DeviceID, InterfaceType, Model, Name, SCSIPort, SCSIBus, SCSITargetID, SCSILogicalUnit, Size FROM Win32_DiskDrive") of wmi as string
  )
  of registry
  whose
  (exists values "Driver" whose (it as string contains "ql2300") of keys
    (
      (
        "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port " & following text of first "=" of (property "SCSIPort" of it as string)
      ) of select objects ("SCSIPort FROM Win32_DiskDrive") of wmi as string
    )
    of registry
  )
)


Please excuse this post if there is a similar subject that has already been covered in the past.

(imported comment written by BenKus)

Hey TyphonX,

Oh wow… That is quite a problem… It is unclear to me if this is possible because of the number of iterations and comparisons that need to be done at each level. I will see if I can figure out a way to do it, but this might require you write a script to pull the values back and then write them somewhere that the BES Client can read.

Might there be another way to get this information?

Ben

(imported comment written by TyphonX)

Unfortunately, I haven’t been able to find any other area that contains the combination of information I need. I’m hoping to get the relevance to display both the “Identifier” registry key value and the properties of the Win32_DiskDrive WMI object under the same fixlet results. Let me remove some of the relevance that is peripheral for readability (the last part of the relevance just filtered out Windows hosts with an HBA):


select objects ("Caption, DeviceID, InterfaceType, Model, Name, SCSIPort, SCSIBus, SCSITargetID, SCSILogicalUnit, Size FROM Win32_DiskDrive") of wmi
whose
(exists values "Identifier" whose (it as string contains "OPENstorage" OR it as string contains "SYMMETRIX" OR it as string contains "DGC" OR it as string contains "HITACHI") of keys
  (
    (
      "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port " & following text of first "=" of (property "SCSIPort" of it as string)
      & "\Scsi Bus " & following text of first "=" of (property "SCSIbus" of it as string)
      & "\Target Id " & following text of first "=" of (property "SCSITargetID" of it as string)
      & "\Logical Unit Id " & following text of first "=" of (property "SCSILogicalUnit" of it as string)
    )
    of select objects ("SCSIPort, SCSIBus, SCSITargetID, SCSILogicalUnit FROM Win32_DiskDrive") of wmi as string
  )
  of registry


Thanks for the reply. Any help on this would be greatly appreciated!

(imported comment written by BenKus)

Hey TyphonX,

There are several issues that are causing you problems here… Probably the most important is what we call the “double it” problem, which is that you want to have more than one concept of “it” to refer to both the value in the registry and the wmi objects… but unfortunately, I can’t find a way to craft the relevance to get around this…

Perhaps the best way to approach this issue is to write a small script that you can run as a BES action and write the values to a registry key/file somewhere and then return the values in a property…

Ben

(imported comment written by BenKus)

Actually… I can’t let this one die… This may be the most difficult client relevance query on the forum… but I like a challenge and I think I may have an answer, but it is hard for me to test because my computer only has one drive… I will step through the logic and hopefully it works for you…

First, you need to list out the wmi values:

q: ((string value of property "Caption" of it, string value of property "DeviceID" of it, string value of property "InterfaceType" of it, string value of property "Model" of it, string value of property "Name" of it, string value of property "SCSIport" of it, string value of property "SCSIbus" of it, string value of property "SCSITargetId" of it, string value of property "SCSILogicalUnit" of it) of (select objects ("Caption, DeviceID, InterfaceType, Model, Name, SCSIPort, SCSIBus, SCSITargetID, SCSILogicalUnit, Size FROM Win32_DiskDrive") of wmi))
A: Hitachi HTS721080G9AT00, \\.\PHYSICALDRIVE0, IDE, Hitachi HTS721080G9AT00, \\.\PHYSICALDRIVE0, 0, 0, 0, 0

Then you need to get a list of all the “identifier” values in the registry that use the wmi values as input:

q: (values "Identifier" of key (("HKLM\HARDWARE\DEVICEMAP\Scsi\scsi port "& (item 0 of it) & "\Scsi Bus " & (item 1 of it) & "\Target Id " & item 2 of it & "\Logical Unit Id " & item 3 of it) of ((string value of property "SCSIport" of it, string value of property "SCSIbus" of it, string value of property "SCSITargetId" of it, string value of property "SCSILogicalUnit" of it) of (select objects ("SCSIPort, SCSIBus, SCSITargetID, SCSILogicalUnit, Size FROM Win32_DiskDrive") of wmi))) of registry as string as lowercase)
A: hitachi hts721080g9at00

Now we need to combine these together. How? With “tuples” (commas) that will do cross products:

((values "Identifier" of key (("HKLM\HARDWARE\DEVICEMAP\Scsi\scsi port "& (item 0 of it) & "\Scsi Bus " & (item 1 of it) & "\Target Id " & item 2 of it & "\Logical Unit Id " & item 3 of it) of ((string value of property "SCSIport" of it, string value of property "SCSIbus" of it, string value of property "SCSITargetId" of it, string value of property "SCSILogicalUnit" of it) of (select objects ("SCSIPort, SCSIBus, SCSITargetID, SCSILogicalUnit, Size FROM Win32_DiskDrive") of wmi))) of registry as string as lowercase), ((string value of property "Caption" of it, string value of property "DeviceID" of it, string value of property "InterfaceType" of it, string value of property "Model" of it, string value of property "Name" of it, string value of property "SCSIport" of it, string value of property "SCSIbus" of it, string value of property "SCSITargetId" of it, string value of property "SCSILogicalUnit" of it) of (select objects ("Caption, DeviceID, InterfaceType, Model, Name, SCSIPort, SCSIBus, SCSITargetID, SCSILogicalUnit, Size FROM Win32_DiskDrive") of wmi)))

This lists each of the “identifiers” with each of the wmi return values… Now we need to filter this list for the final relevance:

q: item 1 of it whose (item 0 of it contains "openstorage" OR item 0 of it contains "symmetrix" OR item 0 of it contains "dgc" OR item 0 of it contains "hitachi" AND item 0 of it = item 0 of item 1 of it as lowercase ) of ((values "Identifier" of key (("HKLM\HARDWARE\DEVICEMAP\Scsi\scsi port "& (item 0 of it) & "\Scsi Bus " & (item 1 of it) & "\Target Id " & item 2 of it & "\Logical Unit Id " & item 3 of it) of ((string value of property "SCSIport" of it, string value of property "SCSIbus" of it, string value of property "SCSITargetId" of it, string value of property "SCSILogicalUnit" of it) of (select objects ("SCSIPort, SCSIBus, SCSITargetID, SCSILogicalUnit, Size FROM Win32_DiskDrive") of wmi))) of registry as string as lowercase), ((string value of property "Caption" of it, string value of property "DeviceID" of it, string value of property "InterfaceType" of it, string value of property "Model" of it, string value of property "Name" of it, string value of property "SCSIport" of it, string value of property "SCSIbus" of it, string value of property "SCSITargetId" of it, string value of property "SCSILogicalUnit" of it) of (select objects ("Caption, DeviceID, InterfaceType, Model, Name, SCSIPort, SCSIBus, SCSITargetID, SCSILogicalUnit, Size FROM Win32_DiskDrive") of wmi)))
A: Hitachi HTS721080G9AT00, \\.\PHYSICALDRIVE0, IDE, Hitachi HTS721080G9AT00, \\.\PHYSICALDRIVE0, 0, 0, 0, 0

Pretty complicated, but it looks like it has a good chance of working… let me know…

Ben

(imported comment written by JasonO91)

Let me be the first to say… GREAT GOOGLY MOOGLY!

(imported comment written by SystemAdmin)

Ok, we’re really close here. I ran this with TyphonX and here’s what we’ve found. I had to change “values “Identifier” of key” to “keys” to make the plural work right. We’re getting the incorrect match in the final, but I think it’s possible, just not sure how.

Listed at the bottom is what we get back for one of our servers (from your 3rd step), but I’ve truncated the results and put the extra line breaks in to make it more legible.

The bad news is, item 0 of item 1 will never match item 0 itself for SAN-attached disks that we’re looking for. The good news is, it looks like it can be matched by position. It looks like we need the 1st result from WMI for the first Identifier, the second result from WMI for the 2nd Identifier, etc.

I’m not quite sure how to do this though, so we’re hoping you can figure this one out too. :slight_smile:

DELL   VSF, ( DELL   VSF, \\.\PHYSICALDRIVE0, IDE, DELL   VSF, \\.\PHYSICALDRIVE0, 0, 0, 0, 0 )
DELL   VSF, ( PowerDevice by PowerPath, \\.\PHYSICALDRIVE6, SCSI, PowerDevice by PowerPath, \\.\PHYSICALDRIVE6, 5, 0, 0, 4 )
DELL   VSF, ( PowerDevice by PowerPath, \\.\PHYSICALDRIVE4, SCSI, PowerDevice by PowerPath, \\.\PHYSICALDRIVE4, 5, 0, 0, 2 )
DELL   VSF, ( PERC  LD  0 PERCRAID SCSI Disk Device, \\.\PHYSICALDRIVE1, SCSI, PERC  LD  0 PERCRAID SCSI Disk Device, \\.\PHYSICALDRIVE1, 4, 3, 0, 0 )

DGC     RAID 5          0207, ( DELL   VSF, \\.\PHYSICALDRIVE0, IDE, DELL   VSF, \\.\PHYSICALDRIVE0, 0, 0, 0, 0 )
DGC     RAID 5          0207, ( PowerDevice by PowerPath, \\.\PHYSICALDRIVE6, SCSI, PowerDevice by PowerPath, \\.\PHYSICALDRIVE6, 5, 0, 0, 4 )
DGC     RAID 5          0207, ( PowerDevice by PowerPath, \\.\PHYSICALDRIVE4, SCSI, PowerDevice by PowerPath, \\.\PHYSICALDRIVE4, 5, 0, 0, 2 )
DGC     RAID 5          0207, ( PERC  LD  0 PERCRAID SCSI Disk Device, \\.\PHYSICALDRIVE1, SCSI, PERC  LD  0 PERCRAID SCSI Disk Device, \\.\PHYSICALDRIVE1, 4, 3, 0, 0 )

DGC     RAID 5          0207, ( DELL   VSF, \\.\PHYSICALDRIVE0, IDE, DELL   VSF, \\.\PHYSICALDRIVE0, 0, 0, 0, 0 )
DGC     RAID 5          0207, ( PowerDevice by PowerPath, \\.\PHYSICALDRIVE6, SCSI, PowerDevice by PowerPath, \\.\PHYSICALDRIVE6, 5, 0, 0, 4 )
DGC     RAID 5          0207, ( PowerDevice by PowerPath, \\.\PHYSICALDRIVE4, SCSI, PowerDevice by PowerPath, \\.\PHYSICALDRIVE4, 5, 0, 0, 2 )
DGC     RAID 5          0207, ( PERC  LD  0 PERCRAID SCSI Disk Device, \\.\PHYSICALDRIVE1, SCSI, PERC  LD  0 PERCRAID SCSI Disk Device, \\.\PHYSICALDRIVE1, 4, 3, 0, 0 )

PERC     LD  0 PERCRAID     , ( DELL   VSF, \\.\PHYSICALDRIVE0, IDE, DELL   VSF, \\.\PHYSICALDRIVE0, 0, 0, 0, 0 )
PERC     LD  0 PERCRAID     , ( PowerDevice by PowerPath, \\.\PHYSICALDRIVE6, SCSI, PowerDevice by PowerPath, \\.\PHYSICALDRIVE6, 5, 0, 0, 4 )
PERC     LD  0 PERCRAID     , ( PowerDevice by PowerPath, \\.\PHYSICALDRIVE4, SCSI, PowerDevice by PowerPath, \\.\PHYSICALDRIVE4, 5, 0, 0, 2 )
PERC     LD  0 PERCRAID     , ( PERC  LD  0 PERCRAID SCSI Disk Device, \\.\PHYSICALDRIVE1, SCSI, PERC  LD  0 PERCRAID SCSI Disk Device, \\.\PHYSICALDRIVE1, 4, 3, 0, 0 )

Evaluation time: 1003.778 ms
Evaluates to plural object of type ( string, ( string, string, string, string, string, string, string, string, string ) )

(imported comment written by BenKus)

Hi jnharry,

Unfortunately, you can’t rely on the ordering of results in relevance because the order isn’t guaranteed and therefore we don’t make operators to pull the first, second items from lists…

Is there any identification that we can use to tie the wmi query result to a specific registry key result?

Ben
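
The script approach suggested earlier in the thread, written in PowerShell as an added example (not code from any poster here): each Win32_DiskDrive row is joined to the "Identifier" value under its own SCSI address, so nothing depends on result order. It assumes, as the relevance above does, that the WMI SCSIPort, SCSIBus, SCSITargetId and SCSILogicalUnit values name the DEVICEMAP key; `$OutFile` and the CSV layout are hypothetical.

```powershell
# Added example (not from the thread): join each Win32_DiskDrive row to the
# "Identifier" value stored under its own SCSI address in DEVICEMAP.
$Vendors = 'OPENstorage', 'SYMMETRIX', 'DGC', 'HITACHI'         # substrings from the thread
$OutFile = Join-Path $env:ProgramData 'san_disk_inventory.csv'  # hypothetical output path

$rows = foreach ($disk in Get-CimInstance -ClassName Win32_DiskDrive) {
    # A disk with no SCSI address cannot be mapped to a DEVICEMAP key.
    if ($null -eq $disk.SCSIPort) { continue }

    $portKey = "HKLM:\HARDWARE\DEVICEMAP\Scsi\Scsi Port $($disk.SCSIPort)"
    $lunKey  = "$portKey\Scsi Bus $($disk.SCSIBus)" +
               "\Target Id $($disk.SCSITargetId)" +
               "\Logical Unit Id $($disk.SCSILogicalUnit)"

    # The key may be absent; treat that as "no identifier", not as an error.
    $lun = Get-ItemProperty -LiteralPath $lunKey -ErrorAction SilentlyContinue
    if (-not $lun -or -not $lun.Identifier) { continue }
    $identifier = [string]$lun.Identifier

    # Case-insensitive substring match against the SAN vendor strings.
    $isSan = $false
    foreach ($v in $Vendors) {
        if ($identifier.IndexOf($v, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $isSan = $true }
    }
    if (-not $isSan) { continue }

    # "Driver" lives on the port key (the thread filters on it for the HBA).
    $port = Get-ItemProperty -LiteralPath $portKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Identifier      = $identifier.Trim()
        Driver          = if ($port) { $port.Driver } else { $null }
        DeviceID        = $disk.DeviceID
        Model           = $disk.Model
        InterfaceType   = $disk.InterfaceType
        SCSIPort        = $disk.SCSIPort
        SCSIBus         = $disk.SCSIBus
        SCSITargetId    = $disk.SCSITargetId
        SCSILogicalUnit = $disk.SCSILogicalUnit
        Size            = $disk.Size
    }
}

# Always leave a file behind so a reader can tell "no SAN disks" from "never ran".
if ($rows) { $rows | Export-Csv -LiteralPath $OutFile -NoTypeInformation }
else       { Set-Content -LiteralPath $OutFile -Value '' }
```

The resulting file can then be returned in a property, as suggested in the thread.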