Date filtering of WMI results

ttheierl · April 1, 2016, 7:18pm

I have an analysis that is pulling installed Windows patches from WMI. I believe I used the sample relevance from here or bigfix.me. Anyway, this part is working fine:

((string value of property "InstalledOn" of it), (string value of property "HotFixID" of it), (string value of property "Description" of it)) of select objects "* from Win32_QuickFixEngineering" of WMI

It returns all installed Windows patches and hotfixes however, I cannot figure out how to filter this result for just the last years worth of data for an audit report.

Using the “InstalledOn” property in the debugger the ‘string value’ results show as “1/5/2016” format. If I change the query to “time value” it returns as universal time, “Tue, 05 Jan 2016 00:00:00 -0400”

I’m only filtering on the date so:

(“Tue, 05 Jan 2016 00:00:00 -0400” as universal time) >= (now - 8760*hour)
= True

AND

((time value of property "InstalledOn" of it) whose(it >= (now - 8760*hour)) of select objects "InstalledOn, HotFixID, Description from Win32_QuickFixEngineering" of WMI)

filters on the date correctly. But when I put it all together:

( ( (time value of property "InstalledOn" of it) whose(it >= (now - 8760*hour) ), string value of property "Description" of it, string value of property "HotFixID" of it ) of select objects "InstalledOn, HotFixID, Description from Win32_QuickFixEngineering" of WMI)

I get “Singular expression refers to nonexistent object.” All of the pieces work individually I just don’t see where the problem is.

Any guidance would be appreciated.

Thanks,
Ty

strawgate · April 1, 2016, 7:20pm

It looks like we got this question earlier today. Does this help?

strawgate · April 1, 2016, 7:21pm

Although it looks like your relevance uses a more compact date version – for what it’s worth your relevance does work for me:

Q: ( ( (time value of property "InstalledOn" of it) whose(it >= (now - 8760*hour) ), string value of property "Description" of it, string value of property "HotFixID" of it ) of select objects "InstalledOn, HotFixID, Description from Win32_QuickFixEngineering" of WMI)
A: ( Thu, 18 Feb 2016 00:00:00 -0500 ), Update, KB2693643
A: ( Thu, 17 Mar 2016 00:00:00 -0500 ), Update, KB3102495
A: ( Mon, 15 Feb 2016 00:00:00 -0500 ), Update, KB3106932
A: ( Fri, 18 Mar 2016 00:00:00 -0500 ), Update, KB3116097
A: ( Fri, 18 Mar 2016 00:00:00 -0500 ), Update, KB3118714
A: ( Fri, 18 Mar 2016 00:00:00 -0500 ), Update, KB3119598
A: ( Thu, 18 Feb 2016 00:00:00 -0500 ), Security Update, KB3135174
A: ( Thu, 10 Mar 2016 00:00:00 -0500 ), Security Update, KB3140745
A: ( Wed, 09 Mar 2016 00:00:00 -0500 ), Update, KB3141032
A: ( Sat, 12 Mar 2016 00:00:00 -0500 ), Security Update, KB3144756
T: 254.962 ms
I: plural ( time, string, string )

You may wish to introduce error handling to your relevance. Something like

Q: ( ( (time value of property "InstalledOn" of it) whose(it >= (now - 8760*hour) ), string value of property "Description" of it | "none", string value of property "HotFixID" of it | "None") of select objects "InstalledOn, HotFixID, Description from Win32_QuickFixEngineering" of WMI)

ttheierl · April 1, 2016, 7:45pm

Wow, thanks for the quick response…

I’ve been beating my head against a wall trying to get results . Something must be wrong with WMI or QnA on my test box then. I had some error handling written but I stripped it out while doing my debugging.

I tried it on another server and I did get results so I am not crazy.

Thank you, strawgate!

strawgate · April 1, 2016, 7:54pm

Something like this would be a good base:

(select objects "* from Win32_QuickFixEngineering" of WMI) whose (date (local time zone) of (time value of property "InstalledOn" of it) | january 1 of 1601 > january 1 of 2015)

And then you could do:

(time value of property "InstalledOn" of it, string value of property "Description" of it | "None" , string value of property "HotFixID" of it | "None"  ) of (select objects "* from Win32_QuickFixEngineering" of WMI) whose (date (local time zone) of (time value of property "InstalledOn" of it) | january 1 of 1601 > january 1 of 2015)

and you could replace january 1 of 2015 with:

date (local time zone) of now - 365*day

ttheierl · April 1, 2016, 8:00pm

That is perfect and so much simpler than how I was doing it.

Is there an easy was to convert the universal time to just the date in the output?

strawgate · April 1, 2016, 8:00pm

Probably just

date (local time zone) of (time value of property....