PST files & modified date

(imported topic written by BenUK77791)

Hi,

I am using the relevance below to retrieve file locations and size of .pst files. Is there a way to use the output/result, i.e. the path, to then report the modification date of the .pst? Or is there an additional HKEY_USERS key I can interrogate?

It’s a long shot!

if exists regapp "outlook.exe" then if version of regapp "outlook.exe" = "10" then (if (exists values whose (it as string contains ".pst") of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of keys "HKEY_USERS" of registry) then ((pathname of it & " - " & (size of it / (1024*1024)) as string & "Mb") of files ((values whose (it as string contains ".pst") of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of keys "HKEY_USERS" of registry) as string)) else ("No archive")) else if version of regapp "outlook.exe" >= "11" then (if (exists (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry as string)) then (((pathname of it & " - " & (size of it / (1024*1024)) as string & "MB") of files ((hexadecimal strings (concatenation of ((hexadecimal integer (last 2 of it & first 2 of it) as hexadecimal) as string) of firsts 4 of following texts of positions whose (it mod 4 = 0) of it)) of (preceding texts of lasts "0" of (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry as string)) as string))) else ("No Archive")) else "Outlook < XP installed" else "Outlook not installed"

Thanks,

Ben.

(imported comment written by NoahSalzman)

((pathname of it & " - " & (size of it / (1024*1024)) as string & "Mb")

becomes

((pathname of it & " - " & (size of it / (1024*1024)) as string & "Mb" & " - " & modification time of it)

(imported comment written by BenUK77791)

Thanks, but when I make the amendment I get the below in the Relevance debugger.

The expression could not be evaluated: class OperationNotDefined

(imported comment written by NoahSalzman)

I guess I should actually try it first next time. :)

Here is try #2:

q: if exists regapp "outlook.exe" then if version of regapp "outlook.exe" = "10" then (if (exists values whose (it as string contains ".pst") of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of keys "HKEY_USERS" of registry) then ((pathname of it & " - " & (size of it / (1024*1024)) as string & "Mb" & " - " & modification time of it as string) of files ((values whose (it as string contains ".pst") of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of keys "HKEY_USERS" of registry) as string)) else ("No archive")) else if version of regapp "outlook.exe" >= "11" then (if (exists (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry as string)) then (((pathname of it & " - " & (size of it / (1024*1024)) as string & "MB" & " - " & modification time of it as string) of files ((hexadecimal strings (concatenation of ((hexadecimal integer (last 2 of it & first 2 of it) as hexadecimal) as string) of firsts 4 of following texts of positions whose (it mod 4 = 0) of it)) of (preceding texts of lasts "0" of (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry as string)) as string))) else ("No Archive")) else "Outlook < XP installed" else "Outlook not installed"

A: C:\Users\Noah Salzman\AppData\Local\Microsoft\Outlook\archive.pst - 75MB - Mon, 14 Sep 2009 11:30:53 -0700

A: C:\Users\Noah Salzman\AppData\Local\Microsoft\Outlook\Outlook.pst - 0MB - Mon, 14 Sep 2009 11:30:53 -0700

(imported comment written by MBARTOSH)

Hi Noah,

Unfortunately, this code does not find all of the PST files that are configured in Outlook. I have a PST file that is located in “My Documents” (c:\users\mbartosh\My Documents), and your relevance is not finding it. Is there another registry value that contains other PST file locations other than “001f6700”? There must be.

(imported comment written by jgstew)

I think I’ve seen a way to do this with WMI.

My analysis is based upon the relevance in this post I believe:
http://bigfix.me/analysis/details/51

I was aware that it did not catch everything, but never got around to improving it.

(imported comment written by MBARTOSH)

I will try to use the following action script to write a file, and then parse the file with an analysis. My question now is how can I parse the output file to get the path and file size for each pst on a separate line?

runhidden {pathname of system folder}\cmd.exe /C del /Q "{pathname of parent folder of regapp "besclient.exe"}\searchresults_PST.txt"

if {name of operating system as lowercase = "win7" as lowercase}

runhidden {pathname of system folder}\cmd.exe /C dir /s "c:\users\*.PST" >>"{pathname of parent folder of regapp "besclient.exe"}\searchresults_PST.txt"

else

runhidden {pathname of system folder}\cmd.exe /C dir /s "c:\Documents and Settings\*.PST" >>"{pathname of parent folder of regapp "besclient.exe"}\searchresults_PST.txt"

endif

Output File (SearchResults_PST

Volume in drive C has no label.

Volume Serial Number is 5882-9F93

Directory of c:\users\mbartosh\AppData\Local\Microsoft\Outlook

04/14/2014 10:04 AM 2,638,324,736 archive.pst

04/14/2014 10:02 AM 271,360 outlookl.pst

           2 File(s)  2,638,596,096 bytes

Directory of c:\users\mbartosh\AppData\Local\PGP Corporation\PGP

08/22/2012 01:03 AM 271,360 ApriaProfile_U.pst

           1 File(s)        271,360 bytes

Directory of c:\users\mbartosh\Documents

02/07/2014 09:31 AM 271,360 outlookl.pst

           1 File(s)        271,360 bytes

Directory of c:\users\mbartosh\Documents\Outlook Files

04/14/2014 10:04 AM 827,139,072 Archive20131105.pst

           1 File(s)    827,139,072 bytes

 Total Files Listed:


           5 File(s)  3,466,277,888 bytes


           0 Dir(s)  327,982,833,664 bytes free
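
An added example, not part of the original thread: the `dir /s` listing above can be turned into one record per PST by remembering the current "Directory of" header and joining it to each file line. It is written in Python rather than relevance, reuses the listing from the post (abridged) as sample input, and assumes the US date format shown there; the function name is made up for illustration.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# `dir /s` output from the post above (blank lines dropped); assumes US date/time format.
SAMPLE = r"""Volume in drive C has no label.
Directory of c:\users\mbartosh\AppData\Local\Microsoft\Outlook
04/14/2014 10:04 AM 2,638,324,736 archive.pst
04/14/2014 10:02 AM 271,360 outlookl.pst
           2 File(s)  2,638,596,096 bytes
Directory of c:\users\mbartosh\AppData\Local\PGP Corporation\PGP
08/22/2012 01:03 AM 271,360 ApriaProfile_U.pst
           1 File(s)        271,360 bytes
Directory of c:\users\mbartosh\Documents
02/07/2014 09:31 AM 271,360 outlookl.pst
           1 File(s)        271,360 bytes
Directory of c:\users\mbartosh\Documents\Outlook Files
04/14/2014 10:04 AM 827,139,072 Archive20131105.pst
           1 File(s)    827,139,072 bytes
 Total Files Listed:
           5 File(s)  3,466,277,888 bytes
           0 Dir(s)  327,982,833,664 bytes free
"""

DIR_RE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
# date, time, AM/PM, size with thousands separators, then the name (may contain spaces)
FILE_RE = re.compile(r"^(?P<d>\d{2}/\d{2}/\d{4})\s+(?P<t>\d{2}:\d{2} [AP]M)\s+"
                     r"(?P<size>[\d,]+)\s+(?P<name>.+?)\s*$")
TOTAL_RE = re.compile(r"^\s*(?P<n>\d+) File\(s\)\s+(?P<bytes>[\d,]+) bytes")

def parse_dir_listing(text):
    """Return ([(path, size_bytes, modified)], (count, bytes)) from `dir /s` output."""
    rows, current, total = [], None, None
    for line in text.splitlines():
        if m := DIR_RE.match(line):
            current = PureWindowsPath(m["dir"])
        elif (m := FILE_RE.match(line)) and current is not None:
            when = datetime.strptime(f"{m['d']} {m['t']}", "%m/%d/%Y %I:%M %p")
            rows.append((str(current / m["name"]), int(m["size"].replace(",", "")), when))
        elif m := TOTAL_RE.match(line):
            # The last "N File(s)" line is the grand total; earlier ones are per-folder.
            total = (int(m["n"]), int(m["bytes"].replace(",", "")))
    return rows, total

if __name__ == "__main__":
    files, grand_total = parse_dir_listing(SAMPLE)
    for path, size, when in files:
        print(f"{path}\t{size}\t{when:%Y-%m-%d %H:%M}")
    print("matches dir summary:", (len(files), sum(f[1] for f in files)) == grand_total)
```

Comparing the parsed rows with the listing's own "Total Files Listed" line is a cheap way to notice file lines the pattern failed to match.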

(imported comment written by jgstew)

Try this:

if {version of operating system >= "6.0" /* WinVista or later */}

parameter "SearchFolder" = "C:\Users"

else

parameter "SearchFolder" = "C:\Documents and Settings"

endif

delete "{pathname of parent folder of client}\searchresults_PST.txt"

waithidden {pathname of system folder}\cmd.exe /C dir /s /b /o:N "{parameter "SearchFolder"}\*.pst" >> "{pathname of parent folder of client}\searchresults_PST.txt"

See this fixlet for a template of how to write the relevance for a task like this:
http://bigfix.me/fixlet/details/3721

Analysis Property:

(pathname of it, modification time of it as string, size of it as string) of files ((it as string) of lines of files "searchresults_PST.txt" of parent folder of client)

(imported comment written by MBARTOSH)

I am not getting any output from the analysis. I am running it in the fixlet debugger.

(imported comment written by jgstew)

Did you also run the actionscript through the fixlet debugger?

"pathname of parent folder of client" has a different meaning depending on the context of debugger vs client.

Also, I made some edits to the above post, so check that first.

(imported comment written by MBARTOSH)

I found the problem. I was looking at the wrong file. The file was written to the fixlet debugger folder.

In the end though, the analysis is expensive. It took 17 seconds to run on my machine, which is 100 times faster than some of our user machines.

It seems more expensive than this one liner.

(pathname of it, size of it) of descendants whose (name of it as lowercase contains ".pst") of folder "C:\Users"

(imported comment written by jgstew)

The expense of the analysis property was probably the sha1, which is added for no real reason. Remove that and it should be much faster. (I removed it above.) On my system it is 0.5 ms but with only 1 PST file.

The analysis property being expensive is not good, but not horrible as long as you reduce the report time to something reasonable, like once every 12 hours.

(imported comment written by MBARTOSH)

Thanks jgstew. That did it! It ran in 6.018 ms without the sha1. 41 ms on an old computer.

(imported comment written by MBARTOSH)

I wonder why the following code runs much faster than the parameterized code.

runhidden {pathname of system folder}\cmd.exe /C del /Q "{pathname of parent folder of regapp "besclient.exe"}\searchresults_PST.txt"

if {name of operating system as lowercase = "win7" as lowercase}

runhidden {pathname of system folder}\cmd.exe /C dir /s /b /o:N "c:\users\*.PST" >>"{pathname of parent folder of regapp "besclient.exe"}\searchresults_PST.txt"

else

runhidden {pathname of system folder}\cmd.exe /C dir /s /b /o:N "c:\Documents and Settings\*.PST" >>"{pathname of parent folder of regapp "besclient.exe"}\searchresults_PST.txt"

endif

Now, I am answering my own question. The difference is runhidden versus waithidden.

(imported comment written by jgstew)

That code does not run faster than the parameterized code. Your code is using “run” instead of “wait”. “run” will finish instantly even though the execution is still happening in the background. “wait” will wait until the execution is finished before continuing. There aren’t very many circumstances where you should use anything but waithidden.

I guess now I’m seeing that you already got that, but the explanation is still useful to others.

Run & RunHidden do the command detached in a separate thread and do not lock up client execution. This is normally a bad thing when you want to ensure that something has completed before checking relevance or having other actions run. This could be a good thing if you are scheduling a weekly virus scan and it is going to take a while and you don’t want any other actions to wait for the virus scan to finish.

(imported comment written by BenUK77791)

Great!, thanks a lot.

(imported comment written by thesurg3on91)

This was very, very helpful. Are you aware of a way for me to put multiple values from this analysis into multiple columns for easier exporting to Excel?

In the situation where there are more than 1 pst, they are just encapsulated in one line. I’d love to have multiple values go into multiple columns yet on the same line in the console. Any suggestions?

(imported comment written by BenKus)

Try the Excel Connector:

http://support.bigfix.com/labs/excelconnect.html

Ben