I have an analysis I did for listing printers and it works using the QnA tool on my desktop. When I create an analysis using it, my computer report comes back blank as if I had no printers installed. Only about 1/3 of our computers are reporting printers which isn’t good, but why mine isn’t working when I tested from my computer is confusing. Any ideas?
if (exists wmi) then (concatenation " , " of ((substrings after “=” of (property “Name” of it as string)) whose (it does not contain “OneNote” and it does not contain “Adobe” and it does not contain “Webex” and it does not contain “Microsoft” and it does not contain “Fax”) of select objects “* from win32_Printer” of wmi) as string) else “no_printers”
Can you post the results from your QnA tool? Are the computers that are reporting printers reporting the correct data, or is it malformed/weird in any way?
I don’t immediately have a theory about what’s going on, but I’d maybe start by trying a much simpler query and seeing if that turns up anything to go on:
selects "Name from win32_printer" of wmi
You could even just try to gather raw numbers:
number of selects "Name from win32_printer" of wmi
in an analysis it works, but omits the \\servername\printername lines and has only the printers I don’t want to see, like Adobe PDF! So the issue is only with the printers running from the print servers.
Network printers are mapped by users, not computers. So when the analysis runs, it should only return printers known to the LocalSystem account (under which the BESClient service runs).
To get per-user printers, you’d probably need to check the registry directly via something like values "something" of keys "something" of user keys of logged on users
…but understand the results can differ depending upon whether someone is logged-on when the analysis reports.
I wasn’t certain on that WMI point myself, but mapped printers are definitely a per-user thing. Same with mapped drives, which I think are also retrievable with WMI.
I suppose it could be up to the WMI provider to figure out who the caller is, and return data based on that context. No idea what it would do remotely…maybe depends on ImpersonationLevel.
Thanks Jason. I tested pulling printers from registry keys and it didn’t go well.
I am testing the override wait with runas=currentuser to get WMI output to a text file and it works. My analysis is now pointed at the text file and it is outputting correctly.
This seems like the analysis could change printers back and forth if different users on the same computer have different printers mapped, but pulling data from the most recently logged on user seems correct. If testing goes well later this week I can share what I have.
I think this should get you what you need from the registry:
keys of key "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers" of keys ("HKEY_LOCAL_MACHINE" ; user keys of logged on users as string) of registry
You could even modify it to tell which user had which printer mapped.
Aside that I bet @JasonWalker will appreciate – ever since Query Channel came to the Fixlet Debugger, I’ve loved that I can finally evaluate relevance that you can only evaluate as LOCAL SYSTEM (without using psexec to open Fixlet Debugger, anyway). Just log into Query, target my own computer from my own computer, and 8 seconds later, I have my answer…
For that kind of latency though I might just try evaluating in “local client evaluation mode” and have the BESClient do the work.
I am really loving the QNA channel, it’s super useful retrieving logs and debugging relevance from literally the other side of the world…I can usually get results in eight seconds from China.
