Retrieving account details (WMI)

(imported topic written by everestt23)

Hi All,

I have two requirements:

  1. to determine whether accounts named Administrator and Guest exist on a box

  2. to determine whether those accounts are disabled

I have a relevance which is successfully telling me that an administrator account exists on a box -

(string values of selects ("Name, SID From Win32_UserAccount Where LocalAccount = TRUE") of WMI) whose (first 8 of it = "S-1-5-21" and last 3 of it = "500")

I also have another confirming that it must have been renamed - if (exists (string values of selects ("Name From Win32_UserAccount") of WMI) whose (it = "Guest")) then ("NOT renamed") else ("Renamed")

Has anyone any clever ideas of how I can combine these both, because in order to determine whether the account exists I need to look for the start type (I think?) of the account with that SID, i.e. S-1-5-21 … -500 (for Administrator) or … -501 (for Guest)

Thanks.

Tim.

(imported comment written by everestt23)

Not been able to combine the two entities into a single property, but an easy workaround has been a separate check against the Guest account, without knowing its name, simply by adding to the WHERE clause:

(string values of selects ("Name, SID From Win32_UserAccount Where LocalAccount = TRUE and Disabled = TRUE") of WMI) whose (first 8 of it = "S-1-5-21" and last 3 of it = "501")

(imported comment written by brolly3391)

Hello Tim,

This is a fun one. To combine the items you can use select objects instead of selects. This keeps the return from WMI grouped into objects and then you can pull properties from those objects. Put these into your relevance debugger to see what I am talking about. The bolding indicates where I added something new from the last line.

q: select objects ("Name,SID, Disabled from Win32_UserAccount") of WMI

q: string values of properties "SID" of select objects ("Name,SID, Disabled from Win32_UserAccount") of WMI

q: select objects ("Name,SID, Disabled from Win32_UserAccount") whose (exists string value of property "SID" of it) of WMI

q: select objects ("Name,SID, Disabled from Win32_UserAccount") whose (exists string value whose (first 9 of it = "S-1-5-21-" and (last 4 of it = "-500" or last 4 of it = "-501")) of property "SID" of it) of WMI

So now we have the 2 objects that are administrator and guest. You wanted their names, if they are disabled and if they were renamed, so let's play with this.

q: (property "name" of it as string & " - " & property "SID" of it as string & " - " & property "disabled" of it as string) of (select objects ("Name,SID, Disabled from Win32_UserAccount") whose (exists string value whose (first 9 of it = "S-1-5-21-" and (last 4 of it = "-500" or last 4 of it = "-501")) of property "SID" of it) of WMI)

A: name=Administrator - sid=S-1-5-21-1292428093-113007714-839522115-500 - disabled=False

A: name=Guest - sid=S-1-5-21-1292428093-113007714-839522115-501 - disabled=False

and let's add in a nested if/then/else to check for the renames on each account in turn:

q: (property "name" of it as string & "; " & (if (string value of property "sid" of it ends with "-500" and string value of property "name" of it = "Administrator") then ("Renamed=False") else (if (string value of property "sid" of it ends with "-501" and string value of property "name" of it = "Guest") then ("Renamed=False") else ("Renamed=True"))) & "; " & property "SID" of it as string & "; " & property "disabled" of it as string) of (select objects ("Name,SID, Disabled from Win32_UserAccount") whose (exists string value whose (first 9 of it = "S-1-5-21-" and (last 4 of it = "-500" or last 4 of it = "-501")) of property "SID" of it) of WMI)

A: name=Administrator; Renamed=False; SID=S-1-5-21-1292428093-113007714-839522115-500; disabled=False

A: name=Guest; Renamed=False; SID=S-1-5-21-1292428093-113007714-839522115-501; disabled=False

Tweak it to match your display preferences and enjoy!

Cheers,

Brolly
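The same check Brolly's relevance performs (pick out the machine-local accounts whose SID ends in RID 500 or 501, then report whether each is disabled and whether it still carries its default name) as a PowerShell example added here; it is not code from the thread. The function name Get-BuiltinAccountStatus is my own, the sample records are constructed, and the live query against Win32_UserAccount is left commented out so the block runs offline.

```powershell
# Added example, not from the thread: classify local accounts by the RID at the
# end of their SID. Input objects are assumed to expose Name, SID and Disabled,
# which is what Win32_UserAccount returns.
function Get-BuiltinAccountStatus {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [object[]]$Account
    )
    begin {
        # Well-known relative identifiers of the built-in accounts.
        $expected = @{ '500' = 'Administrator'; '501' = 'Guest' }
    }
    process {
        foreach ($a in $Account) {
            # Only machine-local SIDs (S-1-5-21-<three sub-authorities>-<rid>) matter here;
            # the RID is the last component, so match on structure rather than on "last 3 of it".
            if ("$($a.SID)" -notmatch '^S-1-5-21-\d+-\d+-\d+-(\d+)$') { continue }
            $rid = $Matches[1]
            if (-not $expected.ContainsKey($rid)) { continue }
            [pscustomobject]@{
                Name     = $a.Name
                SID      = "$($a.SID)"
                RID      = [int]$rid
                Disabled = [bool]$a.Disabled
                Renamed  = ($a.Name -ne $expected[$rid])   # default name no longer in use
            }
        }
    }
}

# Constructed sample records standing in for a WMI result set (hypothetical values).
$sample = @(
    [pscustomobject]@{ Name = 'Administrator'; SID = 'S-1-5-21-1292428093-113007714-839522115-500';  Disabled = $false },
    [pscustomobject]@{ Name = 'Visitor';       SID = 'S-1-5-21-1292428093-113007714-839522115-501';  Disabled = $true  },
    [pscustomobject]@{ Name = 'tim';           SID = 'S-1-5-21-1292428093-113007714-839522115-1004'; Disabled = $false }
)
$sample | Get-BuiltinAccountStatus | Format-Table -AutoSize

# Live query. LocalAccount = TRUE keeps WMI from enumerating domain accounts on
# a domain member, which is what makes the unfiltered form expensive.
# Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE' |
#     Get-BuiltinAccountStatus
```

Two things worth noting when reading the output. An account that is absent from the result set produces no row at all, so "no row for RID 500" is the existence check the original question asked for, and a row whose Renamed column is True is the rename check. On Windows 10 and Server 2016 or later, Get-LocalUser returns Name, SID and Enabled without going through the WMI provider, so piping `Get-LocalUser | Select-Object Name, SID, @{n='Disabled';e={-not $_.Enabled}}` into the same function gives the same report without spinning up wmiprvse.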

(imported comment written by everestt23)

That’s great Brolly. I was trying to use select objects earlier myself, but couldn’t get the syntax right, so reverted to the selects, to give me my workaround. Thanks for your help, much appreciated.

(imported comment written by everestt23)

Ahh, actually discovered a significant issue on W2K3/XP boxes.

Both my workaround and Brolly’s code cause the wmiprvse network service to be invoked on the client and it then maxes out the CPU. This doesn’t occur on W2K and before, as the wmi service was run in-process from the WinMgmt.exe. Anyone got any bright ideas?

(imported comment written by brolly3391)

Hello Tim,

On my Windows XP and 2003 boxes the wmiprvse process does become active; however, it does not max out my processor. Is this on a single test box or several?

Do you see this undesirable effect when running the relevance using QNA or Relevance Debugger, or is it when you insert your relevance into an analysis or retrieved property that you see this effect?

Any WMI call you ask the BigFix client to make relies on the health and speed of WMI on the target box.

Cheers,

Brolly

(imported comment written by Aram_Eblighatian)

Tim,

Based on your initial requirements, you may be able to get the information you are looking for using the native BigFix inspectors rather than the WMI to help improve general efficiency, and also to avoid the WMI issues you seem to be having. For instance, the following bit of relevance will return all the local user names, along with information as to whether or not they are enabled, and whether or not they have admin privileges:

(name of it & (if (account disabled flag of it = TRUE) then " - Disabled" else " - Enabled") & (if (admin privilege of it = TRUE) then " - Admin" else "")) of local users

You can also query local groups for users, etc. If this is of interest, check the Windows Inspector Guide (http://www.bigfix.com/support/enterprise/documents/WinInspectors-2006-08-10.pdf) for more details, and let us know if we can be of further help!

(imported comment written by everestt23)

Hi Brolly,

The boxes I was running the WMI query against were single CPU P4 2.4GHz w/ 2Gb RAM. Not the fastest thing in the world, but equally, unlikely to be put under too much strain. Even though the evaluation period was 30 days, the process once invoked would take all available CPU and not return it.

Hi Aram,

Thanks for your advice, I will give it a try and let you know how I get on.

Thanks,

Tim.

(imported comment written by jeko1791)

Old thread, I know, but here's what I found regarding the issue you were having, everstt.

wmiprvse.exe pegging CPU is a bug in WMI. Microsoft has a patch for it. It's not published in the Patches for Windows site, but the relevance is not too difficult to build into your own Fixlet. See MS KB933593.

Maybe Bigfix Support will publish it?

Here’s what we use to find systems needing this patch:

((name of it = "Win2003" AND (csd version of it = "Service Pack 1" OR csd version of it = "Service Pack 2")) of operating system) AND (product type of operating system = nt domain controller product type) AND (not exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB933593" of registry) AND ((csd version of operating system = "Service Pack 1" AND ((exists file "Cimwin32.dll" whose (version of it < ") of it) of system folder)) OR (csd version of operating system = "Service Pack 2" AND ((exists file "Cimwin32.dll" whose (version of it < "5.2.3790.4032") of it) of system folder)) OR (csd version of operating system = "Service Pack 1" AND ((exists file "Cimwin32.dll" whose (version of it < "5.2.3790.2891") of it) of folder "wbem" of system folder)) OR (csd version of operating system = "Service Pack 2" AND ((exists file "Cimwin32.dll" whose (version of it < "5.2.3790.4032") of it) of folder "wbem" of system folder)))