Another solution I'm just thinking about is to leverage the
registry property provider to expose the registry hive containing the list of
Add/Remove Programs in WMI.
#pragma namespace("\\\\.\\ROOT\\CIMV2")

[dynamic: ToInstance, provider("RegProv"),
 ClassContext("local|HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall")]
class Win32Reg_InstalledPrograms
{
    [key] string ProdID;
    [PropertyContext("DisplayName")] string DisplayName;
    [PropertyContext("InstallDate")] string InstallDate;
    [PropertyContext("Publisher")] string Publisher;
    [PropertyContext("DisplayVersion")] string Version;
};
Another solution is to monitor that registry key with the event
registry provider.
See http://www.lissware.net , Sample 6.17 -
GenericEventAsyncConsumer.wsf and use a WQL query like:
To detect any change made on that key value, the following WQL
event query can be used (to watch the Schema Update Allowed of the NTDS
parameters for instance ... as we have another thread related to schema
changes)
Select * FROM RegistryValueChangeEvent
Where Hive='HKEY_LOCAL_MACHINE'
AND KeyPath='SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters'
AND ValueName='Schema Update Allowed'
Now, if you want to detect all changes made to any key values
below the same registry key hive, the following WQL Event query must be
used:
Select * FROM RegistryKeyChangeEvent
Where Hive='HKEY_LOCAL_MACHINE'
AND KeyPath='SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters'
If you want to detect all changes made to any key values under the
following registry key hive and all child registry entries, use the
following:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS
The following WQL event query must be used:
Select * FROM RegistryTreeChangeEvent
Where Hive='HKEY_LOCAL_MACHINE'
AND RootPath='SYSTEM\\CurrentControlSet\\Services\\NTDS'
Just use the registry hive for the Add/Remove Programs instead!
:)
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall
More details in the books ;)
/Alain
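The RegistryTreeChangeEvent approach from the message above, pointed at the Add/Remove Programs key, as an added example that is not part of the original thread. It goes one step further than the query alone by diffing the Uninstall subkeys before and after each event, since the event itself does not say what changed; Get-UninstallSnapshot, Compare-UninstallSnapshot and the UninstallWatch identifier are hypothetical names.

```powershell
# Constructed example: watch the Add/Remove Programs (Uninstall) key and report changes.
$UninstallKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
$SourceId     = 'UninstallWatch'   # hypothetical subscription name

function Get-UninstallSnapshot {
    # Map each Uninstall subkey name (the ProdID) to its display properties.
    $snap = @{}
    foreach ($k in Get-ChildItem -Path $UninstallKey -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
        $snap[$k.PSChildName] = [pscustomobject]@{
            ProdID      = $k.PSChildName
            DisplayName = $p.DisplayName
            Version     = $p.DisplayVersion
            Publisher   = $p.Publisher
        }
    }
    return $snap
}

function Compare-UninstallSnapshot($Before, $After) {
    # Emit one record per subkey that appeared or disappeared between snapshots.
    foreach ($id in $After.Keys) {
        if (-not $Before.ContainsKey($id)) {
            $After[$id] | Select-Object @{n='Change';e={'Added'}}, *
        }
    }
    foreach ($id in $Before.Keys) {
        if (-not $After.ContainsKey($id)) {
            $Before[$id] | Select-Object @{n='Change';e={'Removed'}}, *
        }
    }
}

# WQL needs the doubled backslashes; the registry event classes live in root\default.
$query = "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
         "AND RootPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall'"
Register-CimIndicationEvent -Namespace 'root/default' -Query $query -SourceIdentifier $SourceId

$before = Get-UninstallSnapshot
try {
    while ($true) {
        Wait-Event -SourceIdentifier $SourceId | Out-Null
        Start-Sleep -Seconds 5                      # installers write many values in a burst
        Remove-Event -SourceIdentifier $SourceId    # drop the queued burst
        $after = Get-UninstallSnapshot
        Compare-UninstallSnapshot $before $after | Format-List
        $before = $after
    }
} finally {
    Unregister-Event -SourceIdentifier $SourceId
}
```

On 64-bit Windows, 32-bit installers register under Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, which this query does not cover.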
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, October 07, 2005 7:35 AM
To: [email protected]
Subject: RE: [ActiveDir] Monitor software installation using WMI
If the application is installed as an MSI package, you can track
it. If not, WMI will not help, as WMI only surfaces MSI-installed
applications.
Leverage the Win32_Product WMI class in a WQL query such
as:
Select * From __InstanceCreationEvent Within 10 Where
TargetInstance ISA 'Win32_Product'
You can use Sample 6.17 - GenericEventAsyncConsumer.wsf from
volume 1 at http://www.lissware.net
The Sample 3.15 to 3.17 - WMIMSI (JScript).wsf, volume 2 at http://www.lissware.net shows how to use that
class as well.
HTH.
/Alain
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pavan Hotha
Sent: Friday, October 07, 2005 7:09 AM
To: [email protected]
Subject: [ActiveDir] Monitor software installation using WMI
Hi,
I am trying to write a script to monitor new
software installation on a Windows XP Prof system. The objective is to
receive an email notification from the system once new software is installed on
the system. Is it possible to do this?
Pavan Hotha
