Another possibility, if you are not comfortable with plugin writing, is to use the Nessus WMI auditing functionality available to Professional Feed and Security Center users. WMI stores the last boot time under root/CIMV2 => LastBootUpTime in the following format:

    20090203100617.341500-300

It wouldn't be terribly difficult to whip up an audit to check for users who haven't rebooted since a particular date:

<check_type:"Windows" version:"2">
<group_policy: "Last boot audit">
<custom_item>
  type          : WMI_POLICY
  description   : "Check last boot time of remote device"
  value_type    : POLICY_TEXT
  # Will fail for users who have not rebooted since Jan 1, 2009
  value_data    : "200902.*" || "200901.*"
  wmi_namespace : "root/CIMV2"
  wmi_request   : "select LastBootUpTime from CIM_OperatingSystem"
  wmi_attribute : "LastBootUpTime"
  wmi_key       : "LastBootUpTime"
  check_type    : CHECK_REGEX
</custom_item>
</group_policy>
</check_type>

This regex is oversimplified and could be modified to meet your criteria. You'll have a challenge with relative dates though.

Paul

andrew.co...@bt.com wrote:
> Could you not just write a plugin that issues the following command:
>
> Net statistics Server/Workstation <-- choose whichever is relevant
>
> The second line is "Statistics since MM/DD/YYYY M:S", where it shows the
> last time and date the machine booted. Based on what time and date the
> patch was pushed out, you should be able to tell whether the machine has
> rebooted since the patch install.
>
> Andrew Court
>
> IT Security Specialist | CEH | BT Retail - Ireland |
> E:andrew.co...@bt.com |Mobile: +353 86 1720 692 | Fax: +353 1 432 5899|
> www.btireland.com
>
>
> -----Original Message-----
> From: nessus-boun...@list.nessus.org
> [mailto:nessus-boun...@list.nessus.org] On Behalf Of Bazy
> Sent: 09 January 2009 12:10
> To: nessus@list.nessus.org
> Subject: Checking if Windows was restarted after update
>
> Hello!
>
> We use WSUS in our company for updates, but not everyone restarts his
> workstation for days. So in some cases the computer is still vulnerable
> if not restarted. What would be the best practice to check this? I've been
> using Nessus for about 3 months, read the book but have little
> experience.
>
> Thank you!
>

--
Best Regards,
Paul Davis
Tenable Network Security Inc
Phone: 410.872.0555 x245
www.tenablesecurity.com
Is your network TENABLE?
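
Added example, not part of the original message and not Tenable code: one way around the relative-date limit of a fixed regex is to collect the raw LastBootUpTime values and compare them against the patch time outside the audit. The host names, the patch time and all sample values except the timestamp quoted in the message are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# CIM_DATETIME: yyyymmddHHMMSS.mmmmmm followed by a signed UTC offset in minutes.
_CIM_RE = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")


def parse_cim_datetime(value):
    """Convert a WMI LastBootUpTime string to a timezone-aware datetime."""
    m = _CIM_RE.match(value.strip())
    if m is None:
        # Covers truncated values and the '*' wildcards CIM allows in unset fields.
        raise ValueError(f"not a fully specified CIM datetime: {value!r}")
    stamp, micros, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes))
    if sign == "-":
        offset = -offset
    local = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(microsecond=int(micros))
    return local.replace(tzinfo=timezone(offset))


def needs_reboot(last_boot, patch_installed_utc):
    """True when the host last booted before the patch was installed."""
    return parse_cim_datetime(last_boot) < patch_installed_utc


def pending_hosts(boot_times, patch_installed_utc):
    """Return (hosts booted before the patch, hosts with unparsable values), both sorted."""
    pending, unknown = [], []
    for host, raw in boot_times.items():
        try:
            if needs_reboot(raw, patch_installed_utc):
                pending.append(host)
        except ValueError:
            unknown.append(host)
    return sorted(pending), sorted(unknown)


# Constructed sample data; only the ws-01 value is the timestamp from the message.
SAMPLE_BOOT_TIMES = {
    "ws-01": "20090203100617.341500-300",  # 15:06:17 UTC
    "ws-02": "20081219083000.000000+060",
    "ws-03": "20090203",                   # truncated value
    "ws-04": "20090203180000.000000+120",  # 16:00:00 UTC
}
SAMPLE_PATCH_TIME = datetime(2009, 2, 3, 15, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(pending_hosts(SAMPLE_BOOT_TIMES, SAMPLE_PATCH_TIME))
```

The trailing `-300` is an offset in minutes from UTC, so hosts in different time zones have to be normalised before comparison; a prefix match on the local date alone cannot tell whether a same-day boot happened before or after the patch.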