Another possibility, if you are not comfortable with plugin writing, is to use 
the Nessus WMI auditing functionality available to Professional 
Feed and Security Center users. WMI stores the last boot time under root/CIMV2 
=> LastBootUpTime in the following format:

20090203100617.341500-300

It wouldn't be terribly difficult to whip up an audit to check for users who 
haven't rebooted since a particular date:

<check_type:"Windows" version:"2">
<group_policy: "Last boot audit">

<custom_item>
        type            : WMI_POLICY
        description     : "Check last boot time of remote device"
        value_type      : POLICY_TEXT
        # Will fail for users who have not rebooted since Jan 1, 2009
        value_data      : "200902.*" || "200901.*"
        wmi_namespace   : "root/CIMV2"
        wmi_request     : "select LastBootUpTime from CIM_OperatingSystem"
        wmi_attribute   : "LastBootUpTime"
        wmi_key         : "LastBootUpTime"
        check_type      : CHECK_REGEX
</custom_item>

</group_policy>

</check_type>

This regex is oversimplified and could be modified to meet your criteria. 
You'll have a challenge with relative dates though.

Paul

andrew.co...@bt.com wrote:
> Could you not just write a plugin that issues the following command:
> 
> Net statistics Server/Workstation <-- choose whichever is relevant
> 
> The second line is "Statistics since MM/DD/YYYY M:S", where it shows the
> last time and date the machine booted. Based on what time and date the
> patch was pushed out, you should be able to tell whether the machine has
> rebooted since the patch install. 
> 
> Andrew Court 
> 
> IT Security Specialist | CEH | BT Retail - Ireland |
> E:andrew.co...@bt.com |Mobile: +353 86 1720 692 | Fax: +353 1 432 5899|
> www.btireland.com 
> 
> 
> -----Original Message-----
> From: nessus-boun...@list.nessus.org
> [mailto:nessus-boun...@list.nessus.org] On Behalf Of Bazy
> Sent: 09 January 2009 12:10
> To: nessus@list.nessus.org
> Subject: Checking if Windows was restarted after update
> 
> Hello!
> 
> We use WSUS in our company for updates, but not everyone restarts his
> workstation for days. So in some cases the computer is still vulnerable
> if not restarted. How would be the best practice to check this? I'm
> using Nessus for about 3 months, read the book but have little
> experience.
> 
> Thank you!
> 
> 

-- 
Best Regards,

Paul Davis
Tenable Network Security Inc
Phone: 410.872.0555 x245
www.tenablesecurity.com

Is your network TENABLE?
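
Added example, not part of the original thread and not Tenable code: Python that parses the LastBootUpTime value quoted above (UTC offset in minutes included), compares it with a patch push time, and regenerates the value_data month patterns for a given cutoff so the audit's dates do not have to be edited by hand. The function names and the patch push time are assumptions made for illustration.

```python
import re
from datetime import date, datetime, timedelta, timezone

# CIM/DMTF datetime: yyyymmddHHMMSS.mmmmmm(+|-)UUU, UUU = UTC offset in minutes
_DMTF = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")

def parse_dmtf(value):
    """Convert a WMI LastBootUpTime string to a timezone-aware datetime."""
    m = _DMTF.match(value.strip())
    if not m:
        raise ValueError("not a DMTF datetime: %r" % value)
    stamp, micro, sign, offset = m.groups()
    minutes = int(offset) if sign == "+" else -int(offset)
    local = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(microsecond=int(micro))
    return local.replace(tzinfo=timezone(timedelta(minutes=minutes)))

def needs_reboot(last_boot, patch_pushed):
    """True when the host last booted before the patch was pushed.

    patch_pushed must be timezone-aware so the comparison is done on UTC instants.
    """
    return parse_dmtf(last_boot) < patch_pushed

def audit_value_data(cutoff, today):
    """Build the value_data alternation of "YYYYMM.*" patterns, cutoff month through today's month."""
    year, month, patterns = cutoff.year, cutoff.month, []
    while (year, month) <= (today.year, today.month):
        patterns.append('"%04d%02d.*"' % (year, month))
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return " || ".join(patterns)

if __name__ == "__main__":
    # Constructed sample: the patch push time is an assumption;
    # the boot value is the one quoted in the thread.
    pushed = datetime(2009, 2, 3, 12, 0, tzinfo=timezone.utc)
    boot = "20090203100617.341500-300"
    print(parse_dmtf(boot).astimezone(timezone.utc), needs_reboot(boot, pushed))
    print(audit_value_data(date(2009, 1, 1), date(2009, 2, 15)))
```

The generated patterns only distinguish whole months, so a cutoff in the middle of a month still passes hosts that booted earlier in that month; needs_reboot() gives the exact comparison when the raw value is available.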