There is also a Nessus plugin (35453) which checks for this: http://nessus.org/plugins/index.php?view=single&id=35453

- Mehul

> -----Original Message-----
> From: nessus-boun...@list.nessus.org
> [mailto:nessus-boun...@list.nessus.org] On Behalf Of Paul Davis
> Sent: Sunday, February 08, 2009 2:44 PM
> To: nessus@list.nessus.org
> Subject: Re: Checking if Windows was restarted after update
>
> Another possibility, if you are not comfortable with plugin
> writing, is to use the Nessus WMI auditing functionality
> available to Professional Feed and Security Center users. WMI
> stores the last boot time under root/CIMV2 => LastBootUpTime
> in the following format:
>
> 20090203100617.341500-300
>
> It wouldn't be terribly difficult to whip up an audit to
> check for users who haven't rebooted since a particular date:
>
> <check_type:"Windows" version:"2">
> <group_policy: "Last boot audit">
>
> <custom_item>
>  type          : WMI_POLICY
>  description   : "Check last boot time of remote device"
>  value_type    : POLICY_TEXT
>  # Will fail for users who have not rebooted since Jan 1, 2009
>  value_data    : "200902.*" || "200901.*"
>  wmi_namespace : "root/CIMV2"
>  wmi_request   : "select LastBootUpTime from CIM_OperatingSystem"
>  wmi_attribute : "LastBootUpTime"
>  wmi_key       : "LastBootUpTime"
>  check_type    : CHECK_REGEX
> </item>
>
> </group_policy>
>
> </check_type>
>
> This regex is oversimplified and could be modified to meet
> your criteria. You'll have a challenge with relative dates though.
>
> Paul
>
> andrew.co...@bt.com wrote:
> > Could you not just write a plugin that issues the following command:
> >
> > Net statistics Server/Workstation <-- choose whichever is relevant
> >
> > The second line is "Statistics since MM/DD/YYYY M:S", where it shows
> > the last time and date the machine booted. Based on what time and date
> > the patch was pushed out, you should be able to tell whether the
> > machine has rebooted since the patch install.
> >
> > Andrew Court
> >
> > IT Security Specialist | CEH | BT Retail - Ireland |
> > E:andrew.co...@bt.com |Mobile: +353 86 1720 692 | Fax: +353 1 432
> > 5899| www.btireland.com
> >
> >
> > -----Original Message-----
> > From: nessus-boun...@list.nessus.org
> > [mailto:nessus-boun...@list.nessus.org] On Behalf Of Bazy
> > Sent: 09 January 2009 12:10
> > To: nessus@list.nessus.org
> > Subject: Checking if Windows was restarted after update
> >
> > Hello!
> >
> > We use WSUS in our company for updates, but not everyone restarts his
> > workstation for days. So in some cases the computer is still
> > vulnerable if not restarted. What would be the best practice to check
> > this? I've been using Nessus for about 3 months, read the book but have
> > little experience.
> >
> > Thank you!
> >
>
> --
> Best Regards,
>
> Paul Davis
> Tenable Network Security Inc
> Phone: 410.872.0555 x245
> www.tenablesecurity.com
>
> Is your network TENABLE?
> _______________________________________________
> Nessus mailing list
> Nessus@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus
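
The relative-date comparison that a fixed regex on LastBootUpTime cannot express, as an added example that is not part of the original thread: it parses the WMI timestamp format quoted above (the last four characters are a signed UTC offset in minutes) and compares it with the time a patch was pushed. The host names, the patch time and the function names are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# CIM/DMTF datetime: yyyymmddHHMMSS.mmmmmm followed by a signed UTC offset in minutes
_DMTF = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")

def parse_dmtf(value):
    """Convert a WMI LastBootUpTime string to a timezone-aware datetime."""
    m = _DMTF.match(value.strip())
    if not m:
        raise ValueError(f"not a DMTF datetime: {value!r}")
    stamp, micros, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes))
    if sign == "-":
        offset = -offset
    # strptime raises ValueError for impossible dates such as month 13
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(
        microsecond=int(micros), tzinfo=timezone(offset))

def needs_reboot(last_boot, patch_time):
    """True when the host last booted before the patch was pushed."""
    return parse_dmtf(last_boot) < patch_time

def stale_hosts(boot_times, patch_time):
    """Return (hosts booted before the patch, hosts with unparseable values)."""
    stale, errors = [], []
    for host, value in sorted(boot_times.items()):
        try:
            if needs_reboot(value, patch_time):
                stale.append(host)
        except ValueError:
            errors.append(host)
    return stale, errors

# Constructed sample data: host names and the patch time are hypothetical.
SAMPLE = {
    "ws-01": "20090203100617.341500-300",  # value format quoted in the thread
    "ws-02": "20090211083000.000000+060",
    "ws-03": "20090210235900.000000-300",  # local date is Feb 10, UTC is Feb 11
    "ws-04": "unknown",
}
PATCH_PUSHED = datetime(2009, 2, 11, 2, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    stale, errors = stale_hosts(SAMPLE, PATCH_PUSHED)
    print("reboot pending:", stale)
    print("could not parse:", errors)
```

ws-03 shows why the offset has to be applied: its local date is before the patch date, but in UTC it booted after the patch was pushed.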