Running WinAudit Remotely

Jun 11, 2015 at 2:55 PM
How could I run WinAudit on a remote machine located on my network?
Jun 15, 2015 at 9:03 AM
Hey,

Firstly you need to BUILD YOUR COMMAND WITH SWITCHES

In the documentation [https://winaudit.codeplex.com/documentation] find command line switches; and ensure you know which attributes you want to log. You probably won't care about everything.. and having everything takes longer and fills the database disks up quickly... so be careful. Turn on ONLY what metrics you need.

Here is my command:
\\servername\sharename\WinAudit\WinAudit.exe /r=gosG /f=DRIVER=SQL Server;SERVER=SQLSRV.DOMAIN.LOCAL;UID=LOCALSQLUSER;PWD=PASSWORDGOESHERE;DATABASE=WinAudit; /l=%userprofile%\winaudit_log.txt
NOTE I'm using local SQL authentication as Domain-Integrated Auth was not permitted on my SQL server.



Next up... building a TARGET AUDIENCE of clients:
Which machines do you want to deploy to? I made application security groups in AD, and added the clients into it; [APP_WINAUDIT] was my AD security group. But this could just as easily have been [Domain Computers].


Finally you need a METHOD OF DEPLOYMENT
If you can manage the machine remotely (domain-joined machines on a VPN for example) then you can use the in-built management interface called WMI (Windows management interface). This will allow you to communicate with the host - I'm ignoring firewall complexities, or even L2TP type VPNs.. it's gonna add a lot of pain if you get lost on this track.

Here are the suggested methods:
  1. Group Policy for Machine Startup or User logon
    Create a Group Policy, apply it to the OU you want, ensure the filtering is for the correct Target Audience. Finally edit the policy.. and put the command in either Computer Startup or User Logon. I chose logon...
    User Configuration > Policies > Windows Settings > Scripts > Logon
    Name = \\servername\sharename\WinAudit\WinAudit.exe
    Parameters = /r=gosG /f=DRIVER=SQL Server;SERVER=SQLSRV.DOMAIN.LOCAL;UID=LOCALSQLUSER;PWD=PASSWORDGOESHERE;DATABASE=WinAudit; /l=%userprofile%\winaudit_log.txt
  2. VBScript - ask each computer to run it now..
    Email me for this file if you want it [admin at jacksonfamily dot me] - I spent weeks developing a script to do this.. and it worked perfectly.
  3. PowerShell
    I've not used this method yet - but I guess it's well documented online if you hunt for 'executing a program remotely using powershell'.
Good luck.

Simon


You can use various programming languages to interact with WMI. PowerShell seems to be the way to go these days, but some of the legacy methods (such as VBScript) explain it in more detail.


Simon
Coordinator
Jun 16, 2015 at 8:15 AM
Hi Jastronomy,

Excellent post. I noticed you said Domain-Integrated Auth was not permitted. Is there a reason for that? It's really handy not to have to put the password in the connection string for scripts etc.

Note, after connection, the db returns the connection completion string. WinAudit strips out the password in the event the string gets logged.

Steven
Feb 25, 2016 at 7:54 PM
Sorry for the late reply - only 9mths away :)

The company I was working for would not accept domain-integrated auth for the infrastructure database server - each service had to have specific credentials. I disagreed - but I had little persuasion over the DB guys.
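
Added example, not part of the thread and not WinAudit code: a logon script configured through Group Policy (method 1 above) is stored in the policy's User\Scripts\scripts.ini as numbered CmdLine/Parameters pairs, so a connection string with PWD= sits there in clear text for anyone who can read the policy. The sketch below parses that layout, flags entries with an embedded password, and redacts the value before it is reported. The sample text is constructed from the thread's placeholder values, and the second entry using Trusted_Connection is a hypothetical variant for comparison.

```python
import re

# Constructed sample of a GPO User\Scripts\scripts.ini, built from the
# placeholder values in the thread (not a real policy file). Entry 1 is a
# hypothetical variant using the ODBC keyword Trusted_Connection instead.
SAMPLE_SCRIPTS_INI = r"""
[Logon]
0CmdLine=\\servername\sharename\WinAudit\WinAudit.exe
0Parameters=/r=gosG /f=DRIVER=SQL Server;SERVER=SQLSRV.DOMAIN.LOCAL;UID=LOCALSQLUSER;PWD=PASSWORDGOESHERE;DATABASE=WinAudit; /l=%userprofile%\winaudit_log.txt
1CmdLine=\\servername\sharename\WinAudit\WinAudit.exe
1Parameters=/r=gosG /f=DRIVER=SQL Server;SERVER=SQLSRV.DOMAIN.LOCAL;Trusted_Connection=Yes;DATABASE=WinAudit; /l=%userprofile%\winaudit_log.txt
"""

ENTRY = re.compile(r"^(\d+)(CmdLine|Parameters)=(.*)$")
# PWD=value or PASSWORD=value; the value may be brace-quoted as ODBC allows.
SECRET = re.compile(r"\b(PWD|PASSWORD)\s*=\s*(\{[^}]*\}|[^;]*)", re.IGNORECASE)


def parse_scripts_ini(text):
    """Map (section, index) to {'CmdLine': ..., 'Parameters': ...}."""
    entries, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and (m := ENTRY.match(line)):
            entries.setdefault((section, int(m[1])), {})[m[2]] = m[3]
    return entries


def redact(value):
    """Replace every password value so the finding itself is safe to log."""
    return SECRET.sub(lambda m: f"{m[1]}=<redacted>", value)


def find_embedded_credentials(text):
    """Return one finding per script entry whose parameters carry a password."""
    findings = []
    for (section, index), entry in sorted(parse_scripts_ini(text).items()):
        params = entry.get("Parameters", "")
        keys = [m[1].upper() for m in SECRET.finditer(params) if m[2].strip()]
        if keys:
            findings.append({"section": section, "index": index,
                             "cmd": entry.get("CmdLine", ""), "keys": keys,
                             "redacted": redact(params)})
    return findings
```

On disk, Group Policy typically saves scripts.ini as UTF-16, so decode the file before passing its text to find_embedded_credentials.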