8.7.3 Improved Software Inventory Scan

Article ID: 393058

Products

IT Management Suite Inventory Solution

Issue/Introduction

You want to capture what software is installed "by user" (software applications that are installed by any user who has logged in to the computer) when you are running a "Software Inventory" scan.

Environment

ITMS 8.7.3

Resolution

With our ITMS 8.7.3 Release (see Release Notes), enhancements have been made to the Software Inventory scan process to improve reporting accuracy.

In 8.7.3 and later, we can scan the Windows registry hives of all users who have logged in to a given PC, rather than reviewing the Add/Remove Programs for the system as a whole.
This ensures that the inventory scan and detection process now reports on the software installed per user, regardless of which user hive is loaded at the time the scan is performed. With this, administrators are kept aware of any vulnerabilities that may exist on devices.

What was done:

  1. At the start of the ARP scan, we load ALL the existing ntuser.dat files into the registry.
    The set of existing ntuser.dat files is resolved by parsing

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>

    Each valid user profile is loaded under HKU\altiris_swscan_<SID>

    At the end of the ARP scan we UNLOAD all the loaded profiles. Since the ARP scan typically lasts only a couple of seconds, you will probably NOT find anything loaded in the registry.

    However, you will see logs like:

    "Priority","Date","Description","Source","Process","PID","TID"
    "Trace","4/10/2024 4:11:15 AM","Adding scan entry: HKU\altiris_swscan_S-1-12-1-3218416874-1200888406-2521980826-1766838755\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall  user: EXAMPLEDOMAIN\USERNAME ","ARPScanner::Scan","AeXNSAgent.exe","4792","6864"
    "Verbose","4/10/2024 4:11:15 AM","Loaded user registry profile for user S-1-12-1-3218416874-1200888406-2521980826-1766838755","ARPScanner::Scan","AeXNSAgent.exe","4792","6864"


  2. The format of the software cache.xml was extended slightly.

    For troubleshooting purposes, components that have ARP entries now get a "RegPath" attribute, like:

            <AddRemoveInfo DisplayName="Google Chrome" Hidden="false" EstimatedSize="0" UninstallPath=""C:\Users\USERNAME\AppData\Local\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --uninstall --channel=stable --verbose-logging" RegPath="HKU\altiris_swscan_S-1-5-21-4154237863-1103826488-4085783004-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome"/>



  3. This feature is configurable.
    To maintain the previous behavior, create a DWORD registry value named ArpScanLoadUserHives under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\SMFAgent\Inventory\ and set it to 0. By default the registry value does not exist and is treated as 1 (ON).
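
When troubleshooting, the log lines from item 1 and the RegPath attribute from item 2 can be tied together to see which account a per-user ARP entry belongs to. The following Python sketch is an added example, not Broadcom code: the function names and the sample log (constructed, with made-up SIDs and accounts) are assumptions, and only the message shapes quoted above are relied on.

```python
import csv
import io
import re

SID = r"(S-\d+(?:-\d+)+)"
# Message shapes taken from the two agent log lines quoted in item 1.
ENTRY_RE = re.compile(r"Adding scan entry: HKU\\altiris_swscan_" + SID + r"\\.*user:\s*(.*\S)")
LOADED_RE = re.compile(r"Loaded user registry profile for user " + SID)
REGPATH_RE = re.compile(r"^HKU\\altiris_swscan_" + SID + r"\\")

# Constructed sample in the CSV layout shown above; SIDs and account names are made up.
SAMPLE_LOG = r'''"Priority","Date","Description","Source","Process","PID","TID"
"Trace","4/10/2024 4:11:15 AM","Adding scan entry: HKU\altiris_swscan_S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall  user: EXAMPLEDOMAIN\ALICE ","ARPScanner::Scan","AeXNSAgent.exe","4792","6864"
"Verbose","4/10/2024 4:11:15 AM","Loaded user registry profile for user S-1-5-21-1111111111-2222222222-3333333333-1001","ARPScanner::Scan","AeXNSAgent.exe","4792","6864"
"Trace","4/10/2024 4:11:15 AM","Adding scan entry: HKU\altiris_swscan_S-1-5-21-1111111111-2222222222-3333333333-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall  user: EXAMPLEDOMAIN\BOB ","ARPScanner::Scan","AeXNSAgent.exe","4792","6864"
"Verbose","4/10/2024 4:11:15 AM","Loaded user registry profile for user S-1-5-21-1111111111-2222222222-3333333333-1002","ARPScanner::Scan","AeXNSAgent.exe","4792","6864"
'''


def parse_scan_log(text):
    """Return {sid: {"user": name or None, "loaded": bool}} from ARPScanner::Scan rows."""
    profiles = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("Source") != "ARPScanner::Scan":
            continue
        desc = row.get("Description") or ""
        if (m := ENTRY_RE.search(desc)):
            profiles.setdefault(m.group(1), {"user": None, "loaded": False})["user"] = m.group(2)
        elif (m := LOADED_RE.search(desc)):
            profiles.setdefault(m.group(1), {"user": None, "loaded": False})["loaded"] = True
    return profiles


def owner_of(reg_path, profiles):
    """Map a cache.xml RegPath to an account name.

    Returns None when the path is not under HKU\\altiris_swscan_<SID>
    (assumed here to mean the entry did not come from a per-user hive).
    """
    m = REGPATH_RE.match(reg_path)
    if not m:
        return None
    sid = m.group(1)
    # Fall back to the raw SID when the log has no account name for it.
    return profiles.get(sid, {}).get("user") or sid


if __name__ == "__main__":
    for sid, info in parse_scan_log(SAMPLE_LOG).items():
        print(sid, info["user"], "loaded" if info["loaded"] else "not loaded")
```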


Additional Information

You can review more on this topic under Methods for Gathering Software Inventory