Hey, Scripting Guy! Quick-Hits Friday: The Scripting Guys Respond to a Bunch of Questions (1/1/10)



How Can I Get Users' SIDs?

Hey, Scripting Guy! Question

Hey, Scripting Guy! First, I wanted to say that I really love the site and find it useful all the time. Maybe you can help me. After reading the How Can I Determine the SID for a User Account? Hey, Scripting Guy! blog post, I am trying to map a user account to its SID. All is well and good when I run the script against my local machine, but when I do the same against another remote machine in the same domain, the SELECT * FROM Win32_UserAccount only returns users locally defined on that machine. I am guessing this is some permissions issue, but because the user that is executing the remote calls is a domain administrator, I am dubious. What am I missing? Also, is there potentially another way I can map a known user name to their SID?

-- AM

 

Hey, Scripting Guy! Answer

Hello AM,

There are many ways of getting SIDs for users. And there are actually different ways that SIDs are expressed, which is a bummer.

However, if I understand you correctly, there is no real reason to run the script against a remote machine to look up a domain user: both computers are joined to the same domain, so they see the same set of domain users. The case where the remote connection matters is when you are interested in the local users on that computer.

As long as you are a member of the Local Administrators group on the remote computer, you have the WMI permissions needed to execute a remote query. The GetUserSid.vbs script below shows how I return a user's SID using WMI. Note that for efficiency you must specify both the domain name and the user name in the query, so that WMI binds to a single Win32_UserAccount instance instead of enumerating every account.

GetUserSid.vbs

' GetUserSid.vbs: look up one account's SID through WMI.
' Keep running after a failed GetObject so the error can be reported below.
On Error Resume Next
strComputer = "."   ' "." is the local machine; use a host name for a remote one

' Bind directly to a single Win32_UserAccount instance by its key
' properties (Domain and Name) instead of enumerating every account.
Set objUserAccount = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & _
    "\root\cimv2:Win32_UserAccount." _
    & "Domain='MyDomainName',Name='MyUserName'")

If Err.Number = 0 Then
    WScript.Echo objUserAccount.SID
Else
    WScript.Echo "No object found: " & Err.Number
End If
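AM also asked for another way to map a known user name to a SID. The following PowerShell function is an added example (not part of the original post) that resolves the same account two ways, through the Win32_UserAccount query GetUserSid.vbs uses and through an LSA name lookup via .NET, and reports whether they agree; 'MyDomainName' and 'MyUserName' are placeholders.

```powershell
# Added example, not part of the original post. Resolves DOMAIN\user to its
# SID two ways and cross-checks them. 'MyDomainName'/'MyUserName' are placeholders.
function Get-UserSid {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [Parameter(Mandatory=$true)][string]$User,
        [string]$ComputerName = '.'
    )
    # WQL string literals use backslash escapes, so neutralise single quotes
    # before the names are spliced into the filter text.
    $d = $Domain.Replace("'", "\'")
    $u = $User.Replace("'", "\'")

    # Way 1: the WMI class the post uses, filtered on both key properties so the
    # provider binds one instance instead of enumerating every account.
    $wmi = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
        -Filter "Domain='$d' AND Name='$u'"
    $wmiSid = $null
    if ($wmi) { $wmiSid = $wmi.SID }

    # Way 2: an LSA name lookup through .NET; needs no WMI and resolves domain
    # accounts from any domain-joined machine. Unknown names throw, so catch.
    $lsaSid = $null
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Domain, $User)
        $lsaSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $lsaSid = $null
    }

    New-Object PSObject -Property @{
        Account = "$Domain\$User"
        WmiSid  = $wmiSid
        LsaSid  = $lsaSid
        Agree   = [bool]($wmiSid -and $lsaSid -and ($wmiSid -eq $lsaSid))
    }
}

# Usage with placeholder names:
Get-UserSid -Domain 'MyDomainName' -User 'MyUserName' | Format-List
```

If WmiSid comes back empty while LsaSid is populated, the account resolves but the WMI provider on the target did not return it, which separates a lookup problem from a WMI permission or scope problem.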

How Can I Get Information About Protected Processes Running on a Local Computer? 

Hey, Scripting Guy! Question

Hey, Scripting Guy! I am using the WMI Win32_Process class to get information about all processes running on a local system (Windows Vista). However, this class is not able to pull information about protected processes such as smss.exe and audiodg.exe. I tried by enabling all privileges and cloaking the proxy. This did not fix the problem. Do you know how I can pull this information using WMI?

-- DA

 

Hey, Scripting Guy! Answer

Hello DA,

I am going to guess that you actually ran the script as an administrator. Is that right? By default you cannot right-click a VBScript script and click Run as administrator. Instead, open a cmd prompt with Run as administrator (right-click while holding SHIFT), and then launch the script from within that cmd prompt. See if this helps.

DA Again: Hey, Scripting Guy! I am definitely running as an administrator. I can retrieve information for some processes, while others fail. For example, ExecutablePath returns nothing for the following processes:

Smss.exe
Audiodg.exe

How Can I Retrieve InstallDate for Devices?

Hey, Scripting Guy! Question

I had one more question and would appreciate if you can shed some light on it. I am also not able to retrieve InstallDate for devices. I tried with Win32_PnPEntity and Win32_PnPSignedDriver, but both are returning empty values.

-DA

 

Hey, Scripting Guy! Answer

Hello DA,

Thanks for writing back. If you are definitely running Windows PowerShell as an administrator, and some processes still do not expose the commandline property, it might be because the particular process is part of a larger service or driver. Consider the following results from my Windows 7 computer. The first output is run without administrator rights:

PS C:\> gwmi win32_process | ft name, commandline -AutoSize

name                           commandline
----                           -----------
System Idle Process
System
smss.exe
csrss.exe
wininit.exe
csrss.exe
services.exe
lsass.exe
lsm.exe
winlogon.exe
svchost.exe
svchost.exe
MsMpEng.exe
atiesrxx.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
spoolsv.exe
svchost.exe
svchost.exe
Iap.exe
inetinfo.exe
LMS.exe
mdm.exe
svchost.exe
UNS.exe
WLIDSVC.EXE
DCPSysMgrSvc.exe
IAANTmon.exe
SearchIndexer.exe
svchost.exe
atieclxx.exe
WLIDSVCM.EXE
dwm.exe                        "C:\Windows\system32\Dwm.exe"
explorer.exe                   C:\Windows\Explorer.EXE
taskhost.exe                   "taskhost.exe"
ipoint.exe                     "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
IAAnotif.exe                   "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe"
Dell.ControlPoint.exe          "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
msseces.exe                    "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
DCPSysMgr.exe                  "C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe"
dpupdchk.exe                   "C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe"
smax4pnp.exe                   "C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe"
apdproxy.exe                   "C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\apdproxy.exe"
MOM.exe                        "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM"
WmiPrvSE.exe
CCC.exe                        "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe" 0
mmc.exe
unsecapp.exe
splwow64.exe                   C:\Windows\splwow64.exe 1
TweetDeck.exe                  "c:\program files (x86)\TweetDeck\TweetDeck.exe"
PresentationFontCache.exe
Snagit32.exe                   "C:\Program Files (x86)\TechSmith\SnagIt 9\Snagit32.exe"
TscHelp.exe                    "C:\Program Files (x86)\TechSmith\SnagIt 9\TSCHelp.exe"
SnagPriv.exe
SnagitEditor.exe               "C:\Program Files (x86)\TechSmith\SnagIt 9\snagiteditor.exe" /X
ielowutil.exe                  "C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding
powershell_ise.exe             "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe"
conhost.exe                    \??\C:\Windows\system32\conhost.exe
iexplore.exe                   "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
audiodg.exe
FlashUtil10c.exe               C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe -Embedding
iexplore.exe                   "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:5144
iexplore.exe                   "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:5144
WINWORD.EXE                    "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
OfficeLiveSignIn.exe           "C:\Program Files (x86)\Microsoft\Office Live\OfficeLiveSignIn.exe"
powershell.exe                 "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
conhost.exe                    \??\C:\Windows\system32\conhost.exe
WmiPrvSE.exe
powershell.exe
conhost.exe


PS C:\>

You will notice that many of the processes do not display the commandline property value. Now, I will run the same command in a Windows PowerShell console that I launched as administrator. You will see that most (but not all) processes display a commandline property value. Interestingly enough, on my machine smss.exe displays a commandline property value, but audiodg.exe is one of the few that still does not return any information.

PS C:\> gwmi win32_process | ft name, commandline -AutoSize

name                           commandline
----                           -----------
System Idle Process
System
smss.exe                       \SystemRoot\System32\smss.exe
csrss.exe                      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,
wininit.exe                    wininit.exe
csrss.exe                      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,
services.exe                   C:\Windows\system32\services.exe
lsass.exe                      C:\Windows\system32\lsass.exe
lsm.exe                        C:\Windows\system32\lsm.exe
winlogon.exe                   winlogon.exe
svchost.exe                    C:\Windows\system32\svchost.exe -k DcomLaunch
svchost.exe                    C:\Windows\system32\svchost.exe -k RPCSS
MsMpEng.exe                    "c:\Program Files\Microsoft Security Essentials\MsMpEng.exe"
atiesrxx.exe                   C:\Windows\system32\atiesrxx.exe
svchost.exe                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
svchost.exe                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
svchost.exe                    C:\Windows\system32\svchost.exe -k netsvcs
svchost.exe                    C:\Windows\system32\svchost.exe -k LocalService
svchost.exe                    C:\Windows\system32\svchost.exe -k NetworkService
spoolsv.exe                    C:\Windows\System32\spoolsv.exe
svchost.exe                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
svchost.exe                    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Iap.exe                        "C:\Program Files\Dell\OpenManage\Client\Iap.exe"
inetinfo.exe                   C:\Windows\system32\inetsrv\inetinfo.exe
LMS.exe                        "C:\Program Files (x86)\Intel\AMT\LMS.exe"
mdm.exe                        "C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe"
svchost.exe                    C:\Windows\System32\svchost.exe -k HPZ12
UNS.exe                        "C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe"
WLIDSVC.EXE                    "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE"
DCPSysMgrSvc.exe               "C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe"
IAANTmon.exe                   "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe"
SearchIndexer.exe              C:\Windows\system32\SearchIndexer.exe /Embedding
svchost.exe                    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
atieclxx.exe                   atieclxx
WLIDSVCM.EXE                   WLIDSvcM.exe 1252
dwm.exe                        "C:\Windows\system32\Dwm.exe"
explorer.exe                   C:\Windows\Explorer.EXE
taskhost
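The two listings above show that what Win32_Process reveals depends on the token of the session running the query, and that a few processes (audiodg.exe here) stay opaque even when elevated. The following PowerShell function is an added example (not part of the original post) that checks whether the current session is elevated and lists the processes for which the provider returns neither CommandLine nor ExecutablePath, which is the check to run before trusting WMI as a process-inventory source.

```powershell
# Added example, not part of the original post. Reports whether this session is
# elevated and which processes expose neither CommandLine nor ExecutablePath.
function Get-ProcessVisibilityReport {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    $elevated  = $principal.IsInRole($adminRole)

    $procs  = @(Get-WmiObject -Class Win32_Process)
    $hidden = @($procs | Where-Object { -not $_.CommandLine -and -not $_.ExecutablePath })

    # For each opaque process, record what the provider still returns: the
    # owner (via the GetOwner method) is often readable when the image path is not.
    $details = foreach ($p in ($hidden | Sort-Object Name)) {
        $owner = $p.GetOwner()
        $who = '(not available)'
        if ($owner.ReturnValue -eq 0) { $who = "$($owner.Domain)\$($owner.User)" }
        New-Object PSObject -Property @{
            Name      = $p.Name
            ProcessId = $p.ProcessId
            SessionId = $p.SessionId
            Owner     = $who
        }
    }

    New-Object PSObject -Property @{
        Elevated       = $elevated
        TotalProcesses = $procs.Count
        NoCommandLine  = @($procs | Where-Object { -not $_.CommandLine }).Count
        Opaque         = $details
    }
}

$report = Get-ProcessVisibilityReport
"Elevated: {0}  processes: {1}  without CommandLine: {2}" -f `
    $report.Elevated, $report.TotalProcesses, $report.NoCommandLine
$report.Opaque | Format-Table Name, ProcessId, SessionId, Owner -AutoSize
```

Run it once from a normal console and once from an elevated one: the NoCommandLine count should drop sharply, and whatever remains in Opaque is the set your WMI-based collector will never describe from user mode.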
