PC Auditing - Deploying machine auditing agents

In order to audit computers using EntAudit.exe we have to be able to run this on the actual PC that we want to audit – which means we have to get EntAudit.exe to that machine somehow.

This generally means either sending it via email or copying it to a disk that can be made accessible to the PC that we want to audit. You could, for example, copy it to a floppy disk, USB storage device or CD and wander over to the physical machine that you want to audit. For one or two machines that you don't need to audit regularly, this might be acceptable. Most likely you'll want to implement something a little more sophisticated than this however.

Another way, if you wanted to audit PCs that were not always connected to the network (like notebooks, for example), would be to copy EntAudit.exe to a shared location somewhere on your network file system.

Whether you email, physically carry or simply place EntAudit.exe on a shared drive that is available to the machines that you want to audit is probably not critical. Any of these methods (some more than others) would require a certain amount of initial effort, but nothing compared to the amount of effort required to physically walk around to each of these machines every time that you want to audit them. As such, the main thing that you will want to focus on is how to configure EntAudit.exe to run automatically, on a fairly regular basis.

Now, given that EntAudit.exe is a command line program, there are a couple of different ways you could do this:
 
1. You could configure EntAudit.exe to be run as part of a startup script each time the user logs on to the network.
2. You could configure EntAudit.exe to be run as a scheduled task in the control panel of Windows.

If you are operating a Windows domain then you can configure startup scripts using the group policy editor. Startup scripts run as part of the boot process, before the user logs in. The advantage of this is that they will be run under the security context of the system administrator, so EntAudit.exe should have all of the permissions that it needs to access the WMI service on the machine if you run it from a startup script (rather than a logon script, which will run in the context of the user logging on).

The other possibility is to run EntAudit.exe as a Scheduled Task in the Windows scheduler. You can, of course, configure scheduled tasks to run as whomever you like. In the case of EntAudit.exe you'd probably provide the same credentials for the scheduled task that you use to audit the rest of your network (or the username of an administrator on the local machine if the machine is not part of a domain).

Unlike startup scripts, you can't schedule tasks on remote computers using the group policy editor. You can use GPO (group policy objects) to ensure that the scheduling service is enabled and running on all of the computers in a domain – which is a good start. To actually schedule the tasks on remote computers running Windows XP, you could run schtasks from the command line (or in a startup script for that matter). You could use something like Soon (a free tool from the Windows resource kit) to schedule EntAudit.exe to run as a task on remote Windows 2000 workstations.
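
The remote scheduling step described above, written out as an added example (not code from the product or its vendor): a PowerShell loop that calls schtasks against a list of machines and records which ones were scheduled. The computer names, share path, task name, run-as account and start time are assumed placeholders, and EntAudit.exe is started without arguments because this page does not list any.

```powershell
# Added example, not vendor code. Every value in this block is a placeholder.
$Computers = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02')        # constructed names
$AuditExe  = '\\fileserver.example\audit$\EntAudit.exe' # hypothetical share; keep it
                                                        # read-only for non-admins, since
                                                        # the task runs with admin rights
$TaskName  = 'EntAudit'                                 # hypothetical task name
$RunAs     = 'EXAMPLE\svc-audit'                        # hypothetical audit account
$StartTime = '12:30'   # HH:mm; the schtasks shipped with Windows XP expects HH:MM:SS

$results = @()
foreach ($pc in $Computers) {
    # Skip machines that are off the network (notebooks, powered-off PCs).
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        $results += [pscustomobject]@{ Computer = $pc; Status = 'unreachable' }
        continue
    }

    # '/RP *' makes schtasks prompt for the run-as password, so it never appears
    # in this script, in shell history or in process command lines.
    & schtasks.exe /Create /S $pc /RU $RunAs /RP '*' `
        /SC DAILY /ST $StartTime /TN $TaskName /TR $AuditExe

    $status = if ($LASTEXITCODE -eq 0) { 'scheduled' } else { "failed (exit $LASTEXITCODE)" }
    $results += [pscustomobject]@{ Computer = $pc; Status = $status }
}

# Summary of which machines still need attention.
$results | Format-Table -AutoSize
```

Machines reported as unreachable can be picked up by re-running the loop later; schtasks prompts for the password once per machine.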