Category: SMS 2003

Controlling Software Inventory (skpswi.dat)

Sometimes you want to exclude certain folders or drives from being scanned to keep the inventory clean. For example, you may not want to scan a server with large volumes of data such as home directories or the IT department's install library. Scanning them puts load on the server or client that hosts the drive, and the results end up in the database, where you then have to handle them in your reports.

Do the following:

  • Create a file named skpswi.dat
  • Add the attribute hidden
  • Put it in the folder/drive you would like to exclude from Software Inventory

More information can be found here: http://technet.microsoft.com/en-us/library/cc180976.aspx

NO_SMS_ON_DRIVE.sms

How do I prevent Config Mgr from putting files on certain drives? By default Config Mgr chooses the NTFS drive that has the most available space, and in many cases you don't want this behaviour. To keep some kind of hygiene on your server, you can place a file with a specific name on the drive, just as the blog title says: NO_SMS_ON_DRIVE.sms. It's an old trick from back in the days; you can read more about it in this KB article: http://support.microsoft.com/kb/871234

SQL Report on all BackupExec agents with version

SELECT SYS.Netbios_Name0, SF.FileName, SF.FileDescription, SF.FileVersion, SF.FileSize, SF.FileModifiedDate, SF.FilePath
FROM v_GS_SoftwareFile SF
JOIN v_R_System SYS ON SYS.ResourceID = SF.ResourceID
WHERE SF.FileName LIKE 'beremote.exe'
ORDER BY SYS.Netbios_Name0

Find computers without a certain file with a subselect query.

In this case I want to find all systems that don't have the vpc32.exe file, to identify computers that don't have Symantec Antivirus installed. The following is a subselect query. You can easily replace the "exe" file name with the one you need.

select distinct SMS_R_System.Name, SMS_R_System.ADSiteName, SMS_R_System.IPAddresses
from SMS_R_System
where SMS_R_System.Name not in
  (select distinct SMS_R_System.Name
   from SMS_R_System
   inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId
   where SMS_G_System_SoftwareFile.FileName = "vpc32.exe")
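An added example, not from the original post: the SQL-view counterpart of the WQL subselect above, for use in a report. It assumes the v_GS_LastSoftwareScan view and the AD_Site_Name0 column of v_R_System, neither of which appears on this page, and uses NOT EXISTS so that machines that have never returned a software inventory are labelled separately instead of being counted as missing the file.

```sql
-- Added example (not the author's query): report of systems with no
-- inventory record for vpc32.exe, using the SQL views instead of WQL.
-- Assumed objects: v_GS_LastSoftwareScan (ResourceID, LastScanDate)
-- and v_R_System.AD_Site_Name0.
SELECT
    SYS.Netbios_Name0  AS 'Computer',
    SYS.AD_Site_Name0  AS 'AD Site',
    LSS.LastScanDate   AS 'Last Software Scan',
    CASE
        -- No scan row at all: the file's absence proves nothing yet.
        WHEN LSS.ResourceID IS NULL THEN 'No software inventory yet'
        ELSE 'vpc32.exe not found'
    END                AS 'Status'
FROM v_R_System SYS
LEFT JOIN v_GS_LastSoftwareScan LSS
       ON LSS.ResourceID = SYS.ResourceID
-- NOT EXISTS correlates on ResourceID, so duplicate or NULL computer
-- names cannot hide a machine the way a name-based NOT IN can.
WHERE NOT EXISTS (
    SELECT 1
    FROM v_GS_SoftwareFile SF
    WHERE SF.ResourceID = SYS.ResourceID
      AND SF.FileName = 'vpc32.exe'
)
ORDER BY 'Status', SYS.Netbios_Name0
```

A folder excluded with skpswi.dat is never scanned, so a file that lives only there will also show up as "not found".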

v_HS vs v_GS

What are v_HS and v_GS when looking in the SMS/Configuration Manager database?

First of all, both are predefined views: v_HS contains historical data from inventory, while v_GS contains the current data from inventory.

So when you want to compare data, for example to see whether the RAM of a computer has changed, you use these two.

An example is Garth's SQL query on RAM changes.

SELECT DISTINCT
    v_GS_COMPUTER_SYSTEM.Name0 AS 'PC Name',
    v_GS_X86_PC_MEMORY.TotalPhysicalMemory0 AS 'Current RAM',
    v_HS_X86_PC_MEMORY.TotalPhysicalMemory0 AS 'Past RAM'
FROM
    v_GS_COMPUTER_SYSTEM v_GS_COMPUTER_SYSTEM,
    v_GS_X86_PC_MEMORY v_GS_X86_PC_MEMORY,
    v_HS_X86_PC_MEMORY v_HS_X86_PC_MEMORY
WHERE
    v_HS_X86_PC_MEMORY.ResourceID = v_GS_X86_PC_MEMORY.ResourceID
    AND v_GS_COMPUTER_SYSTEM.ResourceID = v_GS_X86_PC_MEMORY.ResourceID
    AND v_GS_COMPUTER_SYSTEM.ResourceID = v_HS_X86_PC_MEMORY.ResourceID
    AND v_HS_X86_PC_MEMORY.TotalPhysicalMemory0 <> v_GS_X86_PC_MEMORY.TotalPhysicalMemory0

Identifying "spyware" with SMS or Configuration Manager

Some of you might think: don't you use an antivirus to do this? Well, yes, you might, but SMS or Configuration Manager can help with this as well.

This query first came to me through the myITforum mailing list, and I have since added my own modifications to it. The list also contains some games etc. that may be legitimate in your environment. There may also be some false positives, as we are looking for expressions like sniff and loader.

NOTE: This is not a replacement for spyware protection; it is just a method to help you identify spyware. As most of us know, spyware generates exe files with random names, which gives us a hard time, but at least this will give you an idea of what you can do to identify spyware or other unwanted software in your environment.

select
all RSYS.Name0 AS 'Computer',
RSYS.User_Name0 As 'Last User ID',
SF.FileName As 'File Name',
SF.FileDescription As 'File Description',
SF.FilePath As 'File Path',
SF.FileSize As 'File Size',
SF.FileVersion As 'File Version'
from
V_R_SYSTEM RSYS
LEFT OUTER JOIN V_GS_SoftwareFile SF ON RSYS.ResourceID = SF.ResourceID
where
(
SF.FileName IN
(
'nc.exe', -- Netcat
'hamachi.exe', -- Hamachi
'wow.exe', -- Warcraft
'_DLL.exe', -- Troj_Bagle.AC Trojan
'ARR.exe',  -- Dial-up Hijacker - high cost toll number
'asart.exe', -- ?
'av.exe',   -- W32.Alphx.Word.A Virus
'BackWeb.exe',  -- Spyware - BackWeb Technologies
'Bargains.exe',  -- BargainBuddy - Adware/Spyware
'BELT.exe',   -- Spyware - SearchV.com
'Bling.exe',  -- W32.SDBot-OH.Worm
'BLSS.exe',  -- Spyware - CBlaster Trojan
'Bootconf.exe',  -- Spyware - Homepage Hijacker
'BonziBdy.exe',  -- Spyware
'botzor.exe',  -- W32.ZOTOB.Worm
'BPC.exe',  -- Spyware - Grokster
'Bundle.exe',  -- Adware.SAHAgent
'businessbg0002.exe',  -- Spyware - ?
'cmesys.exe',  -- Adware.W32.Claria
'crafty.exe',   -- ?
'CFD.exe',  -- Spyware - Motive Client Foundation
'csm.exe',  -- W32.ZOTOB.B Worm
'Datemanager.exe',  -- Pop-Ups via Gator
'DIVX.exe',  -- MASTAK Virus or NALDEM Trojan
'DPPS2.exe',  -- Don't Panic! Pop-up blocker - Spyware
'DSSagent.exe',  -- Adware - Broderbund - Spyware?
'eanthology.exe',   -- eAcceleration Software Station - Spyware?
'EditSRV.exe',  -- Spyware - Email_Update.exe
'email_Update.exe',  -- StopSign Email Scanner - eAcceleration Software - Spyware?
'EMSW.exe',  -- Spyware - Alset Inc.
'Gator.exe',  -- Adware.W32.Claria
'gmt.exe',  -- Adware.W32.Claria
'haha.exe',  -- Myet Trojan
'Hbinst.exe',  -- Spyware - HotBar
'HBSRV.exe',  -- Spyware - HotBar
'Hotbar.exe',  -- Spyware - HotBar
'HXDL.exe',  -- HXDL Spyware - Gator
'HXIUL.exe',  -- Adware - HelpExpress - Alset Inc.
'IDHost.exe',  -- Topicks Spyware
'IEDll.exe',  -- Homepage Hijacker
'IEDriver.exe', -- Peer-To-Peer File Sharing
'INFUS.exe',  -- Dial-up Hijacker - high cost toll number
'InfWin.exe',  -- MSView Parasite
'INTDEL.exe',  -- Adware - Pop-ups
'ISTSVC.exe',  -- Spyware - Integrated Search Technologies
'KeenValue.exe',  -- Spyware - Gator
'loader.exe',   -- Backdoor.Prorat Virus
'lol.exe',  -- W32.HLLW.Rackus Virus
'Lspmonitor.exe', -- Spyware - StopSign
'mapisvc32.exe',   -- KX Virus
'MD.exe',  -- System MD Virus
'MDie.exe',  -- Backdoor.Win32.Rbot.Gen Virus
'MemoryMeter.exe',   -- Grokster Peer-To-Peer File Sharing Suite
'MFIN32.exe',  -- Adware - MyFreeInternet Update
'MMod.exe',  -- Adware.W32.EarnBundleWare
'MOStat.exe',  -- Spyware - Wurld Media
'mousebm.exe',  -- W32.ESBot Virus
'mousemm.exe',  -- W32.ESBot.A Virus
'MSBB.exe',   -- Adware.W32.BargainBuddy - 180Solutions
'MSCache.exe',  -- Spyware - Integrated Search Technologies
'MSCMan.exe',  -- Spyware - Odysseus Marketing
'msdefr.exe',  -- Spybot Worm
'MSMACROPROTXZ.exe',  -- Spybot Worm
'MSMGT.exe',   -- Spyware - Total Velocity
'MSSVR.exe',  -- Spyware - 2020DownLoader - 2020 Internet Search Toolbar
'MSUpdater.exe',   -- TrojanDownLoader.Win32.WinShow Trojan
'MWSOEMON.exe',  -- MyWebSearch Toolbar
'mwsvm.exe',   -- Adware - Adw.ScanPortAL.A
'Nail.exe',  -- Trojan.Win32.Stervis.B Trojan
'nb32ext2.exe',  -- MyDoom.BV worm
'nbmanager.exe',   -- Spyware - eAnthology
'netbutler.exe',   -- ?
'onsrvr.exe',  -- Spyware - OnWebMedia
'PC32.exe',  -- Mastak Virus
'per.exe',  -- Worm.ZOTOB.C Virus
'PGMonitr.exe',  -- Adware.W32.DelFin
'PowerScan.exe',  -- Adware.W32.PowerScan
'PRMVR.exe',  -- Spyware - Adtomi.com
'pnpsrv.exe',   -- W32.SDBOT.Worm Virus
'Precisiontime.exe',  -- Adware.W32.ClariaPrecision
'PrizeSurfer.exe',  -- Spyware - PrizeSurfer
'Prmt.exe',  -- Spyware - OpiStat
'RAY.exe',  -- Homepage Hijacker
'RB32.exe',  -- Adware.W32.RapicBlaster
'RCSync.exe',  -- Spyware - PrizeSurfer
'Run32DLL.exe',  -- Key Recorder - Screen Capture - PAL PC Spy
'SAHAgent.exe',  -- Adware.W32.CyDoor - CyDoor Desktop Media
'savenow.exe',  -- Coupons - WhenU.com
'SBHC.exe',   -- IE Plugin - GIGATech Software
'ShowBehind.exe',  -- Adware - MicroSmarts Enterprise
'SLMSS.exe',   -- Spyware - 2nd Thourgh by CPM Media
'SRNG.exe',  -- Spyware - Search Hijacker
'STCLoader.exe',   -- Spyware - 2nd Thourgh by CPM Media
'SUSP.exe',  -- Spyware - ABetterInternet
'SVCINIT.exe',   -- Backdoor.Sinit Trojan
'svnlitup32.exe',  -- Worm.RBOT.CBJ
'syscpy.exe',   -- Backdoor.Hogle Trojan
'Systesm32.exe',  -- Spyware - Bling.exe
'thefourthcoming.exe',  -- ?
'Trickler.exe',  -- Spyware - Gator GAIN (Gator Advertising and Info Network)
'TSADBot.exe',  -- Adware
'TVMD.exe',   -- Spyware
'TVTMD.exe',  -- Spyware
'UCMWESKU.exe', -- ?
'Updates32.exe',  -- Spyware - Bling.exe
'uptodate.exe',  -- Adware - BrowserPal
'veloz.exe',   -- StopSign Email Scanner - eAcceleration Software
'velozsys.exe',   -- StopSign Email Scanner - eAcceleration Software
'Weather.exe',  -- Adware
'webcel.exe',   -- eAcceleration Software - Spyware - ?
'WebDev.exe',  -- ?
'Win32US.exe',  -- Dial-up Hijacker - high cost toll number
'WinActive.exe',  -- Homepage Hijacker
'windrg32.exe',  -- W32.ZOTOB.D Worm
'WinMain.exe',  -- Trojan.KonDeli
'WinNet.exe',  -- Adware/Spyware - CommonName I.E. Search
'winpnp.exe',  -- W32.SDBOT.Worm
'WinServN.exe',  -- Adware.W32.PurityScan - ClickSpring LLC
'WinStart.exe',  -- Homepage Hijacker - iGetNet
'WinStart001.exe',  -- Adware
'wintbp.exe',  -- W32.ZOTOB.E Worm
'wintbpx.exe',  -- W32.BOZORI.Worm.B
'WNAD.exe',  -- Spyware - TwistedHumor.com
'wpa.exe',  -- ESBOT Worm
'ygpmrgsb.exe',  -- ?
'zeus.exe',   -- Zeus:Master of Olympus game
'zmanager.exe'  -- Spyware - eAcceleration
)
)
OR
SF.FileDescription like '%doom%' OR -- DOOM Game
SF.FileDescription like '%GNUTE%' OR  -- MP3 Resources
SF.FileDescription like '%l0pht%' OR   -- Password cracker
SF.FileDescription like 'Lime%' OR   -- Peer-to-Peer file sharing
SF.FileDescription like '%nuke%' OR  -- DOOM Game
SF.FileDescription like '%orafice%' OR -- Keystroke mapper
SF.FileDescription like '%sniff%' OR -- Network sniffer
SF.FileDescription like '%unreal%' OR -- Games
SF.FileDescription like '%warcraft%' OR -- Games
SF.FileName like '%as-101%' OR
SF.FileName like '%babylon%' OR
SF.FileName like '%bearshare%' OR
SF.FileName like '%bindery%' OR
SF.FileName like '%bindin%' OR
SF.FileName like '%bo2k%' OR
SF.FileName like '%chknull%' OR
SF.FileName like '%Cracker%' OR -- Password cracker
SF.FileName like '%Craserv%' OR
SF.FileName like '%doom%' OR -- DOOM game
SF.FileName like '%EbatesMoeMoney%' OR -- Spyware
SF.FileName like '%expolit%' OR
SF.FileName like 'gator%' OR   -- Gator Spyware/Adware
SF.FileName like '%getadmin%' OR
SF.FileName like '%gnucleus%' OR
SF.FileName like '%GNUTE%' OR -- MP3 Resources
SF.FileName like '%GROK%' OR
SF.FileName like '%hack%' OR -- Password cracker
SF.FileName like '%hotbar%' OR -- IE Toolbar - Spyware/Adware
SF.FileName like '%kazaa%' OR   -- Peer-to-Peer file sharing
SF.FileName like 'keygen%' OR  -- Password cracker
SF.FileName like '%l0phtcrack%' OR -- Password cracker
SF.FileName like '%lc252install%' OR   -- Password cracker
SF.FileName like '%LIME%' OR   -- Peer-to-Peer file sharing
SF.FileName like '%morpheus%' OR
SF.FileName like '%Napster%' OR   -- Peer-to-Peer file sharing - MP3 Resources
SF.FileName like '%nbsvr%' OR
SF.FileName like '%nbtscan%' OR
SF.FileName like '%ndssnoop%' OR
SF.FileName like '%netbusr%' OR
SF.FileName like '%nmapNT%' OR
SF.FileName like '%nuke%' OR   -- DOOM Game
SF.FileName like '%nwpcrack%' OR
SF.FileName like '%orafice%' OR -- Keystroke mapper
SF.FileName like '%otglove%' OR
SF.FileName like '%precisiontime%' OR
SF.FileName like '%pwdump%' OR  -- Password cracker
SF.FileName like '%quake%' OR -- DOOM game
SF.FileName like '%Retina%' OR
SF.FileName like '%RFPoison%' OR
SF.FileName like '%smbdie%' OR
SF.FileName like '%smurf%' OR
SF.FileName like '%unreal%' OR
SF.FileName like '%XUPITER%' OR
SF.FileName like 'POPSRV%'

order by
RSYS.Name0
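One way to make the hits from the query above easier to triage, as an added example that is not part of the original query: keep the patterns in a table variable and join on it, so each row shows which rule fired and its category. Only five of the page's patterns are loaded here; @Watch, MatchOn and the column aliases are names chosen for this example.

```sql
-- Added example (not the author's query): watch list held as data.
-- @Watch and its columns are hypothetical names; the patterns and
-- categories are a small sample taken from the query above.
DECLARE @Watch TABLE (
    Pattern  nvarchar(128) NOT NULL,  -- LIKE pattern
    MatchOn  char(4)       NOT NULL,  -- 'NAME' = FileName, 'DESC' = FileDescription
    Category nvarchar(64)  NOT NULL
)

-- INSERT ... SELECT ... UNION ALL also works on older SQL Server versions.
INSERT INTO @Watch (Pattern, MatchOn, Category)
SELECT 'nc.exe',     'NAME', 'Netcat'               UNION ALL
-- In the IN list '_DLL.exe' is an exact match; under LIKE a bare "_"
-- is a single-character wildcard, so it is bracketed here.
SELECT '[_]DLL.exe', 'NAME', 'Troj_Bagle.AC Trojan' UNION ALL
SELECT 'gator%',     'NAME', 'Gator Spyware/Adware' UNION ALL
SELECT '%pwdump%',   'NAME', 'Password cracker'     UNION ALL
SELECT '%sniff%',    'DESC', 'Network sniffer'

-- One row per (file, rule) pair: a file that matches two rules is
-- listed twice, once for each rule that fired.
SELECT
    RSYS.Name0         AS 'Computer',
    RSYS.User_Name0    AS 'Last User ID',
    SF.FileName        AS 'File Name',
    SF.FileDescription AS 'File Description',
    SF.FilePath        AS 'File Path',
    SF.FileVersion     AS 'File Version',
    W.Pattern          AS 'Matched Rule',
    W.Category         AS 'Category'
FROM v_R_System RSYS
JOIN v_GS_SoftwareFile SF
  ON SF.ResourceID = RSYS.ResourceID
JOIN @Watch W
  ON (W.MatchOn = 'NAME' AND SF.FileName LIKE W.Pattern)
  OR (W.MatchOn = 'DESC' AND SF.FileDescription LIKE W.Pattern)
ORDER BY RSYS.Name0, SF.FileName
```

Sorting or filtering the result on the Category column separates broad substring rules such as '%sniff%' from the exact file-name rules when reviewing false positives.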

Excluding machines from Client Push installation

Sometimes you have machines that must not be touched by anything other than manual work, for legal reasons or because they run business-critical applications, and you may not want the SMS/SCCM client to be installed on them automatically. So my question is: is it possible to exclude machines from getting the client via client push?

The answer is yes!

What you need to do is add the computer to the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\SMS\Components\SMS_DISCOVERY_DATA_MANAGER

Double-click the ExcludeServers value and type in your servers in the box, separated by spaces.

If you want a client to be installed again after it has been excluded you need to take certain actions. All information related to this is found in this KB: http://support.microsoft.com/kb/207729

Microsoft SMS 2003 SP3 Asset Intelligence Catalog Update

Yesterday the SMS 2003 SP3 Asset Intelligence update was released. This release keeps Asset Intelligence for SMS 2003 SP3 at the same level as the RTM of Configuration Manager 2007.

It contains more software information and is ONLY intended for SMS 2003 SP3. Keep in mind that there will be an update for Configuration Manager with the SP1 release.

Download it here: http://www.microsoft.com/downloads/details.aspx?FamilyID=3653e00b-6a0f-4226-87d7-02d3df2147d7&displaylang=en
