Scan Win32 Machines in domain for P2P software

Category:	Win32 Stuff
Author/Contact Info	/msg davis
Description:	More or less in response to Tracking Kazaa?, I built a quick-n-dirty script that searches machines' registries in the domain for common P2P software. The initial idea was suggested by zengargoyle. I'm sure there's a better way to search through the registry than this - suggestions welcome. Thanks to benn for suggesting that I add other P2P software to the mix. Update: The software now looks in the HKEY_LOCAL_MACHINE/Software key, and a couple more programs have been added. Thanks to Marza for the suggestions below
use warnings; use strict; use Win32::NetAdmin qw(GetServers SV_TYPE_ALL ); use Win32::TieRegistry qw(KEY_READ); use Data::Dumper; use Fcntl; my %bad_stuff = ( KaZaA => qr/kazaa/i, Gnucleus => qr/gnucleus/i, Napster => qr/napster/i, #Most of these are guessw +ork, BearShare => qr/bearshare/i, #pulled from http://www.g +nutelliums.com/ LimeWire => qr/limewire/i, Morpheus => qr/morpheus/i, Phex => qr/phex/i, Swapper => qr/swapper/i, XoloX => qr/xolox/i, eDonkey => qr/edonkey/i, BitTorrent => qr/bittorrent/i, iMesh => qr/imesh/i, "Comet Systems" => qr/comet\s*systems/i, "Gator.com" => qr/gator/i, ); $Registry->Delimiter("/"); my $domain; ($domain = Win32::DomainName) or die "Unable to obtain the domain name +"; my %machines; my %installed_software; GetServers("", $domain, SV_TYPE_ALL, \%machines) or die "GetServers fa +iled: $!\n"; foreach my $machine (sort keys %machines) { #print "Attempting to connect to registry on $machine\n"; my $remKey= $Registry->Connect($machine, "HKEY_USERS/", { Acce +ss=>KEY_READ, Delimiter=>"/" } ); unless($remKey) { warn "Couldn't connect to $machine: $^E\n"; next; } foreach my $user_sid ($remKey->SubKeyNames) { next if($user_sid =~ /_classes$/i); #There's always +a sid....._classes key - skip it. my $user_key = $Registry->Connect($machine, "HKEY_USER +S/$user_sid/SOFTWARE/", { Access=>KEY_READ, Delimiter=>"/" } ); unless($user_key) { warn "Couldn't get a software key for sid $use +r_sid on machine $machine\n"; next; } my $software_key = $Registry->Connect($machine, "HKEY_ +LOCAL_MACHINE/SOFTWARE/", { Access=>KEY_READ, Delimiter=>"/" } ); unless($software_key) { warn "Couldn't get a software key from HKEY_LO +CAL_MACHINE on machine $machine\n"; next; } foreach my $subkey ($user_key->SubKeyNames, $software_ +key->SubKeyNames) { foreach my $software (keys %bad_stuff) { if($subkey =~ $bad_stuff{$software}) { next if($installed_software{$m +achine.$software}++); print "Machine $machine could +have $software installed\n"; } } } } }

Comment on Scan Win32 Machines in domain for P2P software Download Code

Replies are listed 'Best First'.
Re: Scan Win32 Machines in domain for P2P software by Marza (Vicar) on May 28, 2003 at 23:38 UTC
Played around with the code and found an instance were LimeWire is missed. It did not load in the SID area, only the programs area of Local_machine. Right now I am going to try out a mixture of the two. It is not bulletproof as people tend to leave trash around(ie napster entries when the program was uninstalled) Also for your list: eDonkey and BitTorrent, and iMesh These were suggestions from an NT admin board.	[reply]
Re: Scan Win32 Machines in domain for P2P software by Marza (Vicar) on Jun 13, 2003 at 19:00 UTC
Cool thanks for the mods! Another thing I noticed is that if you make use of the exists command, you can eliminate this loop `foreach my $software (keys %bad_stuff) { if($subkey =~ $bad_stuff{$software}) { next if($installed_software{$machine.$software}++); print "Machine $machine could have $software installed\n"; } }` [download] So it would be something like: `foreach my $subkey ($user_key->SubKeyNames,$software_key->SubKeyNames) + { if ( exists $bad_stuff{$subkey} ) { print "Machine $computer could have $subkey installed\n"; } }` [download] Finally, one other thing concerning the getservers option: GetServers("", $domain, SV_TYPE_ALL, \%machines) or die "GetServers failed: $!\n"; This will pick up samba servers which will error off since they don't have a registry. If make use of SV_TYPE_SERVER_UNIX you could build an exclusion section to keep them out. Otherwise, you add to the run time as it tries to open a non-existent registry. I had to do that as I have about 20 of them. There are other issues such as a network appliance box but not everybody has those. I can post code if you are intersted. I figured you like to play so I didn't ;-)	[reply] [d/l] [select]
Re: Re: Scan Win32 Machines in domain for P2P software by davis (Vicar) on Jun 16, 2003 at 08:43 UTC
`if ( exists $bad_stuff{$subkey} ) {` [download] Careful. That line would only match if the target machine's registry contained the exact string that I used to key the `$bad_stuff` hash. I used the hash so that I use a regular expression match to increase flexibility in what the code would catch. E.g.: If the registry contained "LimeWireInstallDate" (Made up example), your version wouldn't catch it. I also assumed that it would be possible that software would install registry keys unrelated to the software name (it could use the software vendor's name instead, for example). The point about SV_TYPE_ is a good one though, thanks. davis It's not easy to juggle a pregnant wife and a troubled child, but somehow I managed to fit in eight hours of TV a day.	[reply] [d/l]
Re: Re: Re: Scan Win32 Machines in domain for P2P software by Marza (Vicar) on Jun 18, 2003 at 19:51 UTC
Interesting. But is there a case where you only have "LimeWireInstallDate" and not the others? As to Gator. He is in the software directory of Lmachine" I would also add Comet System's comet cursor as it does massive tracking and all the women think it is SO cool! At least they are "honest" and give an uninstaller" Note: most spyware progs like SpyBot will take care of these two. `"Comet Systems" => qr/comet systems/i, "Gator.com" => qr/gator.com/i,` [download] UPDATE Change that! I ran the uninstaller and surprise, the tracking stuff remained. Your spyware cleaner will fix it!	[reply] [d/l]