Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Annoying Problem

Status
Not open for further replies.

BKearan

IS-IT--Management
Sep 27, 2007
45
US
I am needing to pull information about File/Program versions from a computer opening a intranet webpage. Of course, Internet Exploder won't allow VBScript to run WMI queries.

Basically I am needing to get something like :

Code:
<html>
<head>
<SCRIPT language="vbscript" type="text/vbscript" >
Sub window_onLoad
Dim strComputer, objDocument, objWMIService, objFile, ColFiles, strQuery, sFile, sVer
'OPEN CURRENT DOCUMENT
Set objDocument = self.Document
objDocument.open
on error resume next
'SET TITLE AND HEADING
strComputer = "."
objdocument.WriteLn "<title>My TITLE here</title>"
objdocument.WriteLn "<h2>Header for page</h2><hr>"
objdocument.WriteLn "<br>Please wait while we acquire your current configuration...<br>"
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
	strComputer & "\root\cimv2")
	objDocument.WriteLn "<br>Set Service: " & err.number & " " & err.description
strQuery = "Select * FROM CIM_Datafile WHERE Drive = 'C:' AND FileName = 'acrord32' AND Extension = 'exe'"
objDocument.WriteLn "<br>Query: " & err.number & " " & err.description
objdocument.WriteLn "<p>Your current setup is:</p>"
set ColFiles = objWMIService.ExecQuery(strQuery)
  		For Each objFile In ColFiles
    		sFile = objFile.Name
    		sVer = objFile.Version
    		objdocument.WriteLn "<p>" & sFile & " is at version " & sVer
  		Next
End sub

<create links to install software here>

</Script>
</head>
<body>
</body>
</html>

To actually work instead of returning :

Code:
Please wait while we acquire your current configuration...

Set Service: 429 ActiveX component can't create object 
Query: 429 ActiveX component can't create object 
Your current setup is:

is at version

I've thought of JavaScript, but it won't read files and grab the info I need (I don't think, not good at JavaScript).
How do I get the info I need without lowering the IE security settings?? How do I get it to display in the HTML page the user will get to?


 
How do I get the info I need without lowering the IE security settings??"

I have no intention of implying that you are a hacker, but look at that statement from the perspective of someone responsible for the security on a user's machine.

[red]"... isn't sanity really just a one trick pony anyway?! I mean, all you get is one trick, rational thinking, but when you are good and crazy, oooh, oooh, oooh, the sky is the limit!" - The Tick[/red]
 
LOL.. thing is I AM responsible for the security on the computers that I am needing this information from to display. Basically security is THE reason I need to do this.
It will be a self-service software page that will tell the end-user what version of software they have and then show them the latest version, why they need to update (usually vulnerabilities) and give them a link that will install the software for them. "Adobe Reader 8.1 has vulnerabilities that could allow a malicious code to gain control of your system.
Code:
Click on "Upgrade to 8.1.2" to install the latest version and correct this issue.

I know its kind of a catch-22, but its the software delivery "solution" we are using - does everything that is 'interactive' web based. From the admin console to reporting to user-self-service.

If I were a hacker, I probably wouldn't have to be asking this question. :D
 
So you have no automated delivery system available (i.e. SMS/SCCM)?

[red]"... isn't sanity really just a one trick pony anyway?! I mean, all you get is one trick, rational thinking, but when you are good and crazy, oooh, oooh, oooh, the sky is the limit!" - The Tick[/red]
 
Yes, we have BMC Configuration Manager for software deployment. Trying to get BMC's 'User self service' working, which is total and complete access OR a custom HTML page displaying only the links to software we want them to be able to "self load". We're opting for custom.

The "What version you have now" would be very nice to have, so we wouldn't have people double and triple clicking to load something they already have.

We've had trouble with Adobe Acrobat Reader, Flash and Java not installing completely when deployed completely silently. Java needs IE to not be open, which I could auto-kill all IE processes, but any logged on user would probably get irate. Lots of little complications like that would make user self-service preferable. I can get most everything pushed out using VBScript by itself. However, having an expensive "solution" like BMC sitting doing nothing but reporting would be a waste, so they want to use the software deployment it has, which is mostly Java dependent (not javascript), but I don't know Java and the company won't ante up for any training on this expensive, complicated "solution" yet, so I'm stuck having to do the best I can manage to hack up until I get some training on Configuration Manager's little quirks that make "normal" installations and scripts not work exactly right.

So,
How do I get the info I need without lowering the IE security settings?? How do I get it to display in the HTML page the user will get to?
Or is it just not possible?
 
Yeah, I wrote an HTA that would do it, thing is, the way its called, it opens inside a browser window, not the normal way an HTA opens itself. Users will "Link" to a URL and it will open the "Default Page" which I can make a .HTA, but it won't open it as a local html application, it will be a "web page" still. I love .hta files, but this just won't do it.
Its all wrapped up in how the Agent on the computer communicates with the BMC server. So far, its fairly annoying. LOL...
 
So as a security professional, you first want there to be a way for webpages to circumvent browser security and you second want that information posted on a very public often accessed web site.

[red]"... isn't sanity really just a one trick pony anyway?! I mean, all you get is one trick, rational thinking, but when you are good and crazy, oooh, oooh, oooh, the sky is the limit!" - The Tick[/red]
 
No, an Intranet site is "internal" and limited to access from our company's network, with no outside access.

Secondly, the information gathered and displayed will be specific for the one computer currently accessing the page - dynamic content tailor made for the person/computer viewing the page via the internal url and viewable only to them. That is what the VBScript is for, to collect and display the versions on that specific computer.

The information will not be "Posted" nor stored anywhere, it will be dynamic - which means 'changing' - usually according to environmental variables - in this case the programs and versions that are or are not installed on the computer that is viewing the page

The information will certianly not available anywhere "public." This is mainly because since the information is dynamic, it 'goes away' when the user viewing information about their computer closes the browser or navigates away from that page.

Since I am having to explain these concepts to you, I don't think that you are going to be able to grasp the question, much less answer it, so please stop harassing me and go troll somewhere else - myspace.com may be a good place for you.
 
I am not harassing you simply trying to point out the security issues around what you want to do. I will happily end my participation in this thread.

[red]"... isn't sanity really just a one trick pony anyway?! I mean, all you get is one trick, rational thinking, but when you are good and crazy, oooh, oooh, oooh, the sky is the limit!" - The Tick[/red]
 
Tested on my intranet: clicking an hta file containing your script and choosing Execute in the download dialog produces the following:
Code:
Please wait while we acquire your current configuration...

Set Service: 0 
Query: 0 
Your current setup is:

c:\program files\adobe\reader 8.0\reader\acrord32.exe is at version 8.1.0.2007051100

Hope This Helps, PH.
FAQ219-2884
FAQ181-2886
 
Yes, the .hta will work if they could doubleclick the .hta directly from their desktop.
Unfortunatly, they will probably have to access it from a url resembling : Which will use IE to open it and will not just run the .hta
and that is where my problem comes in.

... I suppose I could propose we just push the .hta out to their desktop... but updating 3000+ files (one on each computer) each time we get new info or programs would be a bit iffy... :D LOL... but I suppose its a possibility at least.
Or just not bother with getting their current file versions.
 
I clicked the hta URL inside IE6 (from a directory listing sent by IIS), clicked the Execute button and got the expected result ...
BTW, the hta file was on the server, not my desktop.

Hope This Helps, PH.
FAQ219-2884
FAQ181-2886
 
Ah... going to and using the .hta as the default "home page" did not work.

However, if I made a default .html page and put a link to the .hta in there, clicking on that link does launch the .hta properly and throws up a nice "Security Warning" dialogue that asks the user to Run, Save or Cancel. Very nice compromise.

That did, in fact, help, thank you! :D
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top