How to find unwanted files on workstations
A few weeks ago I was asked to check every single workstation in the organisation for unwanted files. The types of files I was asked to look for were media files such as music and video, but also torrent files. The main objective was to identify breaches of policy and to allow removal of the unwanted files from the network. I will take you through what I did, which achieved the main objective relatively painlessly. Undoubtedly there better methods than what I'm about to describe and in fact I'm kind of counting on it, so feel free to share how you deal with the challenge. In the mean time this is what I ended up doing.
I obviously didn't really want to visit every machine in the organisation and search the hard drive. Junior has been good lately, so sending him wasn't an option either. The first challenge was to identify the machines currently on the network. Being a windows environment, I considered using dsquery to grab the machine names from AD, but that didn't really work out nicely as the company has computers in all different kinds of OUs. WMIC also had similar limitations and Powershell, well let's just say I'm no Ed, Hal or Tom. I chose the easy option and used nmap. Convenient in this environment as the workstations are quite separate from the servers on their own subnet. The following nmap command does a quick ping sweep and places the results in a grepable output file.
nmap -sP <ip-range>/<mask> -oG <filename>
The the grep output from nmap looks as follows :
Host: aaa.bbb.ccc.20 (machine1.domain.com) Status: Up Host: aaa.bbb.ccc.45 (machine45.domain.com) Status: Up Host: aaa.bbb.ccc.62 (machine62.domain.com) Status: Up … snip ... Host: aaa.bbb.ccc.100 (print01.domain.com) Status: Up Host: aaa.bbb.ccc.101 (print02.domain.com) Status: Up Host: aaa.bbb.ccc.102 (machine102.domain.com) Status: Up Host: aaa.bbb.ccc.115 (machine115.domain.com) Status: Up Host: aaa.bbb.ccc.150 (switch01.domain.com) Status: Up … snip ...
From the list I culled those devices that I was not interested in, e.g. the printers and the switch, before building the commands and creating the batch file.
To do the heavy lifting I used psexec from sysinternals, which allowed me to examine all the machines from one central machine. To create the command and resulting batch file I edited the output file from the nmap.
-
find and replace Host: with PsExec.exe
-
find and replace ( with -w C:\ cmd.exe /c "dir *.mp3 *.avi *.mkv *.mov *torrent* /s /b " > audit-
-
find and replace domain.com with .txt
-
find and replace ) Status: Up with <blank> (i.e. clear it out)
What you end up with should look something like this for each of the entries in the nmap output file.
PsExec.exe aaa.bbb.ccc.45 -w C:\ cmd.exe /c "dir *.mp3 *.avi *.mkv *.mov *torrent* /s /b " > audit-machine45.txt
Save the file as a .bat file extension, make sure psexec is in the path of the user who will be running the batch file.
What will it do? The command runs PsExec on the IP address, issues the command dir for those extensions listed and outputs the info in a local file called audit-<machinename>.txt. Because we are using a standard dir command you can easily look for any kind of file you like, or partial file names.
Each of the output files will look something like this
C:\Documents and Settings\jdoe\
Desktop\MUSAK\The Police\Greatest Hits\11 - The Police - Spirits In The Material World - Greatest H.mp3 Desktop\MUSAK\The Police\Greatest Hits\12 - The Police - Synchronicity II - Greatest Hits_120113005.mp3 Desktop\MUSAK\The Police\Greatest Hits\13 - The Police - Every Breath You Take - Greatest Hits_1201.mp3 Desktop\MUSAK\The Police\Greatest Hits\14 - The Police - King Of Pain - Greatest Hits_1201130115.mp3 Local Settings\Temporary Internet Files\Content.IE5\HKNBKI0L\novotelrestc[1].mov My Documents\private\vids\SouthPark DVDiv\X 809-814\813 - Cartman's Incredible Gift-AERiAL_mrtwig.net.avi
Someone will need to inspect each of the result files and check to see if the materials are permitted to remain on corporate machines or whether they should be removed. Sometimes the owner wil not be obvious and you might need to examine the machine a little bit closer to determine the owner of the files. Once unwanted files have been identified I usually send the person a policy reminder and a request to have the materials removed. Second/third/nth offences however are passed on to the appropriate area to deal with.
To give you an idea of the effort involved for a site of 400 plus machines (about 325 up when checking).
- Running the nmap - 15 minutes,
- Culling undesirable devices and doing the find and replace commands - 15 minutes.
- Running the batch file - 2 hrs.
- Checking the results - 1 hour,
- Sending the emails - 30 minutes (will obviously depend on how much you find I ended up sending 15).
All in all a reasonably straight forward process and easily adapted to different file types, or file names.
There are some limitations. The user running the psexec command must have privileges in the environment and the machines being checked should be part of the domain. Although you can pass alternate userid and passwords to the command if you want to. You will leave a user profile directory behind on the machine being checked. Only those machines accessible when the batch file is run will be checked, but you could make this part of a login process and write the results file to a network location instead.
Quick and dirty I know, but does the job. How do you find files on your network, including workstations, that should probably not be there?
Cheers
Mark - Shearwater
PS the diary editor seems to strip slashes so if it looks like there should be a backslash, you are probably right.
Comments
Moriah
Aug 15th 2011
1 decade ago
M
Mark
Aug 15th 2011
1 decade ago
A previous organisation that I worked for used a logon script with AIDA32 to keep an updated audit of all machines.
Ash D
Aug 15th 2011
1 decade ago
a) it only searches the current directory and any subdirectories below it (where "current" when used with psexec means user profile directory)
b) will not look for removable media or other partitions.
point (b) is especially important because often users will bring in removable media (e.g. dvds with ripped movies or flash drives/portable media players if you don't have access controls enabled for usbstor devices)
Also, (b) is important when users are told to never save important data on the c: partition and instead are told to use another location for user data. This is my case too, i configure the machines i manage to keep the "desktop" and "my documents" folders on a different partition. This way i can have a few systems with the c: partition frozen (deep freeze) while others can be re-imaged when needed without affecting user data.
A.
Aug 15th 2011
1 decade ago
A.
Aug 15th 2011
1 decade ago
Mark
Aug 15th 2011
1 decade ago
you may not detect any computer that has Windows Firewall enabled, which defaults to blocking ICMP echo.
If you continuously utilize a monitoring tool such as ARPWatch on every LAN, you might want to use the IP address database from that tool as well as the nmap results.
Mysid
Aug 15th 2011
1 decade ago
jedge
Aug 15th 2011
1 decade ago
FOR /R "%USERPROFILE%\Desktop" %%i in (*.xls *.xlsx *.xlsm *.xltx *.xltm *.xlsb *.xlam *.doc *.docx *.docm *.dotx *.dotm *.ppt *.pptx *.pptm *.potx *.potm *.ppam *.ppsx *.ppsm *.pdf *.txt *.log *.rtf *.csv *.zip) do echo deleted %%~si >> \\cdm-dc-01\Share\SHARED\IT\PC_Logs\%_FNAME% && del %%~si >> \\cdm-dc-01\Share\SHARED\IT\PC_Logs\%_FNAME% 2>&1
Kx499
Aug 15th 2011
1 decade ago
FOR /R "%USERPROFILE%\Desktop" %%i in (*.xls *.xlsx *.xlsm *.xltx *.xltm *.xlsb *.xlam) do echo deleted %%~si >> \\cdm-dc-01\Share\SHARED\IT\PC_Logs\%_FNAME% && del %%~si
Kx499
Aug 15th 2011
1 decade ago