Quickly audit software on a Windows network using the command line

We recently received a notice from one of our Vendors that we must provide them with a software audit of all machines on our network, but we did not have a reliable system in place at the time.

My first thought was to scrape the registry, but I had not played with that too much. Next idea was WMI, or specifically WMIC, teamed with a NMAP scan to get a list of online machines.

To enumerate the computers that are actually online I used a basic NMAP ping scan, then a quick FOR loop to extract the IP address from each line of output. The TYPE command is used to "convert" the ANSI text into ASCII text.

nmap -sP 10.1.1.0/24 | find "report for " >> online.tmp && type online.tmp >> online.log

for /F "tokens=5 delims= " %i in (online.log) DO wmic /node:%i PRODUCT LIST BRIEF > software_%i.txt

Assuming you are using static IPs you can easily skip the machines already scanned by running NMAP with the --excludefile option. If you are going to do this you may want to change the script to something like this:

nmap -sP 10.1.1.0/24 --excludefile scanned.log | find "report for " >> online.tmp

for /F "tokens=5 delims= " %i in (online.tmp) do @echo %i >> online2.tmp && type online2.tmp >> online.log && type online2.tmp >> scanned.log

for /F "tokens=5 delims= " %i in (online.log) DO wmic /node:%i PRODUCT LIST BRIEF > software_%i.txt

At this stage you should have a set of TAB-separated text files, one for each computer scanned. If you want a single file instead, change the wmic command to:

for /F "tokens=5 delims= " %i in (online.log) DO wmic /node:%i PRODUCT LIST BRIEF >> software.txt

For those that do not want to install any software, you can also use the PING command to do a ping sweep:

FOR /L %i in (1,1,255) do @ping -n 1 10.1.1.%i | find "time=" >> online.tmp

Compared to using NMAP, which in my testing took from 30-120 seconds, a ping sweep takes a significantly longer time to scan a class C network. If you are planning on scanning larger networks it is a really good idea to consider using NMAP.

Remember if you use variables in a batch file you will need to use %%i instead of %i.
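The same sweep-then-audit procedure as a single PowerShell script, added here as an example and not part of the original post. It keeps a scanned.log to skip hosts from earlier runs, and reads each host's Uninstall registry keys (the registry-scraping idea mentioned at the top) instead of WMIC PRODUCT, because that query uses Win32_Product, which only lists MSI-installed software and triggers a consistency check, and possibly a repair, of every package it enumerates. It assumes the Remote Registry service is reachable on the targets and that you have local admin rights there; the subnet and file names are placeholders.

```powershell
# Added example (not from the original post). Assumes the Remote Registry
# service is running on the targets and the caller is a local admin there.
$Subnet  = '10.1.1'          # placeholder /24, as in the post
$Online  = 'online.log'
$Scanned = 'scanned.log'
$Report  = 'software.csv'
$UninstallPaths = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 32-bit apps on 64-bit Windows
)

# Hosts audited by a previous run are skipped, same idea as nmap --excludefile.
$alreadyScanned = if (Test-Path $Scanned) { Get-Content $Scanned } else { @() }

# Ping sweep: one echo request per address; unreachable hosts simply return $false.
$hosts = foreach ($n in 1..254) {
    $ip = "$Subnet.$n"
    if ($alreadyScanned -contains $ip) { continue }
    if (Test-Connection -ComputerName $ip -Count 1 -Quiet -ErrorAction SilentlyContinue) { $ip }
}
$hosts | Add-Content $Online

# Read DisplayName/DisplayVersion/Publisher from every Uninstall subkey on each host.
$rows = foreach ($ip in $hosts) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ip)
        foreach ($path in $UninstallPaths) {
            $key = $hklm.OpenSubKey($path)
            if (-not $key) { continue }
            foreach ($name in $key.GetSubKeyNames()) {
                $sub = $key.OpenSubKey($name)
                $display = $sub.GetValue('DisplayName')
                if (-not $display) { continue }   # skip patches/components without a product name
                [pscustomobject]@{
                    Host      = $ip
                    Name      = $display
                    Version   = $sub.GetValue('DisplayVersion')
                    Publisher = $sub.GetValue('Publisher')
                }
            }
        }
        $ip | Add-Content $Scanned   # mark done only after a successful read
    } catch {
        Write-Warning "$ip : $($_.Exception.Message)"   # host stays unscanned for the next run
    }
}
$rows | Sort-Object Host, Name | Export-Csv -Path $Report -NoTypeInformation
```

Hosts that answer ping but refuse the remote registry connection are reported with Write-Warning and left out of scanned.log, so a re-run picks them up again.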

Command Reference

NMAP

WMIC

FIND

FOR

TYPE

Thanks to the guys at the COMMAND LINE KUNG FU blog for the ideas that brought this post and concept about.