tzanardo
Engaged Sweeper

 

Hi all,

I was trying to find a report that shows where Google Chrome (any) was installed but could not find any report that gives me the information. I know Google Chrome and many other software can be installed in users' profiles without admin credentials and I need to know who installed it.

The installation location can be taken from the Windows registry  

User's profile(user-context): 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"InstallLocation"="C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\Application"

 

Can anyone help me pull out the information from Lansweeper? All the devices have lsagent installed.

Thanks
T

1 ACCEPTED SOLUTION
jduke_halls
Engaged Sweeper III

I can say that I haven't used LSAgent in a year, but unless this behavior has changed since the last time I did use it for scanning, it is likely that the scanner is scanning possibly at the lock screen before the user has logged on. The LSAgent updates the database directly as it scans. So, if you're scanning HKEY_CURRENT_USER and no one is logged on (i.e. the computer's on the login screen, or restarting, or something logged on as system to run a job) at the same time as LSAgent scans the computer, as far as LanSweeper is concerned, the registry key doesn't exist.

This is because Windows hasn't loaded the registry hive. In Windows 10 and 11, the behavior has even changed to the point that if you click "Switch User" on the login screen, Windows unloads the logged-on user's registry hive from HKEY_CURRENT_USER\... to HKEY_USERS\{SID}\...

If you're on-prem and have access to the SQL server running your LanSweeper instance, the best way to see what's actually happening would be to notice when something is changing, run SQL Server Profiler from SQL Server Management Studio, and see what queries are actually taking place when one goes away and when it comes back into the report.

4 REPLIES
jduke_halls
Engaged Sweeper III

I think the issue here is that if you're trying to find which user installed Chrome and LanSweeper is scanning as either the system account (with LSAgent) or a Domain Scanner account, it wouldn't be able to get to the HKCU hive. It would have to go as HKEY_USERS\{$SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome.

Another alternative is to look for Chrome.exe in the default user's install location and report on that.

Enable File Scan in the Scanned Item Interval (if it's not there already) and add File Path C:\ChromeUsers\Output.txt to the scanned items. After the deploy job has run and all has been scanned, click the "Report" button next to the file scan, and it will bring up the report.

Create/Run a Deploy to run this as PowerShell from your LanSweeper scanning server, then use the File Scan report to find the computers that have Chrome installed as the user. You can then open the file on the local machine to find out which users have it installed.

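# Output folder and file that the LanSweeper File Scan picks up
New-Item -ItemType Directory -Force -Path C:\ChromeUsers | Out-Null
$OutFile = "C:\ChromeUsers\Output.txt"
$Output = ""
$parent = Get-ChildItem "C:\Users" -Directory
$found = $false
foreach ($user in $parent) {
    try {
        # -ErrorAction Stop makes a missing folder a terminating error, so the catch below handles it
        $item = Get-ChildItem -Path "$($user.FullName)\AppData\Local\Google\Chrome\Application" -Recurse -Filter "chrome.exe" -File -ErrorAction Stop
        if ($item) {
            $found = $true
            $Output += "$($user.Name)`r`n"
        }
    }
    catch {
        # This profile has no per-user Chrome folder (or it is unreadable): skip it
    }
}
if ($found) {
    $Output | Out-File -FilePath $OutFile -Force
} else {
    # No per-user Chrome found: remove any stale report left by an earlier run
    Remove-Item $OutFile -ErrorAction SilentlyContinue
}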
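
The HKEY_USERS\{SID} path and the hive-loading behaviour discussed in this thread, as an added example that is not part of any post and is not Lansweeper's own code: it reads the Chrome uninstall key from every user hive that is currently loaded and flags profiles whose hive is not loaded, which a registry scan at that moment would miss. It assumes it runs locally as SYSTEM or an administrator; the output property names are made up for this example.

```powershell
# Added example. Run locally as SYSTEM or an administrator.
$subKey      = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome'
$chromeExe   = 'AppData\Local\Google\Chrome\Application\chrome.exe'
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$results = foreach ($p in Get-ChildItem -Path $profileList) {
    $sid = $p.PSChildName
    # Keep local/domain (S-1-5-21-...) and Azure AD (S-1-12-1-...) user accounts;
    # skip the built-in service profiles such as S-1-5-18.
    if ($sid -notmatch '^S-1-(5-21|12-1)-') { continue }

    $profilePath = (Get-ItemProperty -Path $p.PSPath).ProfileImagePath

    # A user's hive appears under HKEY_USERS\<SID> only while it is loaded.
    $hivePath   = "Registry::HKEY_USERS\$sid"
    $hiveLoaded = Test-Path -Path $hivePath

    $installLocation = $null
    if ($hiveLoaded) {
        $key = Get-ItemProperty -Path "$hivePath\$subKey" -ErrorAction SilentlyContinue
        if ($key) { $installLocation = $key.InstallLocation }
    }

    # The file check does not depend on the hive, so it still works when
    # nobody is logged on and the registry value cannot be read.
    $exeOnDisk = Test-Path -Path (Join-Path $profilePath $chromeExe)

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Sid             = $sid
        ProfilePath     = $profilePath
        HiveLoaded      = $hiveLoaded
        InstallLocation = $installLocation
        ChromeExeOnDisk = $exeOnDisk
    }
}

$results | Format-Table -AutoSize
```

A row with HiveLoaded = False and ChromeExeOnDisk = True is a per-user install that a registry scan taken at that moment cannot see.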

 

@jduke_halls 

Thanks for replying, but what you said is not exactly what I am experiencing.

All the Win10 laptops are used by their own user and run the lsagent.

I have been using Scanning > File & registry scanning > Registry Scanning to collect the registry below and it brings exactly the information I need. However, there is something strange happening: the number of devices fluctuates. Sometimes it shows 100, another time 150, another time 140.

On top of that, I managed to create a script to bring this information with more details such as IP, users and so on, but the information still fluctuates.

 

Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblAssets.Version,
  tblAssets.SP,
  Case
    When TsysLastscan.Lasttime < GetDate() - 1 Then
      'Last registry scan more than 24 hours ago! Information may not be up-to-date. Try rescanning this machine.'
  End As Comment,
  Case
    When SubQuery1.Valuename Is Not Null And SubQuery1.Valuename <> ''
    Then 'Yes'
    Else 'No'
  End As ValuenameFound,
  SubQuery1.Regkey,
  SubQuery1.Valuename,
  SubQuery1.Value,
  Case
    When tblErrors.ErrorText Is Not Null And
      tblErrors.ErrorText != '' Then
      'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  TsysLastscan.Lasttime As LastRegistryScan,
  SubQuery1.Lastchanged,
  tblAssets.Firstseen,
  tblAssets.Lastseen,
  tblAssets.Lasttried
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID =
      tblAssets.LocationID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
      ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
      tblErrors.ErrorType
  Inner Join TsysLastscan On tblAssets.AssetID = TsysLastscan.AssetID
  Inner Join TsysWaittime On TsysWaittime.CFGCode = TsysLastscan.CFGcode
  Left Join (Select Top 1000000 tblRegistry.AssetID,
      tblRegistry.Regkey,
      tblRegistry.Valuename,
      tblRegistry.Value,
      tblRegistry.Lastchanged
    From tblRegistry
    Where
      tblRegistry.Regkey Like
      '%SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome' And
      tblRegistry.Valuename = 'InstallLocation') SubQuery1 On
      SubQuery1.AssetID = tblAssets.AssetID
Where tblAssetCustom.State = 1 And TsysWaittime.CFGname = 'registry'
Order By tblAssets.Domain,
  tblAssets.AssetName

 





tzanardo
Engaged Sweeper

Can anyone help me with this, please?