
Getting File Version of SysMon64 or other Executable


I'm trying to get the version of a file (SysMon64.exe). Unfortunately, there's no canned way of doing this. With a bit of research, I built the following PowerShell script, which I thought was working perfectly.


# Sysmon64 version check for a SolarWinds SAM PowerShell script monitor.
# Output follows the SAM script-monitor convention: Message.<name> / Statistic.<name> lines.
# System.Version is built into .NET, so no assembly needs to be loaded first.
$s = "%systemroot%\sysmon64.exe"
$v = [System.Environment]::ExpandEnvironmentVariables($s)
If (Test-Path "$v")
    {
    Try
        {
        # VersionInfo exposes the PE version resource; build a System.Version from its four numeric parts
        $versionInfo = (Get-Item $v).VersionInfo
        $versionString = "$($versionInfo.FileMajorPart).$($versionInfo.FileMinorPart).$($versionInfo.FileBuildPart).$($versionInfo.FilePrivatePart)"
        $fileVersion = New-Object System.Version($versionString)
        Write-Host "Message.Version: $fileVersion"
        }
    Catch
        {
        Write-Host "Unable to retrieve file version info, please verify vulnerability state manually." -ForegroundColor Yellow
        # exit ends the script here; a Return after it would never be reached
        exit 1
        }
    }

# Last-modified time of the Sysmon configuration file
$c = "C:\Tools\sysmonfiles\sysmonconfig_attk.xml"
$cv = [System.Environment]::ExpandEnvironmentVariables($c)
If (Test-Path "$cv")
    {
    Try
        {
        $cLastModDate = (Get-Item $cv).LastWriteTime
        Write-Host "Message.ConfigDate: $cLastModDate" -ForegroundColor Cyan
        }
    Catch
        {
        Write-Host "Unable to retrieve config file write time, please verify vulnerability state manually." -ForegroundColor Yellow
        exit 1
        }
    }

Write-Host "Statistic.Version: 0"
Write-Host "Statistic.ConfigDate: 0"
exit 0


The output of that script looks like the following:

[screenshot omitted]

However, when I run the exact same script on the local machine, it spits out different results.

[screenshot omitted]


I have this PowerShell script on 75 nodes currently. I'm not sure why it is spitting out different results when I run it from the SolarWinds box vs. when I run it on the local server itself. Any guidance you can provide/offer would be much appreciated. Thank you!!
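One way to make "which machine did this actually run on" answerable from the script output itself, written as an added example rather than the poster's code; the function name, the MinVersion and MaxConfigAgeDays thresholds and the NODE01 name are assumptions:

```powershell
# Added example, not the poster's script: the same Sysmon check as a function that also
# reports the host it ran on, so a script that silently executes on the polling server
# instead of the node is visible in the output. Assumptions: Sysmon64.exe lives under
# %SystemRoot%, the config path is the one from the thread, and MinVersion /
# MaxConfigAgeDays are made-up thresholds that replace the hard-coded "Statistic: 0".
function Get-SysmonState {
    param(
        [string]  $ExePath          = (Join-Path $env:SystemRoot 'Sysmon64.exe'),
        [string]  $ConfigPath       = 'C:\Tools\sysmonfiles\sysmonconfig_attk.xml',
        [version] $MinVersion       = '13.0.0.0',   # placeholder baseline
        [int]     $MaxConfigAgeDays = 90            # placeholder threshold
    )
    $r = [ordered]@{ Host = $env:COMPUTERNAME; Version = $null; ConfigDate = $null; Ok = $false }
    if (Test-Path -LiteralPath $ExePath) {
        # Build a [version] from the four numeric parts; the FileVersion string may carry extra text
        $vi = (Get-Item -LiteralPath $ExePath).VersionInfo
        $r.Version = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
    }
    if (Test-Path -LiteralPath $ConfigPath) {
        $r.ConfigDate = (Get-Item -LiteralPath $ConfigPath).LastWriteTime
    }
    $versionOk = $r.Version -and ($r.Version -ge $MinVersion)
    $configOk  = $r.ConfigDate -and (((Get-Date) - $r.ConfigDate).TotalDays -le $MaxConfigAgeDays)
    $r.Ok = [bool]($versionOk -and $configOk)
    return [pscustomobject]$r
}

# Local run: whichever machine executes this script, Message.Host says so.
$state = Get-SysmonState
# Explicit remote run over an encrypted WinRM session (node name is a placeholder):
# $state = Invoke-Command -ComputerName 'NODE01' -UseSSL -ScriptBlock ${function:Get-SysmonState}

# SAM script-monitor output; a non-zero Statistic now means "out of policy" instead of always 0.
Write-Host "Message.Host: $($state.Host)"
Write-Host "Message.Version: $(if ($state.Version) { $state.Version } else { 'not installed' })"
Write-Host "Message.ConfigDate: $(if ($state.ConfigDate) { $state.ConfigDate.ToString('o') } else { 'missing' })"
Write-Host "Statistic.OutOfPolicy: $(if ($state.Ok) { 0 } else { 1 })"
exit 0
```

If Message.Host names the SolarWinds server rather than the node, the monitor is executing locally, which is the mismatch described in the post.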

 

1 Solution

Okay, after some work - I finally figured out how to make this work.

First off, there's a cool little checkbox that you have to change to make the script run on the remote machine vs the local machine. When you do that, you will also need to choose your transport method (HTTP or HTTPS).

[screenshot omitted]

Once I figured out that I had goofed that up, I was met by another challenge. There was no HTTPS listener on the box, but winrm was saying that one existed. I had to remove the winrm config for the HTTPS transport and build a new one. I also set my SolarWinds server as a trusted host.

[screenshot omitted]

If you are having difficulty with SSL initially, you can use this command to turn it off.

winrm set winrm/config/client @{AllowUnencrypted="true"}

[screenshot omitted]

When you are happy with everything and it's working, I would highly recommend switching it back to an SSL transport using the following command:

winrm set winrm/config/client @{AllowUnencrypted="false"}


A big thank you to those that chimed in! Kudos given!
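An added audit script, not from the thread, that reads back the WinRM settings the solution above touches (listeners, AllowUnencrypted, TrustedHosts) and flags what should not be left in place once monitoring works; the function name and the wording of the findings are mine, and it assumes the WSMan: drive is available in an elevated PowerShell session:

```powershell
# Added example (not from the thread): audit the local WinRM transport configuration.
# Requires the WinRM service running (so the WSMan: drive exists) and an elevated prompt.
function Get-WinRmTransportAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # Each listener is a container under WSMan:\localhost\Listener whose child items
    # hold Transport, Port, CertificateThumbprint and so on.
    $haveHttps = $false
    foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
        $props = @{}
        Get-ChildItem $l.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }
        if ($props['Transport'] -eq 'HTTPS') {
            $haveHttps = $true
            # An HTTPS listener with no certificate bound is the "winrm says it exists but
            # nothing answers" situation described in the solution.
            if ([string]::IsNullOrEmpty($props['CertificateThumbprint'])) {
                $findings.Add("HTTPS listener $($l.Name) has no certificate bound")
            }
        } elseif ($props['Transport'] -eq 'HTTP') {
            $findings.Add("HTTP listener $($l.Name) on port $($props['Port']) (plaintext transport)")
        }
    }
    if (-not $haveHttps) { $findings.Add('No HTTPS listener configured') }

    # AllowUnencrypted=true is the troubleshooting toggle from the solution; it should not stay on.
    foreach ($side in 'Client', 'Service') {
        $val = (Get-Item "WSMan:\localhost\$side\AllowUnencrypted").Value
        if ($val -eq 'true') { $findings.Add("$side AllowUnencrypted is true; set it back to false") }
    }

    # TrustedHosts skips Kerberos mutual authentication for the listed names; '*' trusts every host.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ($trusted -eq '*') {
        $findings.Add("TrustedHosts is '*' (any host); list the polling server explicitly instead")
    } elseif ($trusted) {
        $findings.Add("TrustedHosts: $trusted (confirm only the SolarWinds server is listed)")
    }

    return $findings
}

$issues = Get-WinRmTransportAudit
if ($issues.Count -eq 0) { Write-Host 'WinRM transport: no findings' -ForegroundColor Green }
else { $issues | ForEach-Object { Write-Host "Finding: $_" -ForegroundColor Yellow } }
```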


3 Replies

Looks like this should work, but something is clearly happening to the date in $cLastModDate when run remotely. Is your output more consistent if you ToString() that variable before dropping it into Message.ConfigDate?

I modified the variables and added the .ToString() before the Write-Host; unfortunately, there is no change in character when running them from the SolarWinds box.


# System.Version is built into .NET, so no assembly load is needed.
$s = "%systemroot%\sysmon64.exe"
$v = [System.Environment]::ExpandEnvironmentVariables($s)
If (Test-Path "$v")
    {
    Try
        {
        $versionInfo = (Get-Item $v).VersionInfo
        $versionString = "$($versionInfo.FileMajorPart).$($versionInfo.FileMinorPart).$($versionInfo.FileBuildPart).$($versionInfo.FilePrivatePart)"
        $fileVersion = New-Object System.Version($versionString)
        Write-Host "Message.SysMonVersion: $fileVersion" -ForegroundColor Cyan
        Write-Host "Statistic.SysMonVersion: 0"
        }
    Catch
        {
        Write-Host "Unable to retrieve file version info, please verify state manually." -ForegroundColor Yellow
        exit 1
        }
    }

$c = "C:\Tools\sysmonfiles\sysmonconfig_attk.xml"
$cv = [System.Environment]::ExpandEnvironmentVariables($c)
If (Test-Path "$cv")
    {
    Try
        {
        $cLastModDate = (Get-Item $cv).LastWriteTime
        # Inside a double-quoted string only the variable is expanded; the method call must be
        # wrapped in $( ) or the literal text ".ToString()" is printed after the date.
        Write-Host "Message.SysMonConfigDate: $($cLastModDate.ToString())" -ForegroundColor Cyan
        Write-Host "Statistic.SysMonConfigDate: 0"
        }
    Catch
        {
        Write-Host "Unable to retrieve file write time, please verify manually." -ForegroundColor Yellow
        exit 1
        }
    }

exit 0

