3 Replies Latest reply on Nov 1, 2017 2:19 PM by ahassall

    SAM Windows Software Inventory

    KMSigma

      We've recently encountered an issue during polling of our Windows Servers for software inventory.

       

      First things first: I'm assuming that Software Inventory is requested over WMI using the Win32_Product class.  This class appears to be perfectly suited for this kind of inquiry because the WMI class doesn't seem to care if the software is 32-bit or 64-bit.  However, it turns out that querying this class leads to all kinds of issues.  See the Microsoft KB Article: Microsoft Support

      Buried down under the "More Information" heading is the following text:

      Win32_product Class is not query optimized. Queries such as “select * from Win32_Product where (name like 'Sniffer%')” require WMI to use the MSI provider to enumerate all of the installed products and then parse the full list sequentially to handle the “where” clause. This process also initiates a consistency check of packages installed, verifying and repairing the install. With an account with only user privileges, as the user account may not have access to quite a few locations, may cause delay in application launch and an event 11708 stating an installation failure.

       

      This scares me to no end.  If the system might re-run the installer, that can do any number of nightmarish things beginning with really slowing down logons to the machine and escalating from there.  There have even been reports of this WMI Class calling the reinstallation of Exchange Service Packs!  (I have not verified this personally.)

       

      Note to Developers:

      It looks like the only safe path for this information is directly accessing the registry.  There is a PowerShell-based example available on TechNet Gallery (Script List Remote Application on Computer), but it omits the "SOFTWARE\Wow6432Node\Windows\CurrentVersion\Uninstall" registry path that needs to be queried for 32-bit Applications on a 64-bit Computer.

       

      Otherwise the new SAM is fantastic!
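
An added example, not part of the original post or the vendor's code: a read-only PowerShell inventory that reads both Uninstall registry keys instead of querying Win32_Product, so no MSI consistency check is triggered. The function name Get-InstalledSoftware is hypothetical, the full key paths (including the Microsoft segment) are the standard Windows locations, and the code assumes a 64-bit PowerShell host and, for remote targets, a running Remote Registry service.

```powershell
# Added example: registry-based software inventory that avoids Win32_Product.
function Get-InstalledSoftware {
    [CmdletBinding()]
    param(
        [string]$ComputerName = ''   # empty string opens the local registry
    )
    $target = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }

    # Both Uninstall keys: the native view, plus the 32-bit view on 64-bit Windows.
    $uninstallPaths = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        foreach ($path in $uninstallPaths) {
            $root = $hklm.OpenSubKey($path)   # read-only; $null if the key is absent
            if ($null -eq $root) { continue }
            try {
                foreach ($name in $root.GetSubKeyNames()) {
                    $key = $root.OpenSubKey($name)
                    if ($null -eq $key) { continue }
                    try {
                        $displayName = $key.GetValue('DisplayName')
                        # Skip entries with no display name (hidden components, updates).
                        if ([string]::IsNullOrWhiteSpace($displayName)) { continue }
                        [pscustomobject]@{
                            ComputerName = $target
                            Name         = $displayName
                            Version      = $key.GetValue('DisplayVersion')
                            Publisher    = $key.GetValue('Publisher')
                            InstallDate  = $key.GetValue('InstallDate')
                            SourceKey    = $path
                        }
                    } finally { $key.Close() }
                }
            } finally { $root.Close() }
        }
    } finally { $hklm.Close() }
}

# Local inventory; pass -ComputerName <host> for a remote server.
Get-InstalledSoftware | Sort-Object Name | Format-Table Name, Version, Publisher, SourceKey
```

This lists machine-wide entries only; per-user installs recorded under HKCU are not covered.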

        • Re: SAM Windows Software Inventory
          aLTeReGo

          Thank you KMSigma for your due diligence in both identifying these events, as well as offering suggestions for improvement. We are aware that queries to the Win32_Product class are not query optimized, which is partly why we will only be polling asset inventory information once a day. When we first encountered these messages in the Event Log we thoroughly investigated this issue and determined that querying this class is perfectly safe. Nothing is being installed/reinstalled/etc. unless the installation was corrupted anyway, which would occur on its own the next time the application launched thanks to MSI Self Healing.

           

          A quick checksum is done on the original installer the same as when you open "Programs & Features" under "Settings" in Windows Server 2008 and later. This is why the list sometimes takes a minute or two to fully populate. This same process occurs when the Win32_Product class is queried.

           

          Microsoft recommends avoiding its use during operations such as login scripts, group policy filters, or continuous monitoring products like patch management, vulnerability assessment, and computer posturing/NAC, as this process takes up to a minute to return results on slower/older machines with many products installed.

           

          I understand your concerns with such an ominous message stating that it might repair or even re-install a package as a result of this query. However, this same WMI class is the industry's de facto standard, used by virtually every product that collects installed software information via WMI.

           

          We do however plan to investigate alternative methods for collecting this information or allowing software inventory to be disabled entirely.

          2 of 2 people found this helpful