http://qs321.pair.com?node_id=259685
Category: Win32 Stuff
Author/Contact Info /msg davis
Description: More or less in response to Tracking Kazaa?, I built a quick-n-dirty script that searches machines' registries in the domain for common P2P software.
The initial idea was suggested by zengargoyle.
I'm sure there's a better way to search through the registry than this - suggestions welcome.
Thanks to benn for suggesting that I add other P2P software to the mix.
Update: The software now looks in the HKEY_LOCAL_MACHINE/Software key, and a couple more programs have been added.
Thanks to Marza for the suggestions below		 
use warnings;
use strict;
use Win32::NetAdmin qw(GetServers SV_TYPE_ALL );
use Win32::TieRegistry qw(KEY_READ);
use Data::Dumper;
use Fcntl;

my %bad_stuff = (
        KaZaA            => qr/kazaa/i,
        Gnucleus         => qr/gnucleus/i,
        Napster          => qr/napster/i,    #Most of these are guessw
+ork,
        BearShare        => qr/bearshare/i,  #pulled from http://www.g
+nutelliums.com/
        LimeWire         => qr/limewire/i,
        Morpheus         => qr/morpheus/i,
        Phex             => qr/phex/i,
        Swapper          => qr/swapper/i,
        XoloX            => qr/xolox/i,
        eDonkey          => qr/edonkey/i,
        BitTorrent       => qr/bittorrent/i,
        iMesh            => qr/imesh/i,
        "Comet Systems"  => qr/comet\s*systems/i,
        "Gator.com"      => qr/gator/i,
);

$Registry->Delimiter("/");

my $domain;
($domain = Win32::DomainName) or die "Unable to obtain the domain name
+";


my %machines;
my %installed_software;
GetServers("", $domain, SV_TYPE_ALL, \%machines) or die "GetServers fa
+iled: $!\n";

foreach my $machine (sort keys %machines) {
        #print "Attempting to connect to registry on $machine\n";
        my $remKey= $Registry->Connect($machine, "HKEY_USERS/", { Acce
+ss=>KEY_READ, Delimiter=>"/" } );
        unless($remKey) {
                warn "Couldn't connect to $machine: $^E\n";
                next;
        }

        foreach my $user_sid ($remKey->SubKeyNames) {
                next if($user_sid =~ /_classes$/i);   #There's always 
+a sid....._classes key - skip it.
                my $user_key = $Registry->Connect($machine, "HKEY_USER
+S/$user_sid/SOFTWARE/", { Access=>KEY_READ, Delimiter=>"/" } );
                unless($user_key) {
                        warn "Couldn't get a software key for sid $use
+r_sid on machine $machine\n";
                        next;
                }

                my $software_key = $Registry->Connect($machine, "HKEY_
+LOCAL_MACHINE/SOFTWARE/", { Access=>KEY_READ, Delimiter=>"/" } );
                unless($software_key) {
                        warn "Couldn't get a software key from HKEY_LO
+CAL_MACHINE on machine $machine\n";
                        next;
                }
                foreach my $subkey ($user_key->SubKeyNames, $software_
+key->SubKeyNames) {
                        foreach my $software (keys %bad_stuff) {
                                if($subkey =~ $bad_stuff{$software}) {
                                        next if($installed_software{$m
+achine.$software}++);
                                        print "Machine $machine could 
+have $software installed\n";
                                }
                        }
                }
        }
}

Back to Code Catacombs