Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw

Scan Win32 Machines in domain for P2P software

by davis (Vicar)
on May 21, 2003 at 11:21 UTC ( #259685=sourcecode: print w/replies, xml ) Need Help??
Category: Win32 Stuff
Author/Contact Info /msg davis
Description: More or less in response to Tracking Kazaa?, I built a quick-n-dirty script that searches machines' registries in the domain for common P2P software.
The initial idea was suggested by zengargoyle.
I'm sure there's a better way to search through the registry than this - suggestions welcome.
Thanks to benn for suggesting that I add other P2P software to the mix.
Update: The software now looks in the HKEY_LOCAL_MACHINE/Software key, and a couple more programs have been added.
Thanks to Marza for the suggestions below
use warnings;
use strict;
use Win32::NetAdmin qw(GetServers SV_TYPE_ALL );
use Win32::TieRegistry qw(KEY_READ);
use Data::Dumper;
use Fcntl;

my %bad_stuff = (
        KaZaA            => qr/kazaa/i,
        Gnucleus         => qr/gnucleus/i,
        Napster          => qr/napster/i,    #Most of these are guessw
        BearShare        => qr/bearshare/i,  #pulled from http://www.g
        LimeWire         => qr/limewire/i,
        Morpheus         => qr/morpheus/i,
        Phex             => qr/phex/i,
        Swapper          => qr/swapper/i,
        XoloX            => qr/xolox/i,
        eDonkey          => qr/edonkey/i,
        BitTorrent       => qr/bittorrent/i,
        iMesh            => qr/imesh/i,
        "Comet Systems"  => qr/comet\s*systems/i,
        ""      => qr/gator/i,


my $domain;
($domain = Win32::DomainName) or die "Unable to obtain the domain name

my %machines;
my %installed_software;
GetServers("", $domain, SV_TYPE_ALL, \%machines) or die "GetServers fa
+iled: $!\n";

foreach my $machine (sort keys %machines) {
        #print "Attempting to connect to registry on $machine\n";
        my $remKey= $Registry->Connect($machine, "HKEY_USERS/", { Acce
+ss=>KEY_READ, Delimiter=>"/" } );
        unless($remKey) {
                warn "Couldn't connect to $machine: $^E\n";

        foreach my $user_sid ($remKey->SubKeyNames) {
                next if($user_sid =~ /_classes$/i);   #There's always 
+a sid....._classes key - skip it.
                my $user_key = $Registry->Connect($machine, "HKEY_USER
+S/$user_sid/SOFTWARE/", { Access=>KEY_READ, Delimiter=>"/" } );
                unless($user_key) {
                        warn "Couldn't get a software key for sid $use
+r_sid on machine $machine\n";

                my $software_key = $Registry->Connect($machine, "HKEY_
+LOCAL_MACHINE/SOFTWARE/", { Access=>KEY_READ, Delimiter=>"/" } );
                unless($software_key) {
                        warn "Couldn't get a software key from HKEY_LO
+CAL_MACHINE on machine $machine\n";
                foreach my $subkey ($user_key->SubKeyNames, $software_
+key->SubKeyNames) {
                        foreach my $software (keys %bad_stuff) {
                                if($subkey =~ $bad_stuff{$software}) {
                                        next if($installed_software{$m
                                        print "Machine $machine could 
+have $software installed\n";
Replies are listed 'Best First'.
Re: Scan Win32 Machines in domain for P2P software
by Marza (Vicar) on May 28, 2003 at 23:38 UTC

    Played around with the code and found an instance were LimeWire is missed. It did not load in the SID area, only the programs area of Local_machine.

    Right now I am going to try out a mixture of the two. It is not bulletproof as people tend to leave trash around(ie napster entries when the program was uninstalled)

    Also for your list: eDonkey and BitTorrent, and iMesh

    These were suggestions from an NT admin board.

Re: Scan Win32 Machines in domain for P2P software
by Marza (Vicar) on Jun 13, 2003 at 19:00 UTC

    Cool thanks for the mods!

    Another thing I noticed is that if you make use of the exists command, you can eliminate this loop

    foreach my $software (keys %bad_stuff) { if($subkey =~ $bad_stuff{$software}) { next if($installed_software{$machine.$software}++); print "Machine $machine could have $software installed\n"; } }

    So it would be something like:

    foreach my $subkey ($user_key->SubKeyNames,$software_key->SubKeyNames) + { if ( exists $bad_stuff{$subkey} ) { print "Machine $computer could have $subkey installed\n"; } }

    Finally, one other thing concerning the getservers option:

    GetServers("", $domain, SV_TYPE_ALL, \%machines) or die "GetServers failed: $!\n";

    This will pick up samba servers which will error off since they don't have a registry.

    If make use of SV_TYPE_SERVER_UNIX you could build an exclusion section to keep them out. Otherwise, you add to the run time as it tries to open a non-existent registry. I had to do that as I have about 20 of them. There are other issues such as a network appliance box but not everybody has those. I can post code if you are intersted. I figured you like to play so I didn't ;-)

      if ( exists $bad_stuff{$subkey} ) {

      Careful. That line would only match if the target machine's registry contained the exact string that I used to key the $bad_stuff hash. I used the hash so that I use a regular expression match to increase flexibility in what the code would catch.

      E.g.: If the registry contained "LimeWireInstallDate" (Made up example), your version wouldn't catch it. I also assumed that it would be possible that software would install registry keys unrelated to the software name (it could use the software vendor's name instead, for example).

      The point about SV_TYPE_ is a good one though, thanks.

      It's not easy to juggle a pregnant wife and a troubled child, but somehow I managed to fit in eight hours of TV a day.

        Interesting. But is there a case where you only have "LimeWireInstallDate" and not the others?

        As to Gator. He is in the software directory of Lmachine" I would also add Comet System's comet cursor as it does massive tracking and all the women think it is SO cool! At least they are "honest" and give an uninstaller" Note: most spyware progs like SpyBot will take care of these two.

        "Comet Systems" => qr/comet systems/i, "" => qr/,

        Change that! I ran the uninstaller and surprise, the tracking stuff remained. Your spyware cleaner will fix it!

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: sourcecode [id://259685]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others scrutinizing the Monastery: (5)
As of 2022-08-16 07:26 GMT
Find Nodes?
    Voting Booth?

    No recent polls found