/build/static/layout/Breadcrumb_cap_w.png

Using WMI and PowerShell to expand computer inventory info

We already have a wealth of information provided to us by the K1000 Inventory System. However, in my company, we have found a need to gather additional information. We do this, as many do, by use of the Custom Inventory Items, collecting software versions, registry entries, etc. I just recently, however, discovered how to use Powershell and WMI calls to inventory even more information.

In my organization, we have a need, due to various privacy regulations, to track all users that log into a PC. Our previous asset management system did this, but currently KACE only captures the currently logged in user. That's where a simple WMI Query using Powershell comes in handy:

Get-WmiObject -class Win32_NetworkLoginProfile | Select-Object Name,LastLogon,NumberOfLogons

 This will return a table with the username, last logon date (in UTC format), and number of logons. The NumberOfLogons seems to be pulled from our domain, so it's not always 100% accurate for users that login to multiple PCs (such as the IT staff) but it's still fairly useful.

Now, for me the above query actually returned a little too much info, including local accounts created by our anti-virus and other built in accounts. So, I added a "where" clause to the query to limit it only to accounts that have logged in at least once:

Get-WmiObject -class Win32_NetworkLoginProfile | Where {$_.NumberOfLogons -gt 0} | Select-Object Name,LastLogon,NumberOfLogons 

That's a little bit better, but the date and time contained in LastLogon is not easily readable. We'll have to convert it to a more human readable format:

Get-WmiObject -class Win32_NetworkLoginProfile | Where {($_.NumberOfLogons -gt 0) -and ($_.NumberOfLogons -lt 65535)} | Select-Object  Name,@{label='LastLogon';expression={$_.ConvertToDateTime($_.LastLogon)}},NumberOfLogons

Now the information we get is much more meaninful. You'll also notice I changed the Where clause a bit. There appears to be an issue (at least on our network) with some invalid logins appearing with 65535 as the number of logins, so this helps filter those out. I recommend you try it without first to see what you get.

After it's all said and done, my full custom inventory rule looks like this:

ShellCommandTextReturn(cmd /c powershell.exe "Get-WmiObject -class Win32_NetworkLoginProfile | Where {($_.NumberOfLogons -gt 0) -and ($_.NumberOfLogons -lt 65535)} | Select-Object  Name,@{label='LastLogon';expression={$_.ConvertToDateTime($_.LastLogon)}},NumberOfLogons")

Now, when you run this in Powershell, it comes out as a nice pre-formatted table. Unfortunately, since HTML strips out extra spaces, it doesn't look quite as pretty once it's displayed on the K1000. However, it is still searchable.

This is, of course, only one possibility when using WMI along with Powershell. We also have one that inventories the printers on a system, including the port name, so we can tell who has a locally attached printer versus printing to a Standard TCP/IP Port.


Comments

This post is locked

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ