Hard Drive Audit - Windows

Versioning - This is the latest version.

1   Hard Drive Audit - Windows   11/29/2012 10:26:19 AM
2   Hard Drive Audit - windows   12/10/2012 1:21:27 PM
3   Hard Drive Audit - windows   12/11/2012 7:40:03 AM
4   Hard Drive Audit - windows   1/18/2013 11:02:12 AM
5   Hard Drive Audit - windows   5/28/2013 10:41:22 AM
6   Hard Drive Audit - windows   6/4/2013 11:24:20 AM
7   Hard Drive Audit - Windows   6/28/2013 6:33:09 AM
8   Hard Drive Audit - Windows   12/6/2013 8:22:24 AM
9   Hard Drive Audit - Windows   8/8/2014 1:12:29 PM
10  Hard Drive Audit - Windows   8/15/2014 12:30:58 PM

Description

This analysis reports on various Windows-specific aspects of the hard drives in a system. Found here: http://bigfix.me/cdb/analysis/2994527

This is meant to supplement the analysis "Hard Drive Audit - Universal": http://bigfix.me/cdb/analysis/2994530


Property Details

ID: 2994706
Status: Beta - Preliminary testing ready for more
Title: Hard Drive Audit - Windows
Domain: BESC
Added by on 8/15/2014 12:30:58 PM
Last Modified by on 8/15/2014 12:30:58 PM
Counters: 25133 Views / 157 Downloads

Properties

Serial Numbers
Period 1 day
 
if (exists wmi) then (concatenation ", " of (((substrings after "=" whose(it as trimmed string != "") of (property "SerialNumber" of it as string)) of select objects "* from win32_PhysicalMedia where SerialNumber != ''" of wmi) as trimmed string)) else "n/a"
PredictFailure?
Period 6 hours
 
if(not exists (select objects "* from MSStorageDriver_FailurePredictStatus" of wmi "root\WMI") whose(string value of property "PredictFailure" of it as boolean = TRUE)) then "<no failures predicted>" else concatenation "," of (string value of property "PredictFailure" of it & " - " & string value of property "InstanceName" of it) of (select objects "* from MSStorageDriver_FailurePredictStatus" of wmi "root\WMI") whose(string value of property "PredictFailure" of it as boolean = TRUE)
Partitions 4k aligned?
Period 1 day
 
not disjunction of ((following text of first "=" of (property "StartingOffset" of it as string) as integer mod 4096) != 0) of select objects "* from Win32_DiskPartition" of wmi
Partition Block Size
Period 1 day
 
concatenation "," of unique values of (following text of first "=" of (property "BlockSize" of it as string)) of select objects "* from Win32_DiskPartition" of wmi
Size of PageFile?
Period 6 hours
 
(if (0<(it / (1024*1024*1024*1024))) then (it / (1024*1024*1024*1024)) as string & " TB" else if (0<(it / (1024*1024*1024))) then (it / (1024*1024*1024)) as string & " GB" else if (0<(it / (1024*1024))) then (it / (1024*1024)) as string & " MB" else if (0<(it / (1024))) then (it / (1024)) as string & " KB" else (it as string & " B")) of (size of file "c:\pagefile.sys")
Size of HiberFil?
Period 1 day
 
if(not exists file "c:\hiberfil.sys") then nothing else ((if (0<(it / (1024*1024*1024*1024))) then (it / (1024*1024*1024*1024)) as string & " TB" else if (0<(it / (1024*1024*1024))) then (it / (1024*1024*1024)) as string & " GB" else if (0<(it / (1024*1024))) then (it / (1024*1024)) as string & " MB" else if (0<(it / (1024))) then (it / (1024)) as string & " KB" else (it as string & " B")) of (size of file "c:\hiberfil.sys"))
Size of Dell folder?
Period 1 day
 
if not exists (folder "dell" of drive of system folder) then nothing else ((if (0<(it / (1024*1024*1024*1024))) then (it / (1024*1024*1024*1024)) as string & " TB" else if (0<(it / (1024*1024*1024))) then (it / (1024*1024*1024)) as string & " GB" else if (0<(it / (1024*1024))) then (it / (1024*1024)) as string & " MB" else if (0<(it / (1024))) then (it / (1024)) as string & " KB" else (it as string & " B")) of (sum of sizes of descendants of folder "dell" of drive of system folder))
Drive Firmware
Period 1 day
 
if (exists wmi) then (concatenation "; " of ((string value of property "Model" of it, string value of property "FirmwareRevision" of it) of select objects "Model, FirmwareRevision from Win32_DiskDrive" of wmi as string)) else "n/a"
Size of TEM dl cache
Period 1 day
 
if exists (folder "__BESData\__Global\__Cache\Downloads" of parent folder of regapp "Besclient.exe") then ((if (0<(it / (1024*1024*1024*1024))) then (it / (1024*1024*1024*1024)) as string & " TB" else if (0<(it / (1024*1024*1024))) then (it / (1024*1024*1024)) as string & " GB" else if (0<(it / (1024*1024))) then (it / (1024*1024)) as string & " MB" else if (0<(it / (1024))) then (it / (1024)) as string & " KB" else (it as string & " B")) of (sum of sizes of descendants of folder "__BESData\__Global\__Cache\Downloads" of parent folder of regapp "Besclient.exe")) else ERROR "none"
Size of Temp folder?
Period 1 day
 
if exists (folder "temp" of drive of system folder) then ((if (0<(it / (1024*1024*1024*1024))) then (it / (1024*1024*1024*1024)) as string & " TB" else if (0<(it / (1024*1024*1024))) then (it / (1024*1024*1024)) as string & " GB" else if (0<(it / (1024*1024))) then (it / (1024*1024)) as string & " MB" else if (0<(it / (1024))) then (it / (1024)) as string & " KB" else (it as string & " B")) of (sum of sizes of descendants of folder "temp" of drive of system folder)) else ERROR "no Temp Dir"
TRIM disabled?
Period 6 hours
 
value "DisableDeleteNotification" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem" of native registry
IDF Temp Size?
Period 6 hours
 
if ((exists folder "users" of drive of system folder) AND (exists folders whose (exists folder "AppData\Local\Temp\Identity Finder" of it) of folder "users" of drive of system folder)) then (sum of sizes of descendants of folders "AppData\Local\Temp\Identity Finder" of folders whose (exists folder "AppData\Local\Temp\Identity Finder" of it) of folder "users" of drive of system folder) else ERROR "No IDF temp"
Desc & Loc
Period 2 days
 
(friendly name of it &" - "& location information of it) of active devices whose(class of it = "DiskDrive")
Largest Desktop Folder
Period 2 days
 
(pathname of it, sum of sizes of descendants of it) of folders "Desktop" whose(sum of sizes of descendants of it = maximum of (sum of sizes of descendants of it) of folders "Desktop" of folders of (folder "c:\documents and settings" of it | folder "users" of it) of drive of system folder) of folders of (folder "c:\documents and settings" of it | folder "users" of it) of drive of system folder
Raw Size of Disks
Period 2 days
 
((it as integer) of string values of selects "Size from Win32_DiskDrive WHERE size!='' " of wmi)
Raw Size of SystemDrive
Period 2 days
 
((it as integer) of string values of selects "Size from Win32_DiskDrive WHERE Index=0 AND size!='' " of wmi)
Names of failing drives
Period 2 days
 
(string values of selects "Caption from Win32_DiskDrive WHERE Status!='OK'" of wmi)

Relevance

Used in 28 fixlets and 11 analyses
version of client >= "8.0"
Windows XP or Later (Relevance 2997025)
Used in 6266 fixlets and 5 analyses
/* Windows XP or later */ version of operating system >= "5.1"
Windows Only (Relevance 2997197)
Used in 6452 fixlets and 32 analyses
/* Windows Only */ windows of operating system
Used in 3 analyses
/* Many, but not all of these properties use WMI */ exists wmi
