Hard Drive Audit - Windows
Versioning - This is the latest version.
1 | Hard Drive Audit - Windows | 11/29/2012 10:26:19 AM |
2 | Hard Drive Audit - windows | 12/10/2012 1:21:27 PM |
3 | Hard Drive Audit - windows | 12/11/2012 7:40:03 AM |
4 | Hard Drive Audit - windows | 1/18/2013 11:02:12 AM |
5 | Hard Drive Audit - windows | 5/28/2013 10:41:22 AM |
6 | Hard Drive Audit - windows | 6/4/2013 11:24:20 AM |
7 | Hard Drive Audit - Windows | 6/28/2013 6:33:09 AM |
8 | Hard Drive Audit - Windows | 12/6/2013 8:22:24 AM |
9 | Hard Drive Audit - Windows | 8/8/2014 1:12:29 PM |
10 | Hard Drive Audit - Windows | 8/15/2014 12:30:58 PM |
Description
This analysis reports on various Windows-specific aspects of the hard drives in a system. Found here: http://bigfix.me/cdb/analysis/2994527
This is meant to supplement the analysis "Hard Drive Audit - Universal": http://bigfix.me/cdb/analysis/2994530
Property Details
2994706 | |
Beta - Preliminary testing ready for more | |
Hard Drive Audit - Windows | |
BESC | |
jgstew on 8/15/2014 12:30:58 PM | |
jgstew on 8/15/2014 12:30:58 PM | |
25133 Views / 157 Downloads | |
Properties
Serial Numbers
Period
1 day
* Results in a true/false |
if (exists wmi) then (concatenation ", " of (((substrings after "=" whose(it as trimmed string != "") of (property "SerialNumber" of it as string)) of select objects "* from win32_PhysicalMedia where SerialNumber != ''" of wmi) as trimmed string)) else "n/a"
PredictFailure?
Period
6 hours
* Results in a true/false |
if(not exists (select objects "* from MSStorageDriver_FailurePredictStatus" of wmi "root\WMI") whose(string value of property "PredictFailure" of it as boolean = TRUE)) then "<no failures predicted>" else concatenation "," of (string value of property "PredictFailure" of it & " - " & string value of property "InstanceName" of it) of (select objects "* from MSStorageDriver_FailurePredictStatus" of wmi "root\WMI") whose(string value of property "PredictFailure" of it as boolean = TRUE)
Partitions 4k aligned?
Period
1 day
* Results in a "string"/number |
not disjunction of ((following text of first "=" of (property "StartingOffset" of it as string) as integer mod 4096) != 0) of select objects "* from Win32_DiskPartition" of wmi
Partition Block Size
Period
1 day
* Results in a "string"/number |
concatenation "," of unique values of (following text of first "=" of (property "BlockSize" of it as string)) of select objects "* from Win32_DiskPartition" of wmi
Size of PageFile?
Period
6 hours
* Results in a true/false |
(if (0<(it / (1024*1024*1024*1024))) then (it / (1024*1024*1024*1024)) as string & " TB" else if (0<(it / (1024*1024*1024))) then (it / (1024*1024*1024)) as string & " GB" else if (0<(it / (1024*1024))) then (it / (1024*1024)) as string & " MB" else if (0<(it / (1024))) then (it / (1024)) as string & " KB" else (it as string & " B")) of (size of file "c:\pagefile.sys")
Size of HiberFil?
Period
1 day
* Results in a true/false |
if(not exists file "c:\hiberfil.sys") then nothing else ((if (0<(it / (1024*1024*1024*1024))) then (it / (1024*1024*1024*1024)) as string & " TB" else if (0<(it / (1024*1024*1024))) then (it / (1024*1024*1024)) as string & " GB" else if (0<(it / (1024*1024))) then (it / (1024*1024)) as string & " MB" else if (0<(it / (1024))) then (it / (1024)) as string & " KB" else (it as string & " B")) of (size of file "c:\hiberfil.sys"))
Size of Dell folder?
Period
1 day
* Results in a true/false |
if not exists (folder "dell" of drive of system folder) then nothing else ((if (0<(it / (1024*1024*1024*1024))) then (it / (1024*1024*1024*1024)) as string & " TB" else if (0<(it / (1024*1024*1024))) then (it / (1024*1024*1024)) as string & " GB" else if (0<(it / (1024*1024))) then (it / (1024*1024)) as string & " MB" else if (0<(it / (1024))) then (it / (1024)) as string & " KB" else (it as string & " B")) of (sum of sizes of descendants of folder "dell" of drive of system folder))
Drive Firmware
Period
1 day
* Results in a "string"/number |
if (exists wmi) then (concatenation "; " of ((string value of property "Model" of it, string value of property "FirmwareRevision" of it) of select objects "Model, FirmwareRevision from Win32_DiskDrive" of wmi as string)) else "n/a"
Size of TEM dl cache
Period
1 day
* Results in a true/false |
if exists (folder "__BESData\__Global\__Cache\Downloads" of parent folder of regapp "Besclient.exe") then ((if (0<(it / (1024*1024*1024*1024))) then (it / (1024*1024*1024*1024)) as string & " TB" else if (0<(it / (1024*1024*1024))) then (it / (1024*1024*1024)) as string & " GB" else if (0<(it / (1024*1024))) then (it / (1024*1024)) as string & " MB" else if (0<(it / (1024))) then (it / (1024)) as string & " KB" else (it as string & " B")) of (sum of sizes of descendants of folder "__BESData\__Global\__Cache\Downloads" of parent folder of regapp "Besclient.exe")) else ERROR "none"
Size of Temp folder?
Period
1 day
* Results in a true/false |
if exists (folder "temp" of drive of system folder) then ((if (0<(it / (1024*1024*1024*1024))) then (it / (1024*1024*1024*1024)) as string & " TB" else if (0<(it / (1024*1024*1024))) then (it / (1024*1024*1024)) as string & " GB" else if (0<(it / (1024*1024))) then (it / (1024*1024)) as string & " MB" else if (0<(it / (1024))) then (it / (1024)) as string & " KB" else (it as string & " B")) of (sum of sizes of descendants of folder "temp" of drive of system folder)) else ERROR "no Temp Dir"
TRIM disabled?
Period
6 hours
* Results in a true/false |
value "DisableDeleteNotification" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem" of native registry
IDF Temp Size?
Period
6 hours
* Results in a true/false |
if ((exists folder "users" of drive of system folder) AND (exists folders whose (exists folder "AppData\Local\Temp\Identity Finder" of it) of folder "users" of drive of system folder)) then (sum of sizes of descendants of folders "AppData\Local\Temp\Identity Finder" of folders whose (exists folder "AppData\Local\Temp\Identity Finder" of it) of folder "users" of drive of system folder) else ERROR "No IDF temp"
Desc & Loc
Period
2 days
* Results in a true/false |
(friendly name of it &" - "& location information of it) of active devices whose(class of it = "DiskDrive")
Largest Desktop Folder
Period
2 days
* Results in a true/false |
(pathname of it, sum of sizes of descendants of it) of folders "Desktop" whose(sum of sizes of descendants of it = maximum of (sum of sizes of descendants of it) of folders "Desktop" of folders of (folder "c:\documents and settings" of it | folder "users" of it) of drive of system folder) of folders of (folder "c:\documents and settings" of it | folder "users" of it) of drive of system folder
Raw Size of Disks
Period
2 days
* Results in a true/false |
((it as integer) of string values of selects "Size from Win32_DiskDrive WHERE size!='' " of wmi)
Raw Size of SystemDrive
Period
2 days
* Results in a true/false |
((it as integer) of string values of selects "Size from Win32_DiskDrive WHERE Index=0 AND size!='' " of wmi)
Names of failing drives
Period
2 days
* Results in a true/false |
(string values of selects "Caption from Win32_DiskDrive WHERE Status!='OK'" of wmi)
Relevance
version of client >= "8.0"
Windows XP or Later (Relevance 2997025)
/* Windows XP or later */ version of operating system >= "5.1"
Windows Only (Relevance 2997197)
/* Windows Only */ windows of operating system
Used in 3 analyses | * Results in a true/false |
/* Many, but not all of these properties use WMI */ exists wmi