Saturday, August 13, 2016

LANDesk in the Registry

LANDesk in the Registry
Some of my co-workers recently became aware of information maintained in the Windows Registry by the LANDesk softmon utility, which is pretty fascinating when you look at it.  The previously-linked post states that, "LANDesk Softmon.exe monitors application execution..."...so not just installed applications, or just services, but application execution.  The post goes on to state:

Unfortunately, if an application is no longer available the usage information still lives on in the registry.

This goes back to what I've said before about indicators on Windows systems, particularly within the Registry, persisting beyond the deletion or removal of the application, which is pretty awesome.

The softmon utility maintains some basic information about the executed apps within the Software hive, with subkeys named for the path to the app.  The path to the keys in question is:

HKLM\SOFTWARE\[Wow6432Node]\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\
      MonitorLog\<path to executed app>

Information maintained within the keys includes the following values:
  • Current User
  • First Started
  • Last Started
  • Last Duration
  • Total Duration
  • Total Runs
This site provides information regarding how to decode some of the data associated with the above values; the "First Started" and "Last Started" values are FILETIME objects, and therefore pretty trivial to parse.

This information isn't nearly as comprehensive as something like Sysmon, of course, but it's much better than nothing.

Sysforensics posted a LANDesk Registry Entry Parser script on GitHub, about 2 yrs ago.  Don Weber wrote the original landesk.pl RegRipper plugin back in 2009, and I made some updates to it in 2013.  There's also a landesk_tln.pl plugin that incorporates the data into a timeline.

3 comments:

Unknown said...

Hello Harlan,
As with all government contractors, we have a need to identify a Windows data resource that assists in documenting a users "presence" or is active at the keyboard during time card fraud investigations. We have historically employed the security.evt(x)file with a small number of event IDs to document this but that file is occasionally problematic as well as limited in history due to the default size (which we are changing). Any thoughts to a stable data point that might allow a quantitative identification of activity?

H. Carvey said...

Bob,

Any thoughts to a stable data point that might allow a quantitative identification of activity?

A couple come to mind:

- UserAssist entries
- Other Registry entries illustrating user activity (i.e., http://windowsir.blogspot.com/2013/07/howto-determine-user-access-to-files.html)
- Web browser history
- Have you considered installing Sysmon?

HTH

Mari DeGrazia said...

Harlan,

I ran into the LANDesk key before and it proved extremely helpful - especially since the client did not know how to leverage the tool internally to query data. Instead of waiting for them to figure out who knew how to work the software, we were able to pull this from the registry, use the LANDesk TLN plugin and get some information quickly into a mini timeline.