The risks to the corporate network by the use of MSN Messenger and similar programs is a minefield in your own network. Using SMS can often detect it and while SMS does an excellent job of detection, if it's not an option, there are other means of detection and destruction using a couple of slighly complex batch files. The following files will find and destroy MSN, though it can be adapted to any file in theory.
I use a couple of PSTools (www.sysinternals.com) to kill it and replace it though detection is enough with strong backing from management. The process is designed to capture a listing of users. This file will NOT work if the install directory is in a non-standard location though I go through some effort to find it in a few places. There's a few things you can do to find it through detection using PSList but this is only if it's running, PSInfo might work too. I did not use these tools for detection in this application.
DOALLPCS.cmd: This batch file will locate most if not all PCs on the network, it's presumed you would have administrative rights on these PCs. It accepts two parameters, the first of which is the batch file to run, the second is passed to the natch file is specified. In this application the batch file specified is the next CMD file, FindMSN. Note the ~SPLIT LINE~ tags... the next line is supposed to be part of this line.
@echo off
echo %TIME%: Start
for /F "skip=1 tokens=1 delims=\ " %%a in ('NET VIEW') ~SPLIT LINE~
do START "Checking %%a using %1..." /MIN %1 %%a BATCH %~2
echo %TIME%: End - %1
:end
FindMSN.CMD: This is the worker in this process. It's big and I'll try to document this in a helpful manner.
@echo off
SET KILLSHARE=NO
SET TARGET=%~1
ECHO %TARGET%...
REG QUERY \\%TARGET%\HKLM\SOFTWARE\Microsoft\MSNMessenger ~SPLIT LINE~
/V InstallationDirectory
IF %ERRORLEVEL% EQU 1 GOTO NOTPRESENT
REG QUERY \\%TARGET%\HKLM\SOFTWARE\Microsoft\MSNMessenger ~SPLIT LINE~
/V InstallationDirectory|FIND /I "C:"
IF %ERRORLEVEL% EQU 0 GOTO ONC
REG QUERY \\%TARGET%\HKLM\SOFTWARE\Microsoft\MSNMessenger ~SPLIT LINE~
/V InstallationDirectory|FIND /I "D:"
IF %ERRORLEVEL% EQU 0 GOTO OND
REG QUERY \\%TARGET%\HKLM\SOFTWARE\Microsoft\MSNMessenger ~SPLIT LINE~
/V InstallationDirectory|FIND /I "E:"
IF %ERRORLEVEL% EQU 0 GOTO ONE
pause
GOTO END
:ONC
echo C Drive
SET LOCATION=\\%TARGET%\C$
ECHO %LOCATION%
IF EXIST %LOCATION%\*.* GOTO DOIT
\\tcint1\apps\ISTOOLS\RMTSHARE %LOCATION%=C:\ | ~SPLIT LINE~
FIND /I "command failed"
IF %ERRORLEVEL% EQU 0 GOTO FAILED
SET KILLSHARE=YES
GOTO DOIT
:OND
echo D Drive
SET LOCATION=%TARGET%\D$
IF EXIST %LOCATION%\*.* GOTO DOIT
\\tcint1\apps\ISTOOLS\RMTSHARE %LOCATION%=D:\ | ~SPLIT LINE~
FIND /I "command failed"
IF %ERRORLEVEL% EQU 0 GOTO FAILED
SET KILLSHARE=YES
GOTO DOIT
:ONE
echo E Drive
SET LOCATION=%TARGET%\E$
IF EXIST %LOCATION%\*.* GOTO DOIT
\\tcint1\apps\ISTOOLS\RMTSHARE %LOCATION%=E:\ | ~SPLIT LINE~
FIND /I "command failed"
IF %ERRORLEVEL% EQU 0 GOTO FAILED
SET KILLSHARE=YES
GOTO DOIT
:DOIT
ECHO Check Typical Locations...
IF EXIST "%LOCATION%\Program Files\MSN Messenger\*.*" GOTO Found
IF EXIST "%LOCATION%\MSN Messenger\*.*" GOTO Found
echo Not Found
goto end
:Found
echo Found...
IF NOT exist "FoundMSN" MKDIR "FoundMSN"
echo %1 %DATE% %TIME% >> FoundMSN\%1.txt
REG QUERY \\%TARGET%\HKLM\SOFTWARE\Microsoft\MSNMessenger ~SPLIT LINE~
/V InstallationDirectory >> FoundMSN\%1.txt
echo %LOCATION% >> FoundMSN\%1.txt
dir "%LOCATION%\Program Files\MSN Messenger\*.*" >> FoundMSN\%1.txt
dir "%LOCATION%\MSN Messenger\*.*" >> FoundMSN\%1.txt
pslist \\%TARGET% |FIND /i "msnmsgr" >> FoundMSN\%1.txt
IF %errorlevel% EQU 0 pskill \\%TARGET% msnmsgr
:NOTRUNNING
IF NOT EXIST "%LOCATION%\Program Files\MSN Messenger\msnmsgr.exe" GOTO ALT1
dir "%LOCATION%\Program Files\MSN Messenger\*.*" >> FoundMSN\%1.txt
Xcopy F:\msnmsgr.exe "%LOCATION%\Program Files\MSN Messenger" /Y /I
goto wrapup
:ALT1
IF NOT EXIST "%LOCATION%\MSN Messenger\*.*" GOTO HIDDEN
dir "%LOCATION%\MSN Messenger\*.*" >> FoundMSN\%1.txt
Xcopy F:\msnmsgr.exe "%LOCATION%\MSN Messenger" /Y /I
goto wrapup
:HIDDEN
echo Search for EXEcutable... >> FoundMSN\%1.txt
goto wrapup
:WRAPUP
if not exist "\\%TARGET%\e$\My Received Files\msnmsgr.exe" goto end
IF NOT EXIST FoundMSN\%1_MRF MKDIR FoundMSN\MRFList
REM start /min x:\istools\robocopy "\\%TARGET%\e$\My Received Files" ~SPLIT LINE~
FoundMSN\%1_MRF *.* /E /XO /V /ETA
DIR "\\%TARGET%\e$\My Received Files\*.*" >> FoundMSN\MRFList\%1_MRF.TXT
IF "%2"=="NOTIFY" call notify %1 "MSN Messenger"
IF "%3"=="NOTIFY" call notify %1 "MSN Messenger"
goto end
:FAILED
echo Cannot connect to %TARGET%. Aborted.
:end
:NOTPRESENT
IF "%KILLSHARE%"=="YES" RMTSHARE %LOCATION% /d
echo done
IF "%2"=="BATCH" exit
BTW: I don't think this is necessarily the BEST way to do this, it's one way. You may notice I spawn this into many VMs and this can take it's toll but I only need to watch 500-700 PCs. There are ideas you can take from this to do good or evil, please do good. Oh... There's one more batch file I didn't mention... NOTIFY.CMD. This is a wrapped NET SEND to the machine that's been examined. It tells them they're on the list of people that are about to have a very bad day.
This tool is designed to ENSURE that all systems that had received the Microsoft Patches via SMS have been rebooted and/or reported. It uses the DOALLPCS.CMD or DOALLPCS1.CMD which are in Trick 4.
@echo off
SET TARGET=%~1
SET SEARCHID=MSEMF 1
ECHO Checking Target: %TARGET%...
IF /I "%TARGET%"=="%COMPUTERNAME%" echo Cannot Reboot Self...&goto end 2
PING -n 1 %target%|find /i "Reply from" 3
if %errorlevel% EQU 0 goto :checkver
goto END
:checkver 4
For /F "skip=1 tokens=1,2 delims=:" %%a in ('psinfo \\%TARGET%') do ~SPLIT LINE~
call :SetVars "%%a" "%%b"
IF "%NU_Product type%"=="Server" goto end
IF "%NU_Product type%"=="Professional" goto COI
goto end
:COI 5
ECHO %TARGET%: %NU_Uptime%>> F:\UPTIME.TXT
SET /A X12=%NU_Uptime:~0,2%
REM IF %X12% EQU 0 echo Not Required...&goto end
:: ---------------------------------------------------
:: PAYLOAD
:: ---------------------------------------------------
:DETECT FILE - END 6
IF NOT EXIST "\\%TARGET%\C$\Program Files\Common Files\~SPLIT LINE~
Microsoft Shared\Grphflt\MS.EMF" GOTO END
IF NOT EXIST 20051108\*.* MKDIR 20051108
ECHO Found
ECHO FOUND MS.EMF AT %DATE% %TIME% >> 20051108\%TARGET%_%SEARCHID%.LOG
:DETECT FILE - END
:: REBOOT CODE 7
goto NOREBOOT
echo g:\istools\shutdown -m \\%target% -t 30 -r -f
g:\istools\shutdown -m \\%target% -t 300 -r -f
ECHO %TARGET%: To Be Rebooted! (%NU_Product type%)>> F:\UPTIME.TXT
:: REBOOT CODE
:NOREBOOT
:: ---------------------------------------------------
:: PAYLOAD 8
:: ---------------------------------------------------
goto end
:SetVars 9
SET VAR=%~1
SET VALUE=%~2
REM echo **NU_%W1%**
:TRIMLEAD
IF "%VALUE%"=="" SET VAR=&GOTO :eof
IF "%VALUE:~0,1%"==" " SET VALUE=%VALUE:~1%&goto TrimLead
ECHO %VAR%=%VALUE%
SET NU_%VAR%=%VALUE%
goto :eof
:end
:NOTPRESENT
echo done
color
IF /I "%BATCHMODE%"=="ON" exit 10
| |
|
| 1 | Set this to a difference code so it's easy to find the files. |
| 2 | Don't reboot the computer you're running this on. |
| 3 | Check to be sure the target is available. |
| 4 | Check to be sure you're not targetting a server (or are if you wanna get fired). Calling SetVars ( 9 ) captures the variables you'll need. |
| 5 | This first checks to see if the system has been rebooted recently, if it has, no need to interfere again. |
| 6 | This is the file you're checking for, this may be more complex than looking at the existence of a file, but the test can go here. If you haven't created a place to save the logs the folder is created (20051108) and the date and time is logged to a file. This is a manner of validation for the process. |
| 7 | While there are a couple of versions of SHUTDOWN.EXE, please make sure your versions parameters are correct. If not time, embarrassement is saved when you test thoroughly. |
| 8 | This may be additional actions. I haven't used this, but you can deliver files or registry settings here if required. |
| 9 | This is the procedure to capture various settings on your target system. The output of PSINFO.EXE (from sysinternals.com) is processed into environment variables. It also Trims Leading characters to ensure the data is relatively clean. |
| 10 | This is a catch all that allows the code to exist if it's shelled from another batch file. |
