Administrators perform software audits to ensure that licensing agreements are followed, detect unauthorized software, and prepare for upgrades and migrations. To facilitate software audits, you can install a variety of third-party utilities and agents, some of which, in addition to gathering a list of installed software, can also collect information, such as the amount of free disk space, service status, and BIOS version, and even deploy software. However, at times you might want to remotely determine which software is installed on a workstation or server. The Control Panel Add/Remove Programs applet looks at one registry subkey (and its values), and you can query this subkey to display a list of installed applications. The script QueryInstalledSoftware.cmd, which Listing 1 shows, uses this querying process to easily and quickly perform a low-cost software audit.
Using Reg.exe to Query the Subkey
The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall subkey contains the values that Add/Remove Programs uses to display a computer's installed software. You can use the reg.exe utility to remotely query this subkey. (Reg.exe used to be part of the Microsoft Windows NT 4.0 Resource Kit but now is part of Windows 2000 Support Tools.) You can also use reg.exe to locally and remotely add, delete, and update subkeys from the command line. The Uninstall subkey contains values that represent applications and contain information such as software name, installation source, and uninstall string. The displayname value contains the software name that Add/Remove Programs displays. To use reg.exe to query the subkey, you can type the following command on the command line:
Reg Query HKLM\SOFTWARE Microsoft\Windows CurrentVersion\Uninstall /S \\compname
(Although this command appears on several lines here, you would enter it on one line on the command line. The same holds true for the other multiline commands in this article.) This command outputs all the Uninstall subkey values for the specified computer (compname). Because you don't need all this output, you can massage the output to display only the displayname values. The simplest way to do this is to pipe the output of the Reg Query command to the Find command:
Reg Query HKLM\SOFTWARE Microsoft\Windows CurrentVersion\Uninstall /S \\compname | Find /I "displayname"
Although this output is a significant improvement over the raw output of the Reg Query command, the output also displays quietdisplayname values. Add/Remove Programs doesn't show quiet display names because they're either intermediate programs or dependent modules of other programs. Because you typically won't be interested in these values, you can pipe the output once again to the Find command, this time using the /V and /I switches with the quietdisplayname parameter:
Reg Query HKLM\SOFTWARE Microsoft\Windows CurrentVersion\Uninstall /S \\compname | Find /I "displayname" | Find /V /I "quietdisplayname"
This command sequence excludes from the output any lines that contain quietdisplayname. Figure 1 shows an example of what this command's output looks like.
You can use this command sequence to obtain the output you need, but using a script instead is a good idea for two reasons. First, the command sequence is fairly long and is tedious to type each time you want to obtain the output. Second, you can use a script to manipulate the output so that only the actual display names appear on the screen. In other words, you can suppress the REG_SZ DisplayName part of the output.
To run the script, you use the syntax
where computername is the name of the computer you want to query. Because the script uses the computer's name several times, the script stores this value in the targetcomp variable to make the script more legible. To avoid unnecessary waiting, the script uses the Nbtstat command to determine whether the specified computer name is available on the network, as the code at callout A in Listing 1 shows. If the script can't connect to that computer, it informs the user and quits immediately.
The next part of the script involves running the Reg Query command sequence. The For command is a good way to split columns of data. If you look at the command sequence's output in Figure 1, you'll see that it contains three columns, with the application name displayed in the third column. By default, the For command uses white space (i.e., spaces and tabs) as delimiters, which is a problem if you want to single out the third column. By default, the For command treats only the third word as the third column. Take, for example, the first line of output in Figure 1. The third column lists Microsoft Office XP Professional, but the For command understands the third column (or token, in For command lingo) to only be the word Microsoft. To actually display the entire string Microsoft Office XP Professional, you need to use the third, fourth, fifth, and sixth tokens when you echo the string.
You can't anticipate how many words the application name will contain, but you can count on the application name always being the last set of words in the output string starting from the third word. Thus, the script uses the command sequence that callout B shows to capture the entire application name. In this command sequence, the switch "Tokens=1,2,*" %%i tells the For command that you want to capture column 1 in the %%i variable, column 2 in the %%j variable, and the remaining text, starting from the third word, in the %%k variable. If you want to suppress the REG_SZ and Displayname strings, you simply output only the third token. Because you started the token count by using the variable %%i, the %%k variable will contain the third token. (If you're unfamiliar with iterator variables such as %%i, see "Shell Scripting 101, Lesson 8," http://www.winnetmag.com/windowsscripting, InstantDoc ID 21984.)
The %%k variable is the parameter you want to pass to the :getappname section of code, which callout C shows. This code outputs the application name. You could omit using a separate section of code to output the application name by using the Echo command as part of the For loop. However, I chose not to do so because some applications don't have a display name, which means that the %%k variable would be empty. The code in the :getappname section accounts for this variation. Rather than displaying a blank line if the displayname value is missing, the script goes to the end of the file and quits.
Running the Script
QueryInstalledSoftware.cmd has only one dependency: The reg.exe utility must be in the same directory as the script or in a directory that's part of the user or system path. I tested this script on Win2K Service Pack 3 (SP3) and SP4 and on NT 4.0 SP6a. The script also should work with Windows XP, but note that although XP has a built-in reg.exe command, its version doesn't let you query the registries of remote computers. You'll need to obtain the version of reg.exe that lets the \\computername parameter query remote workstations and servers.
Using the Script
This highly functional but simple script remotely displays a list of applications installed on a computer, which might not seem too exciting. However, the script also lists installed hotfixes as part of its output, which can be useful when you're trying to determine whether any of your workstations or servers are vulnerable to attack because a hotfix wasn't installed. If you want to use this script for auditing your entire network, all you need to do is to run the script once for each workstation on your network.