Radmind-pc
From radmind
(Added updated notes from pc-hack-a-thon) |
Current revision
A rough guide to getting Radmind-PC installed on a default Windows XP SP2 client.
- This guide assumes you have access to a working radmind server.
- There is no Radmind server for Windows at this time.
Setup
- Download the most recent release of Radmind-PC from the Radmind SourceForge site.
- This package includes ntfsdiff, regdiff, ktcheck, lapply, lcreate, regapply, regcreate and the needed DLLs.
- Create the directory C:\radmind
- Unzip the files into C:\radmind
- Add C:\radmind to your PATH environment variable:
- setx PATH "%PATH%;C:\radmind"
- Create the directory C:\radmind\client.
- This directory will hold the client's transcripts.
Create Negative
Set up negative transcripts for the file system and the registry, and a command file referencing them, in C:\radmind\client. Name the command file command.K so that you won't have to specify it repeatedly. Unfortunately there are no good default negative transcripts available at the moment.
- Open a command prompt and cd to C:\
- Create the filesystem negative transcript
- ntfsdiff -1 "C:\Documents and Settings" >> C:\radmind\client\fs-negative.T
- ntfsdiff -1 C:\pagefile.sys >> C:\radmind\client\fs-negative.T
- ntfsdiff -1 C:\radmind\client >> C:\radmind\client\fs-negative.T
- ntfsdiff -1 C:\Recycler >> C:\radmind\client\fs-negative.T
- The C:\Recycler directory does not appear until the Recycle Bin has been used.
- ntfsdiff -1 "C:\System Volume Information" >> C:\radmind\client\fs-negative.T
- ntfsdiff -1 "C:\Windows\Prefetch" >> C:\radmind\client\fs-negative.T
- Other paths that belong in fs-negative.T:
- C:/WINDOWS/system32/CatRoot2/edb.log
- C:/WINDOWS/system32/CatRoot2/tmp.edb
- C:/WINDOWS/system32/config/default
- C:/WINDOWS/system32/config/default.LOG
- C:/WINDOWS/system32/config/SAM
- C:/WINDOWS/system32/config/SAM.LOG
- C:/WINDOWS/system32/config/SECURITY
- C:/WINDOWS/system32/config/SECURITY.LOG
- C:/WINDOWS/system32/config/software
- C:/WINDOWS/system32/config/software.LOG
- C:/WINDOWS/system32/config/system
- C:/WINDOWS/system32/config/system.LOG
- Store the filesystem negative transcript to your radmind server with zero-length files
- lcreate -N -h radmind.server.example.com C:/radmind/client/fs-negative.T
- Run lcksum.
- lcksum does not yet work with Windows transcripts; once it is updated, it would be run here.
Create command file on server
- Move the uploaded transcript and its file directory into place
- mv /var/radmind/tmp/transcript/fs-negative.T /var/radmind/transcript
- mv /var/radmind/tmp/file/fs-negative.T /var/radmind/file
- Create a command file for your client
- echo "n fs-negative.T" > /var/radmind/command/WinXPSP2.K
- Add the hostname or IP of your client to the server's config file and assign it the new command file
- echo "windows.client.example.com WinXPSP2.K" >> /var/radmind/config
Create a Baseload
- Open a command prompt and cd to C:\radmind\client
- Update the client's command file and transcript
- ktcheck -h radmind.server.example.com
- Create the filesystem base transcript
- ntfsdiff -C -c sha1 -o fs-base.T C:
- Store filesystem base transcript to your radmind server
- lcreate -h radmind.server.example.com fs-base.T
Create base registry transcripts
- Open a command prompt and cd to C:\radmind\client
- Create the HKEY_LOCAL_MACHINE base registry transcript
- regdiff -C -c sha1 -o reg-hklm-base.T "HKEY_LOCAL_MACHINE"
- Store HKEY_LOCAL_MACHINE base registry transcript to your radmind server
- regcreate -h radmind.server.example.com reg-hklm-base.T
- Create the HKEY_USERS base registry transcript
- regdiff -C -c sha1 -o reg-hku-base.T "HKEY_USERS"
- Store HKEY_USERS base registry transcript to your radmind server
- regcreate -h radmind.server.example.com reg-hku-base.T
PC Transcript Format
Files:
- f <path> <attributes> O:<owner sid> G:<group sid> D:<dacl> <high mtime> <low mtime> <high file size> <low file size> <checksum>
Directories:
- d <path> <attributes> O:<owner sid> G:<group sid> D:<dacl>
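As an added example that is not part of the Radmind-PC tools, the following Python parses transcripts in the format above and reports what drifted between a stored baseline transcript and a fresh one: new paths, missing paths, and entries whose checksum, size, mtime, attributes, owner or DACL changed. It assumes the high/low mtime and file-size pairs are the two halves of 64-bit values and that the SDDL fields contain no whitespace; the sample transcripts are constructed, not captured from a real client.

```python
"""Parse Radmind-PC transcripts and report drift from a stored baseline. Added
example, not Radmind-PC code; it assumes the high/low mtime and size pairs are
halves of 64-bit values ((high << 32) | low) and that SDDL fields have no spaces."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Entry:
    kind: str                      # 'f' (file) or 'd' (directory)
    path: str
    attributes: str
    owner: str                     # owner SID, 'O:' prefix stripped
    group: str                     # group SID, 'G:' prefix stripped
    dacl: str                      # SDDL DACL, 'D:' prefix stripped
    mtime: Optional[int] = None    # assumed FILETIME, (high << 32) | low
    size: Optional[int] = None     # assumed (high << 32) | low
    checksum: Optional[str] = None

def parse_line(line: str) -> Entry:
    """Trailing fields are fixed in number, so split from the right: a path with spaces survives."""
    kind, rest = line.rstrip("\n").split(" ", 1)
    if kind == "f":
        path, attrs, o, g, d, hm, lm, hs, ls, csum = rest.rsplit(" ", 9)
        return Entry("f", path, attrs, o[2:], g[2:], d[2:],
                     (int(hm) << 32) | int(lm), (int(hs) << 32) | int(ls), csum)
    if kind == "d":
        path, attrs, o, g, d = rest.rsplit(" ", 4)
        return Entry("d", path, attrs, o[2:], g[2:], d[2:])
    raise ValueError(f"unknown transcript entry type: {kind!r}")

def parse_transcript(text: str) -> Dict[str, Entry]:
    """Map path -> Entry for every non-blank transcript line."""
    return {e.path: e for e in map(parse_line, filter(str.strip, text.splitlines()))}

def diff_transcripts(base: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Paths new on the client, paths missing from it, and paths whose checksum,
    size, mtime, attributes, owner or DACL differ from the baseline."""
    common = base.keys() & current.keys()
    return {"added": sorted(current.keys() - base.keys()),
            "removed": sorted(base.keys() - current.keys()),
            "changed": sorted(p for p in common if base[p] != current[p])}

# Constructed sample transcripts (not captured from a real client).
ACL = "O:S-1-5-18 G:S-1-5-18 D:(A;;FA;;;SY)(A;;FA;;;BA)"
BASELINE = f"""d C:/radmind 16 {ACL}
f C:/radmind/ktcheck.exe 32 {ACL} 29900000 4000000000 0 40960 da39a3ee5e6b4b0d3255bfef95601890afd80709
f C:/Program Files/Common Files/readme.txt 32 {ACL} 29900000 4000000000 0 1024 3f786850e387550fdab836ed7e6dc881de23001b"""
FRESH = f"""d C:/radmind 16 {ACL}
f C:/radmind/ktcheck.exe 32 {ACL} 29900123 4000000000 0 40960 0000000000000000000000000000000000000000
f C:/radmind/lapply.exe 32 {ACL} 29900000 4000000000 0 36864 da39a3ee5e6b4b0d3255bfef95601890afd80709"""
```

Running `diff_transcripts(parse_transcript(BASELINE), parse_transcript(FRESH))` flags ktcheck.exe as changed, readme.txt as removed and lapply.exe as added.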
Known Issues
- The tools may not be able to open some files that are held open by other processes.
- This can occur when ntfsdiff is trying to checksum a file or lcreate is storing a file on the server.
- One example of a file that has been known to cause problems is XXX.
- To get around this problem with lcreate you can remove the offending file from your transcript.
- C:\Windows\Debug has a number of log files.
- That directory should probably be covered by a negative transcript.