Radmind-pc

From radmind

Revision as of 15:54, 13 July 2007

A rough guide to getting Radmind-PC installed on default Windows XP SP2 client.#:This guide assumes you have access to a working radmind server.#:There is no Radmind server for windows at this time.

Setup

1. Download the most recenet release of Radmind-PC from the Radmind SourceForge site.#:This package includes ntfsdiff, regdiff, ktcheck, lapply, lcreate, regapply, regcreate and the needed dll's.
2. Create the directory c:\radmind
3. Unzip files c:\radmind
4. Added c:\radmind to your PATH environment variable

   setx PATH "%PATH%;C:\radmind"

5. Create the directory c:\radmind\client.#:This directory will hold a client's transcripts.

Create Negative

Set up negative transcripts for the file system and the registry and a

command file referencing them in c:\radmind\client. Name the command file

command.K so that you won't have to specify it repeatedly. Unfortunately

there aren't good default negative transcripts available at the moment.

1. Open a command prompt and cd to c:\
2. Create the filesystem negative transcript

   ntfsdiff -1 "c:\Documents and Settings"#:>> c:\radmind\client\fs-negative.T

   ntfsdiff -1 c:\pagefile.sys >> c:\radmind\client\fs-negative.T

   ntfsdiff -1 c:\radmind\client >> c:\radmind\client\fs-negative.T

   ntfsdiff -1 c:\Recycler >> c:\radmind\client\fs-negative.T

   ntfsdiff -1 "c:\System Volume Information" >> c:\radmind\client\fs-negative.T

3. Store the filesystem negative transcript to your radmind server with zero length files

   lcreate -N -h radmind.server.example.com c:/radmind/client/fs-negative.T

4. Run lcksum.#:When lcksum is updated to work with Windows transcripts, it would be run here.

Create command file on server

1. Move transcript

   mv /var/radmind/tmp/transcript/fs-negative.T /var/radmind/transcript

   mv /var/radmind/tmp/file/fs-negative.T /var/radmind/file

   1. Create a command file for your client

   echo "n #:fs-negative.T" > /var/radmind/command/WinXPSP2.K

2. Added the host or IP of your client to the server's config file and assign it the new command file

   echo "windows.client.example.com#:WinXPSP2.K" >> /var/radmind/config

Create a Baseload

1. Open a command prompt and cd to c:\radmind\client
2. Update the client's command file and transcript

   ktcheck -h radmind.server.example.com

3. Create the filesystem base transcript

   ntfsdiff -C -c sha1 -o fs-base.T c:

4. Store filesystem base transcript to your radmind server

   lcreate -h radmind.server.example.com fs-base.T

Create base registry transcripts

1. Open a command prompt and cd to c:\radmind\client
2. Create the HKEY_LOCAL_MACHINE base registry transcript

   regdiff -C -c sha1 -o reg-hklm-base.T "HKEY_LOCAL_MACHINE"

3. Store HKEY_LOCAL_MACHINE base registry transcript to your radmind server

   regcreate -h radmind.server.example.com reg-hklm-base.T

4. Create the HKEY_USERS base registry transcript

   regdiff -C -c sha1 -o reg-hku-base.T "HKEY_USERS"

5. Store HKEY_USERS base registry transcript to your radmind server

   regcreate -h radmind.server.example.com reg-hku-base.T

PC Transcript Format

Files:

1. f <path> <attributes> O:<owner sid> G:<group sid> D:<dacl><high mtime> <low mtime> <high file size> <low file size> <checksum>

Directories:

1. d <path> <attributes> O:<owner sid> G:<group sid> D:<dacl>

Known Issues

• The tools may not be able to open some files that are open by other processes.#:This can occur when ntfsdiff is trying to checksum a file or lcreate is storing a file on the server.#:One example of a file that has been known to cause problems is XXX.#:To get around this problem with lcreate you can remove the offending file from your transcript.

• C:\WIndows\Debug has a bunch of logs files.#:Should probably make a negative transcript for this.