VMware Horizon Community
SteveWH
Enthusiast

Leveraging UEM to maintain a user activity log of logon, logoff, disconnect, reconnect, lock, unlock

We have a Horizon View 7 VDI environment with non-persistent floating pools. We are interested in maintaining a log of the following user events: logon, logoff, disconnect, reconnect, lock, and unlock. Since UEM has the ability to execute scripts when these triggers are detected we created custom VBS scripts for each event that will write the event name, username, VM name, date, time, client name, client IP, connection server name, and connection protocol to a log file on a network share. The problem we are encountering is that the ViewClient related environmental variables aren't always available in the VM when UEM detects the event and launches the script. This results in the script recording the variable name instead of the value. I'm starting this discussion to see if there is another location we can obtain this data. I have attached an example trigger XML file, VBS script, and an event log file showing the problem.


Accepted Solutions
ijdemes
Expert

Hi SteveWH,

Your issue is possibly "timing" related.

If permissions allow it, there is also the possibility to read the registry.

I would first do a check to see if the variable/registry entry exists. If not, wait a little and check again, until it exists, and then add an entry to the log file.

I hope this helps.


\\ Ivan
---
Twitter: @ivandemes
Blog: https://www.ivandemes.com

ijdemes
Expert

Hi SteveWH,

I have conducted a simple test by adjusting your VBscript. Instead of the user environment variables, I used the entries from the registry. I checked both logon and reconnect. Both worked as expected and changes were written to the example.log file. Also when I switch to another client/endpoint, this information (client name/IP) is updated and written to the example.log file.

Here's the adjusted VBscript. You can make your own adjustments and test.

--

Dim filesys, filetxt, getname, path

' Open the shared log file for appending (8 = ForAppending)
Set filesys = CreateObject("Scripting.FileSystemObject")
Set filetxt = filesys.OpenTextFile("\\SERVER\SHARE\example.log", 8)
Set WshNetwork = WScript.CreateObject("WScript.Network")
Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshSysEnv = WshShell.Environment("Volatile")

' Poll every 2 seconds until the broker name is present under HKCU\Volatile Environment
varFound = "false"
Do
  WScript.Echo "variable does not exist yet"
  WScript.Sleep 2000
  If NOT WshShell.RegRead("HKEY_CURRENT_USER\Volatile Environment\ViewClient_Broker_DNS_Name") = "" Then varFound = "true"
Loop Until varFound = "true"

path = filesys.GetAbsolutePathName("\\INFRA01.lab.local\UEM_ProfileArchives\testuser01\example.log")
getname = filesys.GetFileName(path)

' Read the Horizon client details from the registry instead of the environment variables
strViewClient_Broker_DNS_Name = WshShell.RegRead("HKEY_CURRENT_USER\Volatile Environment\ViewClient_Broker_DNS_Name")
strViewClient_Machine_Name = WshShell.RegRead("HKEY_CURRENT_USER\Volatile Environment\ViewClient_Machine_Name")
strViewClient_IP_Address = WshShell.RegRead("HKEY_CURRENT_USER\Volatile Environment\ViewClient_IP_Address")
strViewClient_Protocol = WshShell.RegRead("HKEY_CURRENT_USER\Volatile Environment\ViewClient_Protocol")

' Log line: event, user, VM name, timestamp, client name, client IP, connection server, protocol
filetxt.WriteLine "LOGON " & WshNetwork.UserName & " " & WshNetwork.ComputerName & " " & Now() & " " & strViewClient_Machine_Name & " " & strViewClient_IP_Address & " " & strViewClient_Broker_DNS_Name & " " & strViewClient_Protocol
filetxt.Close

--

I hope this helps.


\\ Ivan
---
Twitter: @ivandemes
Blog: https://www.ivandemes.com
SteveWH
Enthusiast

Good morning,

Thank you for taking a look at my issue. I also believed it was timing related and added a static sleep of 20, 40, up to 60 seconds but it never logged the values of the environmental variables. I confirmed the values existed manually once logged in so I'm not sure why the script can't see them but the user can. I also found those volatile registry keys and tried referencing those instead of the variables but the script doesn't pull them either. Based on your recommendation I tried adding a loop sleep instead of a static 60 second but it never completes and loops forever. When I manually run my script as well as the one you provided they do log the desired information successfully so there is no issue with the scripts themselves. I even tried adding a 'launcher' vbs script that sleeps and then launches a child VBS script with our actual payload but that doesn't work either. It's as if the logon scripts may be running under a different context that doesn't have access to the HKCU or Volatile Variables. Is that a setting in UEM that you know of? Maybe it is running as SYSTEM instead of the user?

SteveWH
Enthusiast

I added a 'whoami' to the routine and saved it to an output file and confirmed it is running as the user and not another context. I can't explain why the script isn't getting the values at logon but it can if you manually run the script after you are logged in.

SteveWH
Enthusiast

I changed cscript to wscript and noticed the VBS script is erroring on the initial regread since the key doesn't exist. This then stops the script from continuing because of the error. I am looking into how to check the existence of the key by using regread and monitoring the err.level and looping until the condition is met. This may still be a timing issue and we just need to continue the loop on error.

0 Kudos
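
A bounded, error-tolerant form of the registry polling discussed in this thread, as an added example (not code posted by either participant): `RegRead` raises an error when the value is missing, so each read is wrapped in `On Error Resume Next`, and the wait is capped so the script always ends and still writes a record. The 30-second budget, the `UNAVAILABLE` placeholder, the event-name argument and the CR/LF stripping are assumptions of this example; the log path is the placeholder share used above.

```vbscript
Option Explicit
Const FOR_APPENDING = 8
Const LOG_PATH = "\\SERVER\SHARE\example.log"   ' placeholder share from the thread
Const REG_BASE = "HKEY_CURRENT_USER\Volatile Environment\"
Const MAX_WAIT_MS = 30000                       ' assumed time budget
Const POLL_MS = 2000

Dim WshShell, WshNetwork, fso, logFile, eventName, broker, line
Set WshShell = CreateObject("WScript.Shell")
Set WshNetwork = CreateObject("WScript.Network")
Set fso = CreateObject("Scripting.FileSystemObject")

' Read one value; return "" instead of raising when it does not exist yet.
Function TryRegRead(valueName)
    Dim result
    result = ""
    On Error Resume Next
    result = WshShell.RegRead(REG_BASE & valueName)
    If Err.Number <> 0 Then result = ""
    Err.Clear
    On Error GoTo 0
    TryRegRead = result
End Function

' Poll for a value until it appears or the time budget is spent.
Function WaitForValue(valueName)
    Dim waited, value
    waited = 0
    value = TryRegRead(valueName)
    Do While value = "" And waited < MAX_WAIT_MS
        WScript.Sleep POLL_MS
        waited = waited + POLL_MS
        value = TryRegRead(valueName)
    Loop
    WaitForValue = value
End Function

' Keep one record per line: the client name is reported by the endpoint, so drop CR/LF.
Function Field(ByVal value)
    If value = "" Then value = "UNAVAILABLE"
    Field = Replace(Replace(value, vbCr, ""), vbLf, "")
End Function

eventName = "LOGON"                              ' default; pass the event name as argument 1
If WScript.Arguments.Count > 0 Then eventName = UCase(WScript.Arguments(0))
broker = WaitForValue("ViewClient_Broker_DNS_Name")

line = eventName & " " & WshNetwork.UserName & " " & WshNetwork.ComputerName & " " & Now() & _
       " " & Field(TryRegRead("ViewClient_Machine_Name")) & _
       " " & Field(TryRegRead("ViewClient_IP_Address")) & _
       " " & Field(broker) & " " & Field(TryRegRead("ViewClient_Protocol"))
Set logFile = fso.OpenTextFile(LOG_PATH, FOR_APPENDING, True)
logFile.WriteLine line
logFile.Close
```

A record with `UNAVAILABLE` fields shows that the trigger fired before the client values were published, which is easier to spot in the log than a missing entry.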
ijdemes
Expert

I run the VBscript from UEM with "async" enabled. Maybe that's the difference. In my environment the script works.


\\ Ivan
---
Twitter: @ivandemes
Blog: https://www.ivandemes.com
SteveWH
Enthusiast

During troubleshooting I did find that to be the problem. I was able to get this working by creating a custom app and setting flexengine to look for 'explorer.exe' and run a pre-import task of the logon VBS script. This is a workaround to sync vs. async environments. It appears the script would never finish (or would timeout), preventing/delaying explorer.exe from launching, which is when the volatile registry keys and environmental variables are available. I can't change sync in this environment so I set the script to execute at explorer.exe launch instead of as a startup script and it is working. Thank you for your help!

ijdemes
Expert

Nice workaround! And good that it works now. Thanks for the feedback.


\\ Ivan
---
Twitter: @ivandemes
Blog: https://www.ivandemes.com