Get Caption of SID from RSOP_Session SecurityGroups - vbscript

From the WMI namespace root\rsop\user\<user_SID> I can fetch an array of SecurityGroups using the WQL Select SecurityGroups from RSOP_Session. I end up with a list of SIDs similar to the following:
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-604776629-999
S-1-1-0
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-682003330-9999
S-1-5-32-545
S-1-5-32-544
S-1-5-4
S-1-5-11
S-1-2-0
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-604776629-888
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-604776629-77777
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-604776629-66666
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-604776629-55555
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-604776629-44444
My question: How do I retrieve the caption (name) of those SIDs? Some of them belong to the domain, and yet some others belong to I'm not sure who/what/where... (the problem, of course, is the latter)
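The SIDs in the list above fall into three structural classes, and the structure alone tells you which authority has to be asked for the caption. The following Python is an added example, not part of the question or any answer: it parses each SID string, resolves the well-known ones from a fixed table (those names are stable on every Windows host), and groups the S-1-5-21 SIDs by their domain identifier so that a SID whose domain part differs from the others (the 682003330 entry in the question) is immediately visible as belonging to a different domain or to the local machine SAM. Resolving a domain RID to its caption still needs a directory lookup against that domain (on Windows, LookupAccountSid or the Win32_SID WMI class); that step is deliberately not in this script. The sample SIDs are constructed with made-up domain identifiers.

```python
"""Classify SIDs from RSOP_Session.SecurityGroups by structure.

Added example (not from the original post). Sample SIDs are constructed.
"""
import re
from collections import defaultdict

# Well-known SIDs that appear in the question's list; these names are fixed on every Windows host.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-2-0": "LOCAL",
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(sid):
    """Split 'S-R-A-s1-s2-...' into revision, identifier authority and sub-authorities."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority, rest = int(m.group(1)), int(m.group(2)), m.group(3)
    subs = [int(s) for s in rest.split("-")[1:]]
    return {"revision": revision, "authority": authority, "subauthorities": subs}


def classify(sid):
    """Return (kind, detail) for one SID string."""
    if sid in WELL_KNOWN:
        return "well-known", WELL_KNOWN[sid]
    p = parse_sid(sid)
    subs = p["subauthorities"]
    if p["authority"] == 5 and subs[:1] == [21] and len(subs) == 5:
        # S-1-5-21-<domain identifier: three sub-authorities>-<RID>
        domain = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        rid = subs[4]
        # RIDs below 1000 are reserved for built-in domain principals (e.g. domain groups).
        return "domain", {"domain": domain, "rid": rid, "builtin_rid": rid < 1000}
    if p["authority"] == 5 and subs[:1] == [32]:
        return "builtin", {"rid": subs[1] if len(subs) > 1 else None}
    return "unknown", None


def group_by_domain(sids):
    """Map each domain identifier to the RIDs seen under it; each group must be
    resolved against that domain's own authority to obtain captions."""
    groups = defaultdict(list)
    for sid in sids:
        kind, detail = classify(sid)
        if kind == "domain":
            groups[detail["domain"]].append(detail["rid"])
    return dict(groups)


# Constructed sample modelled on the question's list (domain identifiers are made up).
SAMPLE = [
    "S-1-5-21-1111111111-2222222222-604776629-999",
    "S-1-1-0",
    "S-1-5-21-3333333333-4444444444-682003330-9999",
    "S-1-5-32-545",
    "S-1-5-32-544",
    "S-1-5-4",
    "S-1-5-11",
    "S-1-2-0",
    "S-1-5-21-1111111111-2222222222-604776629-888",
    "S-1-5-21-1111111111-2222222222-604776629-77777",
]

if __name__ == "__main__":
    for sid in SAMPLE:
        print(sid, *classify(sid))
    for domain, rids in group_by_domain(SAMPLE).items():
        print(domain, "->", sorted(rids))
```

Running it against the sample prints one group of RIDs under the first domain identifier and a separate group containing only RID 9999 under the second; that second group is the one whose captions cannot come from the user's own domain controller.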

Process the SAM and SYSTEM hives with YARU (Yet Another Registry Utility) and generate a Password Hash Report from the Report menu, using the "Extracted hives" option for exported hives and the "Live System" option for the system which you are using.
YARU can be found for download at:
https://www.tzworks.net/download_links.php
YARU is located in the middle of the list under Registry and Event Log Analysis.

Related

GetSystemIdForPublisher doesn't return unique ID

I use GetSystemIdForPublisher() to identify machine IDs. According to the documentation they are unique, but I have a handful of machines which return the same ID. These machines are completely unrelated and have no common history. They are located in different countries and belong to different users. The Windows version of these machines is the latest Windows 1909 10.0.18363 update.
The documentation clearly states:
The method will first attempt to use the Trusted Platform Module
(TPM), if present, to get an ID. If a TPM is not present, the method
will try to get an ID from the Unified Extensible Firmware Interface
(UEFI). If neither of these sources is available, this method will
return an ID that is backed by the Windows registry. In the case of
the Windows registry, the ID will not satisfy all the above
guarantees. For example, if a system does not have a TPM or UEFI
support, and thus an ID was obtained from the registry, a clean
install of Windows will result in a new, different ID being returned.
Callers of this method should refer to the Source property of the
returned SystemIdentificationInfo to determine where the ID was
obtained from in order to understand the guarantees provided.
As far as I can see, none of these statements explain to me what is happening here. Does anyone else have an idea what's going on? Any help is highly appreciated!
Addendum:
We got feedback in the form of a CPU-Z report from 2 persons on 2 different continents with the same machine id:
user A:
Mainboard Model Z87M Extreme4 (0x00000444 - 0xECE9B6D4)
UEFI Yes
BIOS Vendor American Megatrends Inc.
BIOS MSG 63-0100-000001-00101111-1xxxx5-Chipset
BIOS Date 12/10/15
Mainboard Vendor 000001
user B:
Mainboard Model 151-BE-E097 (0x0000025D - 0x0A74C7F0)
UEFI Yes
BIOS Vendor American Megatrends Inc.
BIOS MSG 63-0100-000001-00101111-0XXXX5-Chipset
BIOS Date 09/10/15
Mainboard Vendor 000001
both got the same identifier when calling GetSystemIdForPublisher():
XlPRXXXlAPXk-yFXXXJUv3-XXXXXXXXXXXXX = [source is UEFI, ]
==> X included for obfuscation
We have around 60 customers worldwide whose computers return this exact ID.

What are the sysLocation and sysContact objects in snmpd.conf?

I am trying to configure SNMP on Ubuntu 14.04. There is a step where I have to edit the community string along with sysLocation and sysContact but I am not sure what goes there. What are the sysLocation and sysContact objects in the snmpd.conf file and how can I get those values for my machine?
All SNMP devices share the following common configurable parameters:
sysLocation
sysContact
sysName
Read-write and read-only access
community strings (and frequently, a trap community string)
Trap destination
sysLocation is the physical location for the device being monitored. Its definition in RFC 1213 is:
sysLocation OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..255))
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The physical location of this node (e.g., 'telephone closet,
3rd floor')."
::= { system 6 }
RFC 1213's definition of sysContact is similar to that of sysLocation:
sysContact OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..255))
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The textual identification of the contact person for this managed
node, together with information on how to contact this person."
::= { system 4 }
sysContact is a DisplayString. It's fairly obvious what it's used for: it identifies the primary contact for the device in question. It is important to set this object with an appropriate value, as it can help your operations staff determine who needs to be contacted in the event of some catastrophic failure. You can also use it to make sure you're notified, if you're responsible for a given device, when someone needs to take your device down for maintenance or repairs. As with sysLocation, make sure to keep this information up to date as your staff changes. It's not uncommon to find devices for which the sysContact is someone who left the company several years ago.
source: http://docstore.mik.ua/orelly/networking_2ndEd/snmp/ch07_01.htm
SysLocation and SysContact are simply arbitrary SNMP string variables that are part of SNMPV2-MIB and can be fetched with SNMP get.
OID 1.3.6.1.2.1.1.4 == SysContact
OID 1.3.6.1.2.1.1.6 == SysLocation
Most sites I have been involved with use SysLocation as a description of the location of the SNMP managed network device, and SysContact as the contact details of somebody who is in some way responsible for the device.
Warning: SysContact also has a habit of becoming out of date without being modified when staff changes.
To get sysContact using snmpget command line:
snmpget -v1 -c public localhost system.sysContact.0
where "public" is your community string, and "localhost" is the ip address of the machine you want to send the SNMP query to.
These values are defined by the administrator. Common formats include:
syslocation Rack, Room, Building, City, Country [GPSX,Y]
syscontact Your Name <your#email.address>
If all the equipment you monitor is in the same country you can use the format google maps uses: "street, city, state zip". For example searching google maps for the white house returns:
1600 Pennsylvania Ave NW, Washington, DC 20500
syslocation is often used by monitoring applications to generate visual maps.
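The snmpget command shown above and the OIDs listed for sysContact and sysLocation describe one SNMPv1 GetRequest/GetResponse exchange. The following Python is an added example, not from any of the answers: it builds that request byte for byte with a minimal BER encoder, decodes the reply, and includes a constructed stand-in agent (`fake_agent`, assumed here, not snmpd) that answers from a dict holding values in the formats suggested above and, like a real v1 agent, silently drops a request whose community string does not match and returns noSuchName for an OID it does not hold. The community string is the only access control SNMPv1 has, which is why the "public" default used in the snmpget example should never survive into production.

```python
"""SNMPv1 GetRequest/GetResponse for sysContact.0 and sysLocation.0, hand-encoded.

Added example (not from the original answers). The agent below is constructed.
"""

SYS_CONTACT_0 = "1.3.6.1.2.1.1.4.0"   # SNMPv2-MIB::sysContact.0
SYS_LOCATION_0 = "1.3.6.1.2.1.1.6.0"  # SNMPv2-MIB::sysLocation.0
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2   # context-specific PDU tags
NO_SUCH_NAME = 2                          # SNMPv1 error-status


def _length(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def enc_int(v):
    n = (v.bit_length() + 8) // 8          # minimal two's-complement width
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 groups."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(groups))
    return tlv(0x06, bytes(out))


def enc_seq(*items, tag=0x30):
    return tlv(tag, b"".join(items))


def get_request(community, oid, request_id=1):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }."""
    pdu = enc_seq(enc_int(request_id), enc_int(0), enc_int(0),
                  enc_seq(enc_seq(enc_oid(oid), tlv(0x05, b""))), tag=GET_REQUEST)
    return enc_seq(enc_int(0), tlv(0x04, community.encode()), pdu)


def _read(buf, pos):
    """Read one TLV at pos; return (tag, body, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def _dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_message(msg):
    """Return (community, pdu_tag, request_id, error_status, [(oid, value), ...])."""
    _, body, _ = _read(msg, 0)
    _, _, p = _read(body, 0)                 # version
    _, community, p = _read(body, p)
    pdu_tag, pdu, _ = _read(body, p)
    _, rid, q = _read(pdu, 0)
    _, err, q = _read(pdu, q)
    _, _, q = _read(pdu, q)                  # error-index
    _, vbl, _ = _read(pdu, q)
    binds, r = [], 0
    while r < len(vbl):
        _, vb, r = _read(vbl, r)
        _, oid, s = _read(vb, 0)
        vtag, val, _ = _read(vb, s)
        binds.append((_dec_oid(oid), val.decode() if vtag == 0x04 else None))
    return (community.decode(), pdu_tag,
            int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), binds)


def fake_agent(request, table, community="public"):
    """Constructed agent: reply from `table`, drop on wrong community, noSuchName on unknown OID."""
    comm, tag, rid, _, binds = parse_message(request)
    if comm != community or tag != GET_REQUEST:
        return None                          # v1 agents send nothing back for a bad community
    missing = [i for i, (oid, _) in enumerate(binds, 1) if oid not in table]
    if missing:
        err, idx = NO_SUCH_NAME, missing[0]
        varbinds = [enc_seq(enc_oid(oid), tlv(0x05, b"")) for oid, _ in binds]
    else:
        err, idx = 0, 0
        varbinds = [enc_seq(enc_oid(oid), tlv(0x04, table[oid].encode())) for oid, _ in binds]
    pdu = enc_seq(enc_int(rid), enc_int(err), enc_int(idx), enc_seq(*varbinds), tag=GET_RESPONSE)
    return enc_seq(enc_int(0), tlv(0x04, comm.encode()), pdu)


# Constructed values in the formats suggested in the answers above.
AGENT_TABLE = {
    SYS_CONTACT_0: "NOC <noc@example.com>",
    SYS_LOCATION_0: "Rack 12, Room 3, Building A, Berlin, DE",
}


def query(community, oid, table=AGENT_TABLE):
    """One round trip against the constructed agent; None if dropped or errored."""
    resp = fake_agent(get_request(community, oid), table)
    if resp is None:
        return None
    _, tag, _, err, binds = parse_message(resp)
    if tag != GET_RESPONSE or err != 0:
        return None
    return binds[0][1]


if __name__ == "__main__":
    print(get_request("public", SYS_CONTACT_0).hex())
    print(query("public", SYS_CONTACT_0))
    print(query("public", SYS_LOCATION_0))
```

The request bytes printed first are exactly what snmpget -v1 -c public sends for system.sysContact.0; a packet capture of the real command will show the same 40-byte datagram on UDP port 161, which is also why a community string transits the network in clear text under v1/v2c.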

In WinRT can the EasClientDeviceInformation.Id be used as a unique identifier for a specific user on a specific device?

In our WinRT application, we need a unique identifier for a logged in user that is 100% consistent between app launches on the same device and persists between app uninstallations and re-installations on the same device. The identifier only has to be consistent for the same logged in user.
We have looked into the ASHWID but "hardware drift" will permute this ID in unpredictable ways and it is not suitable for our design.
Question: Could the EasClientDeviceInformation.Id be suitable? It sounds good but I can't find much documentation or use cases for it. When and how might this ID change?
EasClientDeviceInformation.Id | id property
Returns the identifier of the local computer. The Id property
represents the DeviceId using the GUID truncated from the first 16
bytes of the SHA256 hash of MachineID, User SID, and App ID where the
MachineID uses the SID of the local users group. Each component of the
GUID is returned in network byte order.

After CreateProcessWithLogonW switch language with alt shift stops working

I encountered a strange problem:
When our application spawns a child process with CreateProcessWithLogonW
switch language with alt-shift stops working in the windows of the new process.
What might be the problem? The OS is XP SP3. The same setup is ok on Win 7.
Additional thing I discovered: This problem only occurs on Win XP Hebrew.
On English XP it works fine.
As Hans Passant has said CreateProcessWithLogonW requires the LOGON_WITH_PROFILE to be set as dwLogonFlags which is the fourth argument of the function in order to load the user registry hive into HKEY_USERS. This will ensure that access to information in the HKEY_CURRENT_USER registry key will produce results that are consistent with a normal interactive logon.
Alternately you can call the LoadUserProfile function before calling CreateProcessWithLogonW.
Registry settings you will want to verify exist for the user whose profile you are loading include
[HKEY_CURRENT_USER\Keyboard Layout\Toggle]
"Hotkey"="3"
"Language Hotkey"="3"
"Layout Hotkey"="3"
[HKEY_CURRENT_USER\Keyboard Layout\Preload]
"1"="00000809"
"2"="e00e0804"
[HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar]
"ShowStatus"=dword:00000000
The values of [HKEY_CURRENT_USER\Keyboard Layout\Toggle] are
1 Key Sequence enabled; use Left-ALT+SHIFT to switch between locales.
2 Key Sequence enabled; use CTRL+SHIFT to switch between locales.
3 Key Sequences disabled.
4 If the default locale is Thai, the accent grave key toggles input locales; otherwise key sequences are disabled.
The values of [HKEY_CURRENT_USER\Keyboard Layout\Preload] are listed here under the KeyName column.
The values of [HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar] are
0 Floating on desktop
4 Docked on the taskbar
3 when set to Hidden which is the default.
Relevant resources include
Similar Stack Overflow Question
CreateProcessWithLogonW function MSDN Reference
Managed CreateProcessWithLogonW

WMI Security Center productState clarification

I'm querying the WMI for "SELECT * FROM AntivirusProduct" on SecurityCenter2 (I'm on Windows 7 at the moment).
I'm having a hard time trying to find what the numbers in productState mean, including AntiSpyware and Firewall as well. Is there any reference for this out there? I want to make sure I can get the correct product states on any Vista or 7 machine (in case these numbers vary from machine to machine).
There's no official documentation on the productState values. The only info I could find is this article which makes assumptions about the productState value meaning based on the byte-by-byte analysis of the value.
The productState values seem to be a bit set that is not documented except through an NDA with Microsoft. It should be possible to map the values returned with the products installed and their state. You could install a single AV product, record its state, then have its virus definitions go out of date, then check how the value changes. There seems to be a limited set of typical values.
Reference: https://bigfix.me/analysis/details/2998358
Here are the productState values I have found from 34 different AV products across over 10000 endpoints which could help reverse engineer the meaning:
( Decimal, Hex, Bit Set )
262144, 40000, 1000000000000000000
262160, 40010, 1000000000000010000
266240, 41000, 1000001000000000000
270336, 42000, 1000010000000000000
327680, 50000, 1010000000000000000
327696, 50010, 1010000000000010000
331776, 51000, 1010001000000000000
344064, 54000, 1010100000000000000
393216, 60000, 1100000000000000000
393232, 60010, 1100000000000010000
393472, 60100, 1100000000100000000
393488, 60110, 1100000000100010000
397312, 61000, 1100001000000000000
397328, 61010, 1100001000000010000
397568, 61100, 1100001000100000000
397584, 61110, 1100001000100010000
458752, 70000, 1110000000000000000
458768, 70010, 1110000000000010000
462848, 71000, 1110001000000000000
462864, 71010, 1110001000000010000
For anyone else, I've found that when converted to Hex, the third character pretty reliably indicates whether or not any particular antivirus product is enabled. (1 = Enabled, 0 = Disabled)
Here's a PowerShell one-liner I wrote to determine if Windows Defender is Enabled or not. You can replace the string to match whichever antivirus product you want.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | ForEach-Object { if ($_.displayName -eq "Windows Defender") { if ([Convert]::ToString($_.productState, 16).PadLeft(6, "0").Substring(2, 1) -eq "1") { Write-Host "Windows Defender is Enabled" } else { Write-Host "Windows Defender is Disabled" } } }
I can't say for certain that every antivirus product correctly reports its product state, but I imagine all the mainstream ones must. I can confirm this also works with Symantec Endpoint Protection.
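The table of observed values and the "third hex digit" rule above are enough to write a decoder that a monitoring job can run over the rows Get-CimInstance returns. The following Python is an added example, not from the answers: it splits productState into its three bytes, applies the third-digit rule exactly as the PowerShell one-liner does, and checks the rule against every value in the posted table. Two things it makes visible that the prose does not: the table itself contains third digits of 2 and 4 (hex 042000 and 054000), which a test for "1" treats as not enabled, and the low byte takes only 0x00 and 0x10 in the table. Reading 0x10 there as "signatures out of date" is a widely circulated community interpretation, not Microsoft documentation, and is marked as an assumption in the code. The sample rows are constructed.

```python
"""Decode the undocumented SecurityCenter2 AntivirusProduct.productState value.

Added example (not from the original answers). Sample rows are constructed.
"""

# Every productState value from the table above, in decimal.
PAGE_VALUES = [262144, 262160, 266240, 270336, 327680, 327696, 331776, 344064,
               393216, 393232, 393472, 393488, 397312, 397328, 397568, 397584,
               458752, 458768, 462848, 462864]


def decode_product_state(state):
    """Split productState into three bytes and interpret the middle and low ones."""
    hex6 = f"{state:06x}"                   # same as [Convert]::ToString(x,16).PadLeft(6,"0")
    high, mid, low = (state >> 16) & 0xFF, (state >> 8) & 0xFF, state & 0xFF
    return {
        "hex": hex6,
        "provider_byte": high,               # 0x04..0x07 in the table; meaning undocumented
        "enabled_digit": hex6[2],            # the digit the one-liner tests
        "enabled": hex6[2] == "1",           # rule from the answer above
        "signatures_current": low == 0x00,   # ASSUMPTION: low byte 0x10 = signatures out of date
    }


def third_digits(values=PAGE_VALUES):
    """Set of third hex digits actually present in a list of productState values."""
    return {f"{v:06x}"[2] for v in values}


def low_bytes(values=PAGE_VALUES):
    return {v & 0xFF for v in values}


def audit(rows):
    """rows: iterable of (displayName, productState) pairs, the two properties the
    one-liner reads from root/SecurityCenter2 AntivirusProduct."""
    return [{"name": name, **decode_product_state(state)} for name, state in rows]


def protected(rows):
    """True when at least one registered product is enabled and (by assumption) current."""
    return any(r["enabled"] and r["signatures_current"] for r in audit(rows))


def unexplained(rows):
    """Products whose third digit is neither 0 nor 1, i.e. outside the rule's two cases."""
    return [r["name"] for r in audit(rows) if r["enabled_digit"] not in "01"]


# Constructed sample rows (not real query output); values are taken from the table.
SAMPLE_ROWS = [
    ("Windows Defender", 393472),     # 060100: disabled, low byte 0x00
    ("ExampleAV Endpoint", 266240),   # 041000: enabled, low byte 0x00
    ("LegacyAV", 397584),             # 061110: enabled, low byte 0x10
    ("OtherAV", 270336),              # 042000: third digit 2, outside the 0/1 rule
]

if __name__ == "__main__":
    for r in audit(SAMPLE_ROWS):
        print(r)
    print("protected:", protected(SAMPLE_ROWS))
    print("unexplained:", unexplained(SAMPLE_ROWS))
    print("third digits seen on the page:", sorted(third_digits()))
```

For monitoring, the useful output is the list from unexplained(): any product landing there needs its state confirmed by another source (the vendor's own status API or the Windows Defender cmdlets) rather than being silently counted as disabled.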
