WMI/SecurityCenter2 - productstate

    Question

  • Hi

    I am writing an app that picks up information from wmi/securitycenter2 to show what antivirus, antispyware and firewall are installed

    It also returns a productstate value which shows whether product is enabled/disabled and whether definitions are up-to-date or outdated

    I have after lots of research got the app working and it picks up the state correctly for AVG Internet Security 2012 on my computer

    But it appears different companies use different values so it makes it a bit more difficult

    After reading

    wmi-query-windows-securitycenter2

    it appears that if you convert the productstate to HEX then you can read the 2nd or 3rd block to get whether product is enabled/disabled and whether definitions are up-to-date or outdated - I have checked this idea with AVG, Windows Defender and Microsoft Security Essentials and the logic seems to be correct

    What I need to do and can't work out how to - hence my question - is as follows:-

    Convert the product state value I receive when querying i.e. 397312 to HEX i.e. 061000

    Once converted to HEX - how do I pull out the 2nd and 3rd blocks so I can see what the value is and report the relevant status i.e. if last two blocks = 00 then product is up to date or if they = 10 the product is out of date

    And if middle two values = 10 or 11 (I think) it is enabled but if middle two values = 00 or 01 it is disabled


    Any ideas please?



    Examples of results that seem to prove the above logic:-


    AVG Internet Security 2012 (from antivirusproduct WMI)

    262144 (040000) = disabled and up to date

    266240 (041000) = enabled and up to date

    AVG Internet Security 2012 (from firewallproduct WMI)

    266256 (041010) = firewall enabled - (last two blocks not relevant it seems for firewall)

    262160 (040010) = firewall disabled - (last two blocks not relevant it seems for firewall)

    Windows Defender

    393472 (060100) = disabled and up to date

    397584 (061110) = enabled and out of date

    397568 (061100) = enabled and up to date

    Microsoft Security Essentials

    397312 (061000) = enabled and up to date

    393216 (060000) = disabled and up to date


    Darren Rose


    • Edited by wingers Wednesday, April 18, 2012 3:20 PM
    Wednesday, April 18, 2012 2:07 PM

Answers

  • After a few more hours of trying things I think I have got it working:-

    ' Requires: Imports System.Management (and a reference to System.Management.dll)
    Dim av_searcher As New ManagementObjectSearcher("root\SecurityCenter2", "SELECT * FROM AntivirusProduct")
    For Each info As ManagementObject In av_searcher.Get()
        tbAv.AppendText(info.Properties("displayName").Value.ToString() & vbCrLf)

        ' Hex() drops leading zeros (397312 -> "61000"), so pad to six digits;
        ' the three two-character blocks then always sit at positions 1, 3 and 5
        Dim AvStatus As String = Hex(Convert.ToUInt32(info.Properties("productState").Value)).PadLeft(6, "0"c)

        ' 2nd block: enabled / disabled
        If Mid(AvStatus, 3, 2) = "10" Or Mid(AvStatus, 3, 2) = "11" Then
            tbAvStatus.AppendText("AntiVirus enabled" & vbCrLf)
        ElseIf Mid(AvStatus, 3, 2) = "00" Or Mid(AvStatus, 3, 2) = "01" Then
            tbAvStatus.AppendText("AntiVirus disabled" & vbCrLf)
        End If

        ' 3rd block: definitions up-to-date / outdated
        If Mid(AvStatus, 5, 2) = "00" Then
            tbAvCurrent.AppendText("AntiVirus up-to-date" & vbCrLf)
        ElseIf Mid(AvStatus, 5, 2) = "10" Then
            tbAvCurrent.AppendText("AntiVirus outdated" & vbCrLf)
        End If

    Next info

    The above code will get name of installed antivirus and whether enabled/disabled and if up-to-date or out of date and list it in text boxes on a form

    The same code can be modified for antispyware and firewall (only status is needed for firewall, current not required)


    Darren Rose


    • Edited by wingers Wednesday, April 18, 2012 4:14 PM
    • Marked as answer by Mike FengModerator Thursday, April 19, 2012 8:35 AM
    Wednesday, April 18, 2012 4:13 PM
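
An added example, not part of the original thread: the same decoding done with bit masks instead of hex-string slicing, run over the productState values listed in the question. The byte meanings are the ones observed in this thread, not a documented format; `ProductStateDemo`, `DecodedState` and `Decode` are hypothetical names, and an unrecognised byte is reported as "unknown" instead of being skipped.

```vbnet
Imports System

Module ProductStateDemo
    ' Hypothetical helper type: one decoded productState value.
    Structure DecodedState
        Public Status As String       ' "enabled", "disabled" or "unknown"
        Public Definitions As String  ' "up-to-date", "outdated" or "unknown"
    End Structure

    ' Byte meanings follow the observations in this thread (assumption).
    ' For FirewallProduct only Status is meaningful, per the question.
    Function Decode(ByVal productState As Integer) As DecodedState
        Dim middle As Integer = (productState >> 8) And &HFF  ' 2nd hex block
        Dim last As Integer = productState And &HFF           ' 3rd hex block
        Dim result As New DecodedState()

        Select Case middle
            Case &H10, &H11
                result.Status = "enabled"
            Case &H0, &H1
                result.Status = "disabled"
            Case Else
                result.Status = "unknown"
        End Select

        Select Case last
            Case &H0
                result.Definitions = "up-to-date"
            Case &H10
                result.Definitions = "outdated"
            Case Else
                result.Definitions = "unknown"
        End Select
        Return result
    End Function

    Sub Main()
        ' Sample values copied from the question's antivirusproduct results.
        Dim samples As Integer() = {262144, 266240, 393472, 397584, 397568, 397312, 393216}
        For Each s As Integer In samples
            Dim d As DecodedState = Decode(s)
            ' "X6" keeps the leading zero, e.g. 397312 -> 061000
            Console.WriteLine("{0} ({1}) = {2}, definitions {3}",
                              s, s.ToString("X6"), d.Status, d.Definitions)
        Next
    End Sub
End Module
```

Masking the integer avoids depending on how many hex digits `Hex()` happens to return, and the "unknown" branch makes a vendor value outside the observed set visible in the report.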

All replies

  • Thank you for sharing it. It is very meaningful.

    Thanks.

    Best regards,


    Mike Feng

    Thursday, April 19, 2012 8:35 AM
    Moderator