E-Z Audit Technical FAQ

Auditing Topics | Admin Console Topics | Report, Export, Searches Topics | Intranet and Add-on Topics

Troubleshoot the #1 most asked questions about scanning with the troubleshooter in the Quick Start Guide

I have some users whose PCs aren't getting audited / some PCs that won' audit. How do I start troubleshooting?

Are these machines wireless to the LAN? Some wireless cards actually don’t run logon scripts because they don’t acquire a network IP address until after user logon.

Are they using desktop firewall products like Zone Alarm or Norton Internet? Depending how these are configured the firewall program may be stopping the audit module from running because it thinks that, for example, getting DHCP and IP information is suspicious behavior. Many such programs block routine Windows processes until they are explicitly permitted. If they are set not to ask the user what to do (the default for many such programs), they stop the application silently resulting in no audit and no error message.

Check permissions for these users. The folder on your server with the audit module files must have explicit read, write, create, delete, execute permissions, and the folder to save the audits the same less (optionally) execute. Check the advanced properties for sharing for these folders to ensure that the "Everyone" group isn't inheriting any "Deny" permissions, and that you do not have any Group Policies set that would inhibit these users from running the audit.

If users definately can write to the folder on your server with the audit modules (ezscan.exe and ezstart.exe), check for 'errorlog.txt' and if it exists, read it for what messages are being written. It is in plain language and can point you to the fix.

Read the Quick Start Guide

and check the Troubleshooting section. This contains the solutions for the overwhelming majority of auditing issues encountered.

Do I need to add a custom (in-house) program to some list in E-Z Audit for the scanner to find it? Do you rely on databases of "known" programs?

No.

E-Z Audit doesn't rely on lists or databases of "known" software, so you don't need to do a thing. In a Full audit, the .exe details will be reported. In a Basic audit, it will appear in the Installed Software Titles list provided you use a Windows compliant installer.

My audits are not being updated even though the scanner is running normally.

Possible reasons include:

You have set an audit frequency of 0 (zero) days in your configuration file for automated audits. A zero days frequency only audits PCs one time and never again until the existing audit has been deleted or moved to another folder.

If only some PCs are experiencing this, check the folder where ezscan.exe is located on in your server's shared audit folder for errorlog.txt and see what they are reporting. (Note, this file can only be created and updated if your user have Create and Write permissions to the folder where you are running the audits from.)

If a PC has remained logged in continuously for longer than the frequency you set, it would not be re-audited. It is audited at login time, so if your frequency is every day and the PC has been on and logged in for a two, three or more days, then it is not being re-audited.

The audits are not running on XP machines, and XP machines only.

Here are some of the most likely reasons for this, from the Microsoft Knowledge Base:

Description of the Windows XP Professional Fast Logon Optimization feature
http://support.microsoft.com/kb/q305293/

Note this from the above:

Note that Windows XP clients support Fast Logon Optimization in any domain environment. To turn off Fast Logon Optimization, you can use the following policy setting: Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon When this policy is enabled, a Windows XP client behaves in the same manner as a Windows 2000 client at both system startup and at user logon.

A Logon Script Does Not Work If %0 or %0\..\ Calls Multiple Commands
http://support.microsoft.com/?kbid=318689

My Windows XP SP2 users are being asked by Windows if they want to run the audit module. Why and how do I stop this?

If you launch the scan from your logon script using an IP based path, SP2 will show this warning. If you use a UNC with a server name it will not.

Example that causes the problem: " \\192.100.100.1\ezaudit\ezstart.exe " /auto

Examples that won't result in the warning: "\\your_server_name\ezaudit\ezstart.exe" /auto or "X:\ezaudit\ezstart.exe" /auto

I'm getting a 0 MB report for RAM and I have over 2GB of RAM on a Windows 2000 machine.

Update the Windows 2000 machine to SP4 or higher.

Windows 2000 Service Pack 4 corrects some WMI bugs that prevent non-administrators from obtaining some types of data.

I'm not getting Make, Model, Serial Number data on some PCs

1) The PC must run Windows Management Instrumentation, WMI. This is standard with Windows 2000 or newer.

It can be installed to NT4 and Windows 9x machines. You can download the installers for these from the Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=afe41f46-e213-4cbf-9c5b-fbf236e0e875&DisplayLang=en

Very old PCs may also fail to report this data if they do not conform to the SMBIOS 2 standard. Not all vendors conform to the standard, especially "white box" PCs, and may not provide this information.

2) If your PC has WMI, for example an XP machine, WMI may have become corrupted. To fix this read the following from Microsoft TechNet, as it provides examples you can follow to resolve the issue.

http://www.microsoft.com/technet/scriptcenter/topics/help/wmi.mspx

The CPU information for the amount of MHz seems too low.

E-Z Audit reports actual processor speed at the time of the audit.

Processor speed is affected even on an idle machine by power-saving technologies, especially on notebook/laptop machines, as well as for things like shared video processing tasks.

Overheated machines can also lose a lot of speed, so if you are certain the above do not apply, check the cooling fans or environment of the suspect machine.

The audit runs, but they won't save.

Usually this is because the user doesn't have the proper permissions to the folder where you are saving audits to.

Check the Troubleshooting Guide (PDF) that covers the most frequent scanning questions for resolving this and further troubleshooting steps.

If you are still using Novell Netware 3 or 4 you must enable long filename support. If you have Netware 4 and have long filename support, apply the patch as described in the Novell knowledgebase articles below to correct "MIXMODFX" issues. Although they refer specifically to Microsoft Office, it should also resolve this issue.

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10026905.htm

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10021253.htm

I've got some Windows 95/98 machines where I get an error about OLEAUT32.DLL. How do I correct that?

This PC is likely to be in serious need of updating.

OLEAUT32.DLL is a Windows system DLL that is required by many applications. The lowest compatible version is 2.30.4261.

It is updated to a more current version by upgrading your version of Internet Explorer to 5.x or newer.

I get a "UNC Path is not supported error" from Windows when I try to run the E-Z Audit scanner from a Command window (DOS box).

Windows does not allow using UNC paths from inside DOS boxes.

Read this Microsoft Knowledge Base article for more information.

You can click Start > Run then enter the UNC path and command line in the "Open" box.

Why do I get an Invalid Page Fault Error on a PC while scanning?

Invalid Page Fault errors are an extremely generic error to track down and almost any software ever written for the Windows platform can run into one at some time or another. In the context of E-Z Audit scans the most likely causes (and they are very rare) are:

1 - An invalid .exe or .dll file such as a damaged or incomplete downloaded file

2 - A virus or Trojan horse infected file or other malicious software

3 - Unreadable files that are part of an installation CD that's been copied to the hard drive

4 - A DOS or 16-bit program that is running during the audit and that is locked down in use and cannot be scanned. Legacy apps don't play well in modern environments.

I get a KRNL386.EXE Error. What is it and what can be done?

The KRNL386.EXE module is Windows' "DOS emulator" for lack of a better term.

The most likely cause is that a DOS or 16-bit legacy application is running during the audit and is triggering the error when our scanner tries to get information from it.

Since the scan runs when the user logs in, removing the legacy application as a "start up" application resolves the issue.

Does the scanner run each time a PC boots up or logs into my network?

PCs are only audited once per calendar day.

The scanner launcher will run and immediately abort if it finds an audit that is current.

Can I use E-Z Audit to automate audits in a peer-to-peer network?

This is not a supported form of scanning, however here is a work-around you can use:

Open shares on a PC to run the scanner and to save the audits in the same manner as the instructions for doing so with a script via a LAN using a server (as described in the E-Z Audit Quick Start Guide (PDF) -- but at each PC you to create some mechanism to launch the scan when the user logs into the PC.

The simplest method is to create a shortcut to ezstart.exe on your shared folder in the usual manner on the PC that you are sharing-out to other PCs, then make the change indicated below. Once you've done that copy the shortcut file to each User's Startup folder (in NT/2000/XP you can do it in the Documents and Settings\All Users\Start Menu\Startup folder).

To create the shortuct, right-click ezstart.exe and select Create Shortcut.

Open the shortcut properties by right-clicking it, and change the "Target" to include the /auto switch, for example:

"\\the_shared_pc_name_here\shared_foldern_name_here\ezstart.exe" /auto

The type of scan, where to save the audits and how often to audit are regulated by the config.ezc file you create from the admin console.

Note when creating the "save-to" location, do not enter local path that your users' PCs won't recognize. C:\ezaudit$\audits may be fine on your machine but the others will need a true UNC path like the above example

How do I scan non-networked PCs? Can I do so from a USB flash ('thumb") drive? A CD?

You can audit using a USB device or CD-R.

These topics are covered in the User's Guide.

How do I audit servers on a schedule since they rarely get logged into?

You can use Task Manager to run the audit on a schedule.

You can read more in this section of the User's Guide.

I'm not getting license numbers for software. Why?

E-Z Audit will collect information for all programs on your PCs and you can do searches to see who has what, at what version, and so forth.

E-Z Audit does not report back license numbers - with reasons:

Any audit program claiming to deliver license numbers for all installed software is offering a false promise.

For example, they would not be able to do so for E-Z Audit were it installed on a PC they are auditing.

This is because there are no standards for how license numbers are stored. Most software vendors take great pains to encrypt them or "obfuscate" them with derivative numbers.

For example, Microsoft Office stores what they call a PID. This is not a license number. The number Microsoft wants to support the software is the License KEY, namely what's on the CD case or in the contract when buying bulk.

To the best of our knowledge there is no public information available to developers for how to get the actual product key for Microsoft products. There are any number of reverse engineering techniques that could yield this, but we opt not to use any as there are explicit prohibitions for reverse engineering in their End User License agreement.

We report how many of 'x' you have. Most vendors really only care that you've bought the necessary number of licenses, and don't usually care if the numbers are unique on all your machines because in large (and even some small) organizations, PC's are cloned off a disk image, and license numbers get cloned along with the image; so, the numbers are not really relevant, as they are all the same.

I get a Dr. Watson error with a code of c0000005

This is a very generic error type – a memory access violation error – that can be caused by any number of things (and also for E-Z Audit very rare).

It can be an interrupt issue by a driver, an antivirus interference, faulty RAM, or a software conflict.

Troubleshooting these is more a trial and error process than anything else. Ensure you have current, patched antivirus software, ensure there are no attached peripherals with old drivers, that sort of thing. Check what else is running on the server from a software standpoint and terminate any non-essential applications or utilities as a test.

Other possibilities include

If it occurs on the machine being audited:

A DOS-based or old 16-bit application that locks itself when running in such a manner that obtaining file information from it triggers an unrecoverable error;
A corrupted or otherwise invalid .exe or .dll file - such as an aborted download of an installer package when queried triggers an unrecoverable error. Check likely download locations on that machine for any suspect files, for example My Documents or My Downloads
An infected .exe or .dll file - virus, Trojan, etc. Run a full virus scan on the PC.
If you are using synchronization software for PDA type devices that establish an IP connection to the server, we have seen (although not for years) where they bottleneck the network connection and can cause problems. Adding a delay to the scan longer than the default 30 seconds can help. If you are using such software and it is more than a year or two old, check for updated versions from the vendor.

If it occurs on the server that is "hosting" the scanner module:

Check that there are not connectivity issues to the server. Small interruptions to the server can cause errors. Again, extremely rare and also beyond our control to manage.

I get an error message in the Event Viewer that E-Z Audit's scanner has terminated which reads in part: Windows cannot access the file ezscan.exe ...

...for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program E-Z Audit Scanner Module because of this error.

As the audit module, ezscan.exe, is running in the PC’s RAM space but is “physically” on the server, this error indicates that there was a loss of network connectivity while the audit scan was running. It can be a case of a network bottleneck, excessive traffic, or some other sort of “blip” where that PC loses its connection.

The scanner itself puts no load while running (Windows maintains pointers to the server as the source of the application, as it does if it were local), and a tiny one while loading as it loads into RAM. When it saves the data it’s acting like any program saving a file to the network. Depending on the audit that’s between under 100K to around 1MB, so file sizes that are well inside normal sorts of transactions like saving a spreadsheet or Word document.

If that user has a lot of applications he/she starts up either via the startup group or registry, or manually, and any of them either pull over large data sets, or quite simply “hog” resources (some PDA sync tools are notorious for that), the network can slow to where it is effectively a dead line for other apps.

You can troubleshoot that user’s machine for the above, or generally just increase the delay before the audit commences to a longer threshold. The default is 30 seconds. Edit the configuration file and change it to, say, 120 seconds.