Common: Child Processes on Windows Platforms
LocalSystem, because elevated privileges are required to complete several aspects of inventory gathering. In the Core deployment case or the FlexNet Inventory Scanner case, it is possible to run the tracker under a different account, but best practice is to run it with administrator privileges, or you may lose inventory functionality.

Since the tracker always runs with elevated privileges, it is important that it only acts in place of accounts that are known and trusted in your environment. In many cases, the commands or services are already running as LocalSystem on your Oracle server(s), so there is no effective change when the tracker does the same. But with Oracle Database 12c, or with IBM MQ (previously WebSphere MQ), it is possible that a service account has been used. To ensure that only actions by accounts that are trusted are also run by the tracker, it relies on details found in the Windows registry and in Windows Service Control Manager (SCM), both of which can only be modified by a system administrator.
In summary:
- Commands in safe system paths (not writable by other users) are run as LocalSystem.
- Commands found within paths listed in the %PATH% environment variable for the LocalSystem user are run as LocalSystem.
  Note: This makes it important that, as is normal secure practice, you do not allow any unsecured directories to be included in the %PATH% environment variable for the LocalSystem user.
- Other necessary commands and utilities are run as LocalSystem only if:
  - They are normally executed by accounts trusted in your Windows SCM configuration, or
  - They are saved in paths recorded in Oracle keys or IBM MQ keys in the Windows registry.
  - Specifically for java.exe commands, the PerformOracleJavaAuditScan preference is enabled and the java.exe being considered is digitally signed.
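
The %PATH% rule in the summary above can be checked directly on a host. The following PowerShell is an added example, not part of the product or its documentation; it assumes the machine-scope Path value is the one LocalSystem services inherit, and the function name `Get-UnsafePathEntry` and the trusted-SID list are illustrative choices to adapt.

```powershell
# Added example: find directories in the machine-scope PATH where an account
# outside a trusted set could create or replace an executable.

# Trusted principals by well-known SID. Assumption: extend for your environment.
$trustedSids = @(
    'S-1-5-18',      # LocalSystem
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (placeholder ACE, resolved at creation time)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Access-mask bits that allow planting or replacing a file in a directory:
# WriteData/AddFile, AppendData/AddSubdirectory, DeleteChild, WRITE_DAC,
# WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
$writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-UnsafePathEntry {
    param([string]$PathValue = [Environment]::GetEnvironmentVariable('Path', 'Machine'))

    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($entry in ($PathValue -split ';')) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if (-not $dir) { continue }
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A missing directory can be created later by whoever can write to its parent.
            [pscustomobject]@{ Directory = $dir; Principal = $null; Rights = 'directory does not exist' }
            continue
        }
        # Inherited and inherit-only ACEs are included on purpose (conservative).
        $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            # Show a readable account name when the SID resolves, else the raw SID.
            $name = $ace.IdentityReference.Value
            try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{ Directory = $dir; Principal = $name; Rights = $ace.FileSystemRights }
        }
    }
}

Get-UnsafePathEntry | Sort-Object Directory, Principal | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so that every ACL is readable. Each row it returns is a directory to remove from the path or re-permission.
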
Executable | Path | Notes |
---|---|---|
cmd | C:\Windows\System32 | Command line:<br>Purpose: Runs the named script that has been delivered within InventorySettings.xml (these scripts may be updated through the Application Recognition Library). These scripts provide specialized inventory-gathering steps for use with Oracle products. They include the Oracle GLAS scripts required for preparing an Oracle audit report.<br>Invoked using: The account running the ndtrack executable (default: |
db2licm.exe | Path(s) for IBM Db2 found in the Windows registry | Command line:<br>Purpose: Reports inventory of the IBM Db2 Database (including its product identifier) and its optional add-ons, including the available license information.<br>Invoked using: The account running the ndtrack executable (normally |
db2ilist.exe | Path(s) found in the Windows registry for IBM Db2. | Command line:<br>Purpose: Lists all the database instances running in the context where db2ilist is executed (normally, instances from the same database installation that provides the db2ilist executable).<br>Invoked using: The account running the ndtrack executable (normally |
dspmq | Path(s) found in the Windows registry for IBM MQ. | Command line:<br>Purpose: Reports as installation evidence the name (as<br>Invoked using: The account running the ndtrack executable (default: |
dspmqver | Path(s) found in the Windows registry for IBM MQ. | Command line:<br>Purpose: Collect the IBM (or WebSphere) MQ version and build information for inclusion in inventory.<br>Invoked using: The account running the ndtrack executable (default: |
java | Path(s) found in the file system scan in which java was identified. | Command line:<br>Purpose: Determines the Java product name, version information, and publisher.<br>Further notes: Only executed if the PerformOracleJavaAuditScan preference is enabled and the |
lsnrctl | %ORACLE_HOME%\bin | Command line:<br>Purpose: Invokes the Oracle Listener Control utility against a running listener to gather its network port address and the services (local and remote database instances) to which it provides access.<br>Invoked using: The account running the ndtrack executable (default: |
nbtstat | %PATH% | Command line:<br>Purpose: Returns the local NetBIOS name table for the computer at the nominated IP address, as well as the MAC address of the adapter card connecting it to the network. This data is used in discovery.<br>Invoked using: The account running the ndtrack executable (default: |
powershell | On 64-bit systems: %SystemRoot%\system32\WindowsPowerShell\v1.0 and on 32-bit systems: %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0 | Command line:<br>Purpose: Runs the named script that has been delivered within InventorySettings.xml (these scripts may be updated through the Application Recognition Library). These scripts provide specialized inventory-gathering steps for use with Oracle products. They include the Oracle GLAS scripts required for preparing an Oracle audit report.<br>Invoked using: The account running the ndtrack executable (default: |
sqlplus | %ORACLE_HOME%\bin | Command line:<br>Purpose: Perform queries against running Oracle database instances to gather inventory on the Oracle Database product. (For ways that the tracker identifies<br>Invoked using: The account running the ndtrack.exe executable (default: LocalSystem). The account running ndtrack must be a member of the ora_dba security group for the target Oracle Database (where the LocalSystem account is displayed as NT_AUTHORITY\SYSTEM; and if this account is missing, it must be entered as SYSTEM).<br>Tip: From Oracle Database 12c, there is a distinct ora_dba group for each separate %ORACLE_HOME%.<br>Note: This approach means that the tracker can collect inventory only from running database instances. Instances that are discovered, but are not running at inventory time, are reported in the task status: navigate to the discovered device properties, select the Status tab, and expand the Oracle database inventory heading. |
vxlicrep | File path extracted from %VCS_ROOT%. | Command line:<br>Purpose: Creates installation evidence used by the Application Recognition Library to recognize installations of Symantec.<br>Invoked using: The account running the ndtrack executable (default: |