What you are asking for is not the same thing as what you want
Recently, I had a conversation with a customer over a bit of functionality they wanted in the software they purchased. Specifically, this customer wanted to monitor their server for changes. I was told it was for “Change management”.
Me: “What kind of changes do you want to monitor for?”
Customer: “All changes. We just want to know what was changed and who changed it.”
Me: “Why?”
I should note at this point in the conversation that I’m not a complete idiot. I’ve been asked a variation of this question numerous times. There are a lot of reasons people ask this kind of question, and what they want can be wildly different from one person to another. Here’s a short summary of some of the reasons people want to know.
- Security management
- Integrity checking
- Change control
- Incident prevention
- etc.
Some people want to know for security reasons. Others because they are having problems with employees making changes outside of the normal change control process. Sometimes the monitoring is required as part of industry regulations. And occasionally, a company is trying to be proactive about detecting what might be causing problems that their customers are seeing.
Whatever the reason, what people are asking for is not always the same thing as what they want. Have you ever had a manager who told you to do something, only to find out later that what should have been done wasn’t remotely related to what he really wanted? It’s irritating, to say the least.
When I do any sort of work for someone, I ask what they want, not what they need me to do. The fact is that I’m being hired to solve a problem, not to do a job. There’s a very subtle distinction, but it’s a difference nonetheless. And it is this distinction that allows developers to sell software and separates a good consultant from a mediocre one.
You see, your customer will never actually tell you what you need to know. They will try to tell you what you should do and it’s up to you to figure out what they actually need. Because most of the time, what people are asking for is not actually what they want. For example, take the question posed earlier of monitoring a system for changes.
Most people don’t realize that on your average Windows server, there are thousands of changes every minute. Don’t believe me? Download the latest version of Process Monitor, fire it up, and watch the number of writes to just your registry. You can also monitor for file system changes with this particular tool. Yet this is exactly what this customer was asking for.
Fortunately, I have a demeanor that indicates to people that I really do know what I’m doing and I’m not just an idiot off the streets. Most people will humor my questions, even though sometimes they border on the edge of insanity. This customer was no different and after a short conversation, it turned out that they simply wanted to make sure that unapproved software wasn’t being installed on the servers in question.
It’s a bit different than knowing each and every single change that happens on a machine, wouldn’t you agree?
The next time someone asks you to do something and you’re not sure if they understand what they’re asking for, make sure you ask what they’re trying to do. Worst case, you’ve wasted a few minutes of someone’s time. Best case, you saved them a lot of trouble trying to implement something that they didn’t really want.
I agree with your high-level point, but what does ‘installed’ actually mean anyway? At the end of the day isn’t that just a bunch of registry and file-system writes?
In a way, yes. But is every file write or every registry write a piece of software that’s being installed? Absolutely not. The problem with monitoring the file system and registry for changes is that there’s a ton of stuff that goes in there which has absolutely nothing to do with installing software.
At that point, you have to have solid filters in place that determine what is and isn’t a piece of software being installed. In addition, depending on the software, you may need to know if it’s installed correctly. For example, if an installer lays down 20 DLLs and 5 EXEs, when the user goes and deletes one of each, is that software still installed? Mostly yes. But it’s no longer installed to the “factory specification”, if you will.
Also, file system and registry reads don’t necessarily capture all the details of what’s going on. Things like file shares and entries in the IIS metabase are important. You could, theoretically, create an IIS application on a server, point IIS to a network drive, and then you have a web application installed where the files aren’t on the physical machine.
Point taken that for the most part, what you said about files and registry keys is true. But my point to the customer was that there are a lot of things he hadn’t considered and I could tell he hadn’t really thought the problem through by what he was asking for.
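The distinction drawn in the reply above (unapproved software versus an approved product that is no longer installed to "factory specification"), as an added example that is not part of the original post or its comments. The product names, file names and manifest format are constructed for illustration, and a file inventory like this one would not see the IIS or file-share cases mentioned above.

```python
"""Classify observed software against an approved baseline (added example)."""
import hashlib


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def classify(baseline: dict, observed: dict) -> dict:
    """Both arguments map product name -> {relative file path: sha256}.

    Returns product -> (status, details), where status is one of:
      'intact'      approved and every manifest file matches
      'degraded'    approved, but manifest files are missing or altered
      'unapproved'  present on the server but not in the baseline
      'absent'      approved but not found on the server
    """
    report = {}
    for product, manifest in baseline.items():
        found = observed.get(product)
        if found is None:
            report[product] = ("absent", [])
            continue
        missing = sorted(p for p in manifest if p not in found)
        altered = sorted(p for p in manifest
                         if p in found and found[p] != manifest[p])
        details = [f"missing:{p}" for p in missing]
        details += [f"altered:{p}" for p in altered]
        report[product] = ("degraded" if details else "intact", details)
    for product in observed:
        if product not in baseline:
            report[product] = ("unapproved", sorted(observed[product]))
    return report


def sample():
    """Constructed data: the 20-DLL / 5-EXE installer from the discussion."""
    files = {f"lib{i:02d}.dll": digest(b"dll%d" % i) for i in range(20)}
    files.update({f"tool{i}.exe": digest(b"exe%d" % i) for i in range(5)})
    on_disk = dict(files)
    del on_disk["lib03.dll"], on_disk["tool1.exe"]  # user deleted one of each
    observed = {"ApprovedApp": on_disk,
                "MysteryTool": {"mystery.exe": digest(b"?")}}
    return {"ApprovedApp": files}, observed


if __name__ == "__main__":
    for product, (status, details) in classify(*sample()).items():
        print(f"{product}: {status} {details}")
```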