How to find duplicated Hardware IDs in the database 

Feb 14, 2011 09:07 AM

Sometimes it is necessary to search the Symantec Endpoint Protection Manager database for duplicated Hardware ID entries. A Hardware ID (hwid) is a hash that identifies a particular machine, and Symantec Endpoint Protection Manager recognizes each SEP client by its hwid.

On a client, the hwid is stored in two places: in the registry under the key HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID and in the file %ProgramFiles%\Common Files\Symantec Shared\HWID\sephwid.xml

When several clients share the same hwid, only one of them can connect at a time, which causes clients to randomly appear and disappear in the console. The most common cause is a system image that was prepared with Symantec Endpoint Protection already installed and then deployed to the target machines without first cleaning the hwid.

Instructions for preparing Symantec Endpoint Protection for system image creation, and for changing the hwid on an already existing machine, can be found here:

Configuring Symantec Endpoint Protection client for deployment as part of a drive image
http://www.symantec.com/business/support/index?page=content&id=TECH102815&locale=en_US

If you want to check your database for duplicated hwids, connect to your Sybase DB by running %ProgramFiles%\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbisqlc.exe and log in to the database (you can use your existing ODBC settings). The login is dba. Use the password you created during the installation of Symantec Endpoint Protection Manager.

Note: these queries were validated against the embedded Sybase database and were not tested on MS SQL Server.

To show all machines in the database, run the following query:

select client_id "Client unique ID",
       computer_name "Host name",
       hardware_key "Hardware ID",
       isnull((select count(hardware_key)
               from sem_client c2
               where c1.hardware_key=c2.hardware_key
               group by hardware_key
               having count(hardware_key)>1),1) "Number of this HWID in the DB",
       Dateadd(ss, creation_time/1000,'19700101') "Client creation time",
       deleted "To be deleted?"
from sem_client c1
order by 4 desc

It shows the client unique ID, host name, hardware ID, the number of times this hardware ID occurs in the database (1 means that there is no duplication), the time the client was created, and whether the client is marked for deletion (0 means that the client will be removed at the next database maintenance and should not be treated as a duplicate). The result is sorted by the number of occurrences of the hardware ID in the database, in descending order.

If you want to see information on machines with duplicated hardware IDs, run this query:

select client_id "Client unique ID",
       computer_name "Host name",
       hardware_key "Hardware ID",
       (select count(hardware_key)
        from sem_client c2
        where c1.hardware_key=c2.hardware_key) "Number of this HWID in the DB",
       Dateadd(ss, creation_time/1000,'19700101') "Client creation time",
       deleted "To be deleted?"
from sem_client c1
where "Number of this HWID in the DB">1
order by hardware_key

It will show exactly the same columns as the previous query, except that it will be sorted by the Hardware ID column.
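
The two queries above return one row per client. As an added example (not part of the original article, and not validated against a live SEPM database), the following read-only query condenses the same data to one row per duplicated Hardware ID. It assumes only the sem_client columns used above and the LIST() aggregate of Sybase SQL Anywhere.

```sql
-- Added example: summary of duplicated Hardware IDs, one row per hwid.
-- Read-only; uses only sem_client columns that appear in the queries above.
-- list() is the SQL Anywhere string-aggregate function (assumed available
-- in the embedded database; not tested on MS SQL Server).
select hardware_key                                     "Hardware ID",
       count(*)                                         "Client records",
       -- number of different host names registered under this hwid
       count(distinct computer_name)                    "Distinct host names",
       -- comma-separated host names sharing the hwid
       list(distinct computer_name)                     "Host names",
       -- creation_time is in milliseconds since 1970-01-01, as above
       dateadd(ss, min(creation_time)/1000, '19700101') "First created",
       dateadd(ss, max(creation_time)/1000, '19700101') "Last created"
from sem_client
-- skip rows without a hwid so they are not grouped into a false duplicate
where hardware_key is not null
  and hardware_key <> ''
group by hardware_key
having count(*) > 1
order by 2 desc, hardware_key
```

The host names listed for each Hardware ID are the machines whose hwid has to be regenerated using the procedure in the document linked above.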

Comments

Mar 02, 2011 05:15 PM

Nice Info ... :-)

Mar 02, 2011 05:08 PM

Great tip. Thanks a lot.
