10/18/2019 597 views

I am trying to run a batch file from the K1000 appliance that will copy some files from a network location down to a PC, execute a command to run the USMT ScanState tool and upload the user state to a network location and then delete the folder with the files initially downloaded.

The script works fine when I run it manually but fails to execute when I push it from the K1000, and I don't know why. I run it using my credentials.


Here is the script I am using:

@echo off

XCOPY /i /e \\ITS-USMT01\USMT\%PROCESSOR_ARCHITECTURE% %systemdrive%\USMT

cd %systemdrive%\usmt

cls

ECHO Creating migration store.......

start /b /wait \\its-usmt01\usmt\%PROCESSOR_ARCHITECTURE%\scanstate.exe \\ITS-USMT01\User_States\%computername% /o /c /i:miguser.xml /i:migapp.xml /i:migprinters.xml /uel:30 /efs:skip /v:13 /l:scan.log

goto Done

:Done

cd..

echo Deleting working directory!!!

timeout 30

rd /s /q %systemdrive%\USMT 1>nul 2>nul


The way I did this is by going to Scripts, selecting Windows 7 as the OS, adding my test box as the device to push the script to, selecting Windows run as "Credentials" and selecting my credentials from the list, selecting Notify user before run (just so that I know it is running while testing), allowing run without a logged-in user, and creating a task by just entering the commands above in the On Success run a batch file. After saving, Kace created the file Kace1823.bat in the dependencies section. After that I just click on Run Now. I get notified on my test PC that a task is being run and then it fails. On the status it logs a failed execution with the following entries:

Output Log:

Running with credntials provided: domain [] user [Testadmin]
Creating process returned non-zero: C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\364\kace1823.bat : (4294967295)
Error Code: -1
Status Code: 0

Activity Log:

verify - on_verify_success
verify - on_verify_failure
verify - launch_program
Launching program: 'C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\364\kace1823.bat' '' wait='false

Debug Log:

Running kbot: runkbot 364 1571399111
KBotScript::LogScriptInfo - Start
id=364 name=ScanState version=1571399109 type=policy
execute disconnected=false logged_off=true
execute events
KBotScript::LogScriptInfo - Finish
KBotScript::LogScriptInfo - Start
id=364 name=ScanState version=1571399109 type=policy
execute disconnected=false logged_off=true
execute events
KBotScript::LogScriptInfo - Finish
KBotScriptManager::CleanupDependencies - clean up dependencies in kbot directory C:\ProgramData\Quest\KACE\kbots_cache\\packages\kbots\364\
CleanupDependencies: file kace1823.bat is part of the dependency list, keep the file
runkbot    ----- launching [path='C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\364' program='kace1823.bat' parms='' wait='false'] ----

Comments

  • Thank you all for the good suggestions. I think I have made some good progress however I can't get the script to run with my provided credentials (administrator). If I log into the machine and push the script using logged in user then it runs fine. The modifications I have made to the script are:
    Verify that the file "c:\windows\syswow64\cmd.exe" exists. On success run batch file:
    @echo off

    XCOPY /i /e \\ITS-USMT01\USMT\amd64 %systemdrive%\USMT
    cd %systemdrive%\usmt
    TIMEOUT /T 30
    ECHO Creating migration store.......
    cd %systemdrive%\usmt
    start /b /wait %systemdrive%\usmt\scanstate.exe \\ITS-USMT01\User_States\%computername% /o /c /i:miguser.xml /i:migapp.xml /i:migprinters.xml /uel:30 /efs:skip /v:13 /l:scan.log

    remediation run batch file:

    @echo off

    XCOPY /i /e \\ITS-USMT01\USMT\x86 %systemdrive%\USMT
    cd %systemdrive%\usmt
    TIMEOUT /T 30
    ECHO Creating migration store.......
    cd %systemdrive%\usmt
    start /b /wait %systemdrive%\usmt\scanstate.exe \\ITS-USMT01\User_States\%computername% /o /c /i:miguser.xml /i:migapp.xml /i:migprinters.xml /uel:30 /efs:skip /v:13 /l:scan.log

    Like I said, this script works when running under the logged user but fails if trying to use saved credentials and I am not sure why. I have verified the credentials already. The idea of this script is to collect a user state and copy it to a network share after hours so we can run the loadstate on to a replacement PC 1st thing in the morning ... Any suggestions?

All Answers

0

Are these x64 machines the bat is failing on?  If yes try changing your batch xcopy line to

C:\Windows\Sysnative\XCOPY /i /e \\ITS-USMT01\USMT\%PROCESSOR_ARCHITECTURE% %systemdrive%\USMT


Another thought to try is to be logged on to the machine as your super user and choose run as logged in user to see if that works.

Let us know, that will help eliminate a couple of possibilities.

Answered 10/18/2019 by: SMal.tmcc
Red Belt

  • ^ This is the first thing that comes to mind. You might also have to call the bat via cmd.exe in sysnative so that the %Processor_Architecture% env variable is properly set according to the host OS.

    When I set up scripts that need to be run in the OS-native environment I usually have a verify step that looks for the executable in the 64-bit native path, which will only exist on a 64-bit OS install.
    E.g. if the file "C:\Windows\sysnative\cmd.exe" exists, launch c:\windows\sysnative\cmd.exe /c "(Path to bat)"
    otherwise on remediation launch c:\Windows\System32\cmd.exe /c

    A few additional things I would recommend raul do:
    - Set the run program task to wait for completion as error messages and echo output during the bat should then be logged to debug.
    - If running the script using the System account, verify that the system(s) machine account has sufficient rights to access the network share.

    I've gotten into the habit of making my scripts fairly verbose, which makes it worlds easier to troubleshoot and pinpoint issues as they occur. Kace will capture text output from both .bat and PowerShell scripts when you wait for completion. This has been especially useful on some of my more complicated scripts that span more than 200 lines of code.
    • Thank you all for the great ideas... I have incorporated some of the suggestions and I have things working currently as long as I run the script as the logged in user but it fails if I try to run the script with credentials (using domain administrator credentials).
      The script is as follows:

      Task1
      Verify a file exists "c:\windows\syswow64\cmd.exe"
      on success run batch file:
      @echo off

      XCOPY /i /e \\ITS-USMT01\USMT\amd64 %systemdrive%\USMT
      cd %systemdrive%\usmt
      TIMEOUT /T 30
      ECHO Creating migration store.......
      cd %systemdrive%\usmt
      start /b /wait %systemdrive%\usmt\scanstate.exe \\ITS-USMT01\User_States\%computername% /o /c /i:miguser.xml /i:migapp.xml /i:migprinters.xml /uel:30 /efs:skip /v:13 /l:scan.log

      Remediation:
      run batch file:
      @echo off

      XCOPY /i /e \\ITS-USMT01\USMT\x86 %systemdrive%\USMT
      cd %systemdrive%\usmt
      TIMEOUT /T 30
      ECHO Creating migration store.......
      cd %systemdrive%\usmt
      start /b /wait %systemdrive%\usmt\scanstate.exe \\ITS-USMT01\User_States\%computername% /o /c /i:miguser.xml /i:migapp.xml /i:migprinters.xml /uel:30 /efs:skip /v:13 /l:scan.log

      Any suggestions on running it with other credentials? The idea is to push this to a group of machines after hours to copy the user profiles and then run the loadstate.exe process on a replacement PC. This is part of a Windows 10 migration from Windows 7 and some of the profiles can be rather large so doing this after hours can save us a lot of time.
      • How are you handling the share permissions for the network folder? Is it being granted to a security group or OU? You would need to either give the AD machine objects access to the share or run the script as an AD service account which has access to the share as well as sufficient privileges on the end user workstations. I would consider the service account route a better practice, as you can then limit the share access to just that account and not have users potentially stumble upon it and poke around. It would, however, require quite a bit more work GPO and permission wise.
      • When it runs as logged in user but not with credentials, it is usually because the software has to have a live profile to stage the temp files through. We have a few pieces of software like that here. The way to get around that on a machine no one is on is to use a task chain and use the first task to set autologin and reboot. Then use the next tasks to run what you need to do. The final task clears autologin.
      • The credentials I was testing with have domain admin permissions so the network share permissions should not be an issue I don't think.
0

Can you try mapping a drive to the server and then copying it that way?  I have seen where some batch files we use do not like UNC paths.  I had one I wrote similar to this and never could get it to work.  It copied a program from a share and then launched the exe.  Never would work so I gave up.  

Answered 10/24/2019 by: kjfaucheux@lpssonline.com
Senior White Belt
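
A diagnostic version of the ScanState batch file that combines the suggestions in the answers above: pick the USMT folder from the real OS architecture even when a 32-bit cmd.exe launches the script, log which account the task runs as, and stop with a logged reason if that account cannot read the share. This is an added example, not code from the original poster or from Quest; the server and share names are the ones shown in the thread, and the log location and exit codes 10 and 11 are assumptions.

```batch
@echo off
setlocal
rem Added example, not the original poster's script. Server and share names
rem are the ones shown in the thread; the log location is an assumption.
set "LOG=%SystemRoot%\Temp\usmt_%COMPUTERNAME%.log"
set "SRC=\\ITS-USMT01\USMT"
set "STORE=\\ITS-USMT01\User_States\%COMPUTERNAME%"
set "WORK=%SystemDrive%\USMT"

rem A 32-bit cmd.exe on 64-bit Windows reports x86 in PROCESSOR_ARCHITECTURE
rem and carries the real OS architecture in PROCESSOR_ARCHITEW6432.
set "ARCH=%PROCESSOR_ARCHITECTURE%"
if defined PROCESSOR_ARCHITEW6432 set "ARCH=%PROCESSOR_ARCHITEW6432%"

echo ==== %DATE% %TIME% start, arch=%ARCH% ==== >>"%LOG%"
rem Record the account the task really runs as.
whoami >>"%LOG%" 2>&1

rem Stop early, with a logged reason, if this account cannot read the share.
if not exist "%SRC%\%ARCH%\scanstate.exe" (
    echo ERROR: cannot read %SRC%\%ARCH%\scanstate.exe >>"%LOG%"
    exit /b 10
)

xcopy /i /e /y "%SRC%\%ARCH%" "%WORK%" >>"%LOG%" 2>&1
if errorlevel 1 (
    echo ERROR: xcopy failed, errorlevel %ERRORLEVEL% >>"%LOG%"
    exit /b 11
)

cd /d "%WORK%"
scanstate.exe "%STORE%" /o /c /i:miguser.xml /i:migapp.xml /i:migprinters.xml /uel:30 /efs:skip /v:13 /l:scan.log >>"%LOG%" 2>&1
set "RC=%ERRORLEVEL%"
echo scanstate exit code %RC% >>"%LOG%"

rem Keep scan.log for troubleshooting before the working folder is removed.
copy /y "%WORK%\scan.log" "%SystemRoot%\Temp\" >nul
cd /d "%SystemDrive%\"
rd /s /q "%WORK%"
exit /b %RC%
```

The `whoami` line in the log can be compared with the `domain [] user [Testadmin]` entry in the Output Log, and the script's exit code is passed back to the agent so a failed ScanState is not reported as a success.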