/build/static/layout/Breadcrumb_cap_w.png

Scripting Question


Powershell Script Successful but not working

03/05/2019 818 views

I have set up a Script to run a Powershell Script to fix an Unquoted Windows Service Path vulnerability.  I have run .ps1 script manually and I know it does what it needs to.  I have set up the following in my K1000 system Script area:

The Entire Parameters Section is:  -nologo -executionpolicy bypass -WindowStyle hidden -file $(KACE_DEPENDENCY_DIR)\Windows_Path_Enumerate.ps1


I will run it against a machine or two for testing, and the results will be Successful (I have masked the Domain and User):


Output Log

Running with credntials provided: domain [xxxxx] user [xxxxx]
Launched Process: powershell.exe

Activity Log

verify - on_verify_success
verify - on_verify_failure
verify - launch_program
Launching program: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' '-nologo -executionpolicy bypass -WindowStyle hidden -file C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\95\Windows_Path_Enumerate.ps1' wait='false'

Debug Log

Running kbot: runkbot 95 1551803362
KBotScript::LogScriptInfo - Start
id=95 name=Copy of Windows Enumerate version=1551803362 type=policy
execute disconnected=false logged_off=true
execute events
KBotScript::LogScriptInfo - Finish
KBotScript::LogScriptInfo - Start
id=95 name=Copy of Windows Enumerate version=1551803362 type=policy
execute disconnected=false logged_off=true
execute events
KBotScript::LogScriptInfo - Finish
KBotScriptManager::CleanupDependencies - clean up dependencies in kbot directory C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\95\
CleanupDependencies: file Windows_Path_Enumerate.ps1 is part of the dependency list, keep the file
runkbot    ----- launching [path='C:\Windows\System32\WindowsPowerShell\v1.0' program='powershell.exe' parms='-nologo -executionpolicy bypass -WindowStyle hidden -file C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\95\Windows_Path_Enumerate.ps1' wait='false'] -----
runkbot    ----- completed [exitCode=0] -----

However, when I check the registry of the machine I've run this on, it is still unquoted, hence the vulnerability remains.  If I run it manually on the PC, it works.  I have 200 PCs I need to do this on, so it would be a blessing if I can get this to work.  It seems it is not taking the ExecutionPolicy setting, but it is not failing, so I can't be sure.  Does anyone have any ideas about how to get this to work?  Thanks for any help anyone can provide

0 Comments   [ + ] Show comments

Comments


All Answers

3

You are running into the 32 bit client restrictions.  I bet the change is going to wow6432node keys under the HKLM\software\ instead of in HKLM\software.

Nate shared this PS code on Kace slack with everyone

# Relaunch in x64 powershell if not already

if ($PSHOME -like "*syswow64*") {

Write-Output 'Relaunching as x64'

& (Join-Path ($PSHOME -replace 'syswow64', 'sysnative') powershell.exe) `

-File $Script:MyInvocation.MyCommand.Path `

@args

Exit

}


Answered 03/05/2019 by: SMal.tmcc
Red Belt

  • https://gist.github.com/ArtisanByteCrafter/91167d5178a13f7c038236a5d7881ca7
    • Thank you for the reply. The problem is, these are 32-Bit OS machines. When I added the lines to switch to 64 Bit, it threw an error. Once I removed the lines, it worked properly
      • my bad assumed 64bit have not been around a 32bit machine in years
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ