Jump to content

DarrenWhite99

Administrator
  • Content Count

    1169
  • Joined

  • Last visited

  • Days Won

    137

DarrenWhite99 last won the day on July 9

DarrenWhite99 had the most liked content!

Community Reputation

368 Excellent

My Information

  • Location
    Redding, California, US
  • Agent Count
    2000 - 3000 Agents

Converted

  • OCCUPATION
    Senior Systems Engineer

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. DarrenWhite99

    Transferring a file from LT Share

    They should work correctly, if the command can complete the task. If you need the value back in the script, that’s where you have trouble.
  2. I made the monitor handle "*" automatically, but it's good to think in MySQL terms. "%" is the wildcard character, not "*". Whenever "*" works as a SQL wildcard it is because someone is changing it to "%" for you.
  3. DarrenWhite99

    Transferring a file from LT Share

    From a scripting perspective, this is the problem with %USERPROFILE%: From CMD.EXE on my computer: C:\Windows\System32>whoami & echo %userprofile% apexnt\dwhite C:\Users\dwhite From Automate Remote Command Prompt against my computer: %windir%\system32> #whoami & echo %userprofile% apexnt\apexservice C:\WINDOWS\system32\config\systemprofile %windir%\system32> whoami & echo %userprofile% nt authority\system C:\WINDOWS\system32\config\systemprofile See the issue? There is no "good" way for Automate to find out what the user profile path is for the logged in user. Wow.. This ended up being a pain. This should mostly work. 🤦‍♂️ powershell.exe "$user=(Get-WmiObject -Query 'select username from win32_computersystem').UserName; $objUser = New-Object System.Security.Principal.NTAccount($user); $SID = $objUser.Translate([System.Security.Principal.SecurityIdentifier]).Value; $userprofile=(Get-ItemProperty \"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$SID\").ProfileImagePath; (Get-Item -path \"Registry::HKEY_USERS\$SID\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\").GetValue('{374DE290-123F-4565-9164-39C4925E467B}', '', 'DoNotExpandEnvironmentNames') -replace '\%USERPROFILE\%',$userprofile" This will work from Automate. It will determine the logged in user, their SID, their profile path, and the download folder location. You can get other folders as well if you replace '{374DE290-123F-4565-9164-39C4925E467B}' with 'Desktop', 'Personal', etc.
  4. When you are having to repeatedly whitelist new versions of previously whitelisted applications, you might want to use a wildcard.
  5. DarrenWhite99

    Script function documentation/reference and utilities

    I have a backup script that exports scripts, scriptlets, internal monitors, etc. It uses powershell to unbundle the items to individual files. Once the XML is sitting there, another tool could parse it and output to text, for simple tracking. Right now I don't know of a simple portable way to chain my script dumps into the JavaScript based decoder.... The various pieces exist, it would just take someone to put them all together.
  6. Yes.. It is a very easy Google Search. Run "dsregcmd /status" Check for "AzureAdJoined : YES" Nothing in Automate tracks this natively though, you would need to create a role definition to test for it.
  7. DarrenWhite99

    CWA Agent Version Update Monitor

    Perhaps it was added previously and renamed. Try running: SELECT * FROM Agents WHERE GUID='81fe7c64-2592-4a08-9461-38cf2ad5ba59'; That will return the row (showing the name) for the Internal Monitor that it should have added or updated.
  8. Just AND, not AND WHERE .. The WHERE has already been added by the monitor.
  9. DarrenWhite99

    Script function documentation/reference and utilities

    The motivation for this document was to help newer scripters read other people’s scripts. Often the way a function appears in the editor and what it’s actually called are between slightly to completely different. Unless you have seen and memorized every function, this document can let you search for what you see in the editor and learn which function is actually behind it.
  10. DarrenWhite99

    Transferring a file from LT Share

    FYI, the profile path may not be that. To get it correctly you must either grab it from the registry, or use an environment variable that resolves to a path inside the profile and back up one level. Even one that references a path such as your appdata or documents can be redirected and not actually point to the profile path root. I’m on mobile so I can’t suggest the “best” variable to try, but you can check available variables easily and find one to use.
  11. DarrenWhite99

    [SOLVED] utorrent uninstallation script - need help on last bit

    Use the regular functions, not their “As Admin” counterparts.
  12. DarrenWhite99

    Alerts are sending emails over and over

    The monitor will generate a new alert for every event it finds. If you are getting the alert over and over, then the event is being logged over and over. That said, typically an event alert that creates a ticket should update an open ticket with any additional events it finds. It sounds like the alert is not configured to create a ticket, it is sending an email. You need to open computer 1571, check out the remote monitors, and determine what is controlling this monitor, and what alert template it is configured to use. (It is group or plugin controlled, most likely). Then determine if the alert template needs to be reconfigured, or the monitor needs a different alert template assigned, etc. Then update the plugin/group configuration for the monitor. Is it also possible that this is being generated by an Internal Monitor, in which case the monitor "identity" field determines if two events are treated like the same thing or not. Normally you have to use a script to consolidate events into a single ticket for these monitors. There are some stock scripts, that are triggered by the stock monitors, for these kinds of events. "Monitor Drive Errors and Raid Failures* (117)", "Monitor Disk Blacklist Events - Informational* (246)", and "Monitor Disk Blacklist Events - Warnings and Errors* (308)". Maybe the monitor was changed from using these scripts to a custom alert template, and that is why you are getting multiple tickets now.
  13. DarrenWhite99

    Autofixing Broken Agents

    There should be no need to use RAWSQL. Just use "plugin_webroot3_computers" for the Table to check, and "LastSeen" as the Field to check. I think this will work better, since you are doing RAWSQL wrong. You can switch to another computer mid-script by changing the value of "@computerid@". So the alert would start on the offline computer (make sure you are using an "Offline" script). Just pick another computerid from the location to run your commands from inside the script, change the value for "@computerid@", run your commands, and then change the "@computerid@" value back so that you can log a result. The stock "Monitor Offline Agent" script does almost exactly this. It would be a good reference for you.
  14. DarrenWhite99

    Monitor Restart Service* Mod

    It looks like you have the command line worked out. My script (which may or may not be modified) has the following on steps 78-80: 78, START SERVICE: @fieldname@ 79, Sleep 60 seconds 80, Resend Service List I would add two steps. First, a Variable Check to see if the service name is one that you have defined (so that you don't enable recovery for EVERY single service that you find stopped one time) and then a Shell step to set the failure recovery parameters. Like: 78, START SERVICE: @fieldname@ 79, Sleep 60 seconds 80, IF @fieldname@ Not In LTSvcMon,Spooler,WSearch THEN Jump to line 82 81, SHELL: SC.EXE Failure "@fieldname@" actions= restart/60000/restart/60000/restart/60000 reset= 3600000 and store the result in %shellresult% 82, Resend Service List Make sure that steps 80/81 are limited to Windows agents only, and that step 81 is set to "Continue On Failure" (you don't want an error from that step to fail the whole script).
  15. You could update the monitor to put a lower limit on the date, which would exclude those 1901 values. In the additional condition, add: AND STR_TO_DATE(computers.WindowsUpdate,'%m/%d/%Y %H:%i:%s')>DATE_ADD(NOW(),INTERVAL -30 YEAR)
×