Jump to content


  • Content Count

  • Joined

  • Last visited

  • Days Won


KKerezman last won the day on January 27

KKerezman had the most liked content!

Community Reputation

10 Good

My Information

  • Location
    Hillsboro OR USA
  • Agent Count
    2000 - 3000 Agents


Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. We're doing it with a script to update an EDF as well, though it's just a one-liner in PowerShell followed by a set of IF checks: (Get-ItemProperty -Path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion’).CurrentBuild Then things like "IF @POWERSHELLRESULT@ = 10240 set EDF to 1507" (okay it's actually "if NOT 10240 skip to next check" but you get the idea) and iterate through all of the options. Which reminds me, I need to add in the 20H2 result to that script, don't I...?
  2. So we're seeing this PSA from ConnectWise @ https://www.connectwise.com/company/trust, and we appreciate the information and guidelines but they left part of it a bit vague: "Check for the presence of the tools Cobalt Strike and Mimikatz." Great idea! But... how? I mean, I can look for 'mimikatz.exe' or something, but that seems a bit brute-force and prone to foiling through obfuscation, and my initial bit of research on Cobalt Strike suggests that I'm more likely to find it by looking for open ports than by any particular EXE. Does anyone who's more into this side of things hav
  3. Thanks to the OP for this script! I made a couple of changes but the core of it was what I needed to get started. I'm filtering out results where the "IDProcess" result is '0' (the Idle processes) and dropping the thread ID data. I also run the PS command as system instead of As Admin, since that fails in a lot of cases. My current full working PS command: Get-WMIObject -cl Win32_PerfFormattedData_PerfProc_Thread | ? {$_.Name -notlike '*_Total*' -and $_.idprocess -notlike '0' } | Sort-Object PercentProcessorTime -desc | select -first 20 | ft -auto Name,IDProcess,PercentProcessorTime I d
  4. Ah, goody. It's so nice when we onboard a client and tell them to look for our branded icon and instead it's the green gear. Quality workmanship there, CW team.
  5. Nobody's ever accused any of us in our organization of being too classy, but I'll look into this nonetheless... 😅
  6. Ian, I'm totally sending my boss your way the next time he gripes about the desktop client closing down after he leaves it running 24/7. 😄
  7. (Apologies for the necroposting.) I'm glad I'm not alone in the frustration with trying to script shell commands on Mac agents. I'm getting a lot of "OK" or even weirder results. For instance, I'm trying to run a 'date' command (I need to populate a variable with "today's" date in a particular string format so I can then parse a log file looking for that string match) and yes, 'date' takes variables in %X format which Automate needs escaped by doubling up the % signs, great, fine. So why does the Shell step of "date '+%%m/%%d/%%y'" give me a %shellresult% of "%m/%d/%y"? Argh. I can r
  8. Yikes... I don't think ticket comments in Automate have any awareness of the idea of internal notes on the Manage side, I'm afraid. I'd be glad to be proved wrong though.
  9. Hello, @KyotoUK, hopefully what we've done may be of some use. Here's the rough breakdown of the script we use. (And we're using an EDF to track if we have or haven't added/updated the admin account.) Shell 'net user [username]', IF %shellresult% contains [username] then jump to part of script where we just use a batch file to update the password. IF %shellresult% doesn't, we need to create a new account. New account - Use the 'add user' script step, then a shell command for 'net localgroup Administrators [username] /add', and to make the password not expire we run a 'WMIC US
  10. Chiming in real quick to say: We ended up abandoning the Sharepoint ISO hosting after one too many "file, what file?" situations. Since we're paying for a Wasabi storage account, we made a bucket with a public read-only ISO in it instead, that seems to be working much, much better. Also the Win10 mount trick @SteveYates described is working a treat. Nice one!
  11. I'm glad I found this post. I just finished fiddling with my copy of Drive Details to create Drive History - 90 Days, with less fiddly data I don't want (why is there output for the drive letter when the header for each section is the drive letter?) and a nice wide expanded graph per drive for better visibility, plus actual sorting the drives in letter order (the original Drive Details was listing our fileserver's drives in order D, C, F, then E). I will never enjoy bashing around in DevExpress but hey, whatever gets the job done.
  12. Jay, I can totally do that. You just need to prep a data field under Computers called something like "Windows 10 Version" (put it into whatever folder you like) and then schedule a periodic run of a data collection script. Our script is a bit brute force, really: Powershell command '(Get-ItemProperty -Path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion’).CurrentBuild' and a series of IF checks (if powershellresult not = 10240 THEN jump to Not1507, set Windows 10 Version EDF to 1507) and so forth. Twice a year we have to expand the script to accommodate the new release ID number. You'll n
  13. I was today years old when I learned there's a REST API inside each ImageManager install. Sweet! Now, why ShadowControl is claiming our 7.5.6 installs are "current" when clearly there've been a couple of significant releases in the meantime is anyone's guess...
  14. Chiming in on this because I just dealt with trying a non-working method to do this and followed up with an actually-working (so far) method. At first I tried setting up an Event Log Remote Monitor for the group in question (long story short, I want to update Bitlocker status with a script after reboots so I know if people have used the "suspend" command incorrectly pre-reboot), but while the monitor applied to each machine it refused to do anything. The solution? Copied one of the built-in "EV - " Internal Monitors, specifically the BlackListed Events - Symantec Endpoint Protection one,
  • Create New...