BigFix 9.5 - BigFix client not able to run bat file

Hello,

We have an ActionScript which invokes one of our Windows bat files using the waithidden construct, which in turn invokes a ps1 script. In this ps1 script, we add a few PowerShell snapins (e.g. the SQL PS snapins).

Now, when we run our batch file manually, our script execution is successful, since it's run from a regular account. When we run it from the BigFix client, we see a "PowerShell snapins could not be added" error, and this is because the BigFix client (which runs the batch file) runs with the “LOCAL SYSTEM” account.

We were always told that BigFix client has all the permissions, but that does not seem to be the case.

We would like to know how we can run the Windows batch file from ActionScript successfully.
Are there some Windows settings that need to be enabled, or some specific way to get it to run?

Thanks n Best Regards,
Deepak

The client does have a lot of permissions but as it runs as LOCAL SYSTEM it does have some limitations. Many things can have issues as they require a user context. This can be done if there is a user logged in, and in some cases when there is no user logged in, via an override for a wait command. There are a lot of examples on the forum of this but the reference is at:

https://developer.bigfix.com/action-script/reference/execution/override.html

I’d add that this issue is not specific to BigFix but common to all system management tools that run in SYSTEM context. The same kind of thing occurs in SCCM, KACE, and Group Policy. So if you find a solution for your particular use case with any of these other tools, it’ll usually work with BigFix as well.

Easiest way to test interactively is using PSExec to open a window in SYSTEM context, via psexec -i -s cmd.exe

Thanks Alan for providing some insights. Based on the reference link you shared, I believe that if I use the text below, it will be able to run our bat file as the currently logged-in user.

override wait
completion=job
hidden=true
runas=currentuser
wait ./scriptsRunner_Windows.bat

Can you please confirm if my understanding is correct, or suggest an example where we can run as superuser/admin without the need to specify a password, since we want our ActionScript to run in the background without any user interaction.
Further, Is ther, our bat file

Thanks Jason. Yes, Piotr from the BigFix Inventory team has helped us in understanding the issue due to the limitation of the “LOCAL SYSTEM” account, and we have confirmed our script execution failure with psexec. We need a way out of it.

If someone can confirm this or point out a reference example on what is needed here will be helpful for us.
Thanks in advance!

You haven’t told us yet what you are trying to accomplish, except to run a powershell script.

It's a TADDM use case, where we would like to capture details about the software (e.g. SQL Server, Exchange Server) by utilizing the PowerShell snapins provided by SQL/Exchange.

i.e., we would like to get the Windows bat script (and embedded ps1) executed successfully, so that it will generate execution results which we can copy over to the BES server. But right now, we are not able to run it due to the “Local System” account restriction.

Check that the SYSTEM account has logon rights to SQL and Exchange (also with PSExec, using SQL Management Studio and whatever client you are trying with Exchange).

Also you can check in the forum for “override wait” and “runas=” options to run the action under a user account; but I think that requires someone with rights to be logged on at the endpoint.

We are invoking ActionScript execution using the BigFix REST API, and there won't be any user logged onto the endpoint manually, hence it seems the “override wait” and “runas” options won't work for us.

So, does it mean the only option will be to give the “LOCAL SYSTEM” account permissions for SQL and Exchange Server?

Override has functions for running as a user that is not logged in but you have to be on a newer level of the platform to use them. That may be sufficient for your usage.

Also the fact that you are using REST to create an action vs the console doesn’t matter here.

Thanks Alan. Do you have a sample ActionScript snippet to use for override, because we tried a few override options (like currentuser, localuser) in our ActionScript (invoked from the REST API) and it didn't work.

BigFix Client version we are using is: 9.5.5.196.

Hi Deepak
If I understand correctly, you are running a bat file within which you have a PowerShell file to trigger to install, am I right?

Can you share the command-line details of the batch file which you are using in BigFix, and the command line within the batch file for the ps1 file?

I had similar issues last week and I managed to fix them.

Similar scenario where I had to run a PowerShell file. I created a batch file;
within the batch file, below are the commands I used to run the ps1 file:

pushd "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\actionsite\__Download"
powershell -ExecutionPolicy Bypass -file "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\actionsite\__Download\Install-Script.ps1"

Then normally, I ran the batch file... which was successful for me...

I hard-coded the path for PowerShell in the batch file.

Hello Vishnu,

Sorry, but we were trying out the “override” etc. earlier. Yes, we are running a bat file which embeds a PowerShell script, which again invokes another PowerShell script (that tries to add PowerShell snapins).

scriptRunner_Windows.bat
cd %~dp0

powershell.exe Invoke-Command -ScriptBlock { ^
$opt=Get-ExecutionPolicy; ^
if (($opt -ne 'RemoteSigned') -and ($opt -ne 'Unrestricted')) { ^
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope Process; } ^
.\scriptsRunner_Windows.ps1 }

cd %~dp0


./scriptsRunner_Windows.ps1

runSensorScript com.ibm.cdb.discover.sensor.app.db.mssql.sqlserver_7.2.5 sensorCommon.ps1

function runSensorScript ($sensor, $script){
Write-Output "[$sensor, $script]"
$ERRORFILEPATH="${OUTPUTDIR}$sensor$ERRORFILE"
$EC=0

runCmd "executeMainScript" "powershell.exe -noprofile -file .\$sensor\$script"
if($EC -eq 1){
    return
}

## find scripts number to run
$commonContent=[IO.File]::ReadAllText($MAIN)


SensorCommon.ps1

if ($LoadAsSnapin){
if ((Get-PSSnapin -Name "SqlServerProviderSnapin100" -ErrorAction SilentlyContinue) -eq $null){
logDebug "[DEBUG] Adding SqlServerProvider Snapin."
Add-PsSnapin -Name "SqlServerProviderSnapin100" -ErrorAction SilentlyContinue -ErrorVariable errSnapin
}
if ($errSnapin) {
logDebug "[ERROR] There was an error while adding SqlServerProviderSnapin100 snapin."
$errProviderSnapin = $true
$errMsg = $errSnapin
$errSnapin = $null
}
}  # closes "if ($LoadAsSnapin)"; the rest of the script is not shown here

BigFix Agent is running ./scriptsRunner_Windows.bat file

We were able to resolve the problem today based on the suggestion to compare the environment, since we were able to run our scripts successfully with “PsExec -i -s” (i.e. the SYSTEM account), but the BigFix Agent was not able to run our scripts successfully, even though it was also running with the SYSTEM account.

We compared the environment variables used by “PsExec -i -s” and the IBM BigFix Agent when our scripts get executed, and noted that the “Program Files” variable was different. Both “Program Files” and “Program Files (x86)” were pointing to “Program Files (x86)”, i.e. the 32-bit program folder.

The problem was occurring because “BESClient” was executing as a 32-bit process on a 64-bit Windows OS and SQL was 64-bit. Thus, when BESClient tried to load the PowerShell snapins (when it executed the sensor scripts), it was trying to load 32-bit snapins, whereas they were 64-bit (as per SQL Server), and hence it failed.

We identified the fix as follows:

Adding the line below above our script execution inside the BigFix ActionScript:
action uses wow64 redirection {not x64 of operating system}

waithidden "%TEMP_ATH_WIN%\taddmaasd_%TADDM_HOST%\scriptsRunner_Windows.bat"
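The root cause above (a 32-bit BESClient launching the WOW64 copy of powershell.exe, which only sees 32-bit snap-ins and reports "Program Files (x86)" as $env:ProgramFiles) can be confirmed and worked around from inside the script itself, independent of the ActionScript setting. The script below is an added example written for this thread, not code from the original posts or from TADDM/BigFix. It reports the facts a practitioner would compare between "psexec -i -s" and the agent (user, process bitness, PROCESSOR_ARCHITEW6432, the ProgramFiles variables, PSHOME, registered snap-ins), and if it finds itself running as a 32-bit process on a 64-bit OS it relaunches under the native 64-bit Windows PowerShell via the Sysnative alias before attempting Add-PSSnapin. It assumes Windows PowerShell (Get-PSSnapin does not exist in PowerShell 7) and uses the snap-in name from the thread as its default parameter; the function names are mine.

```powershell
# Added example (not from the thread): diagnose the 32-bit/64-bit mismatch
# described above and relaunch under the native 64-bit Windows PowerShell.
# Assumption: Windows PowerShell 3.0+ (snap-ins do not exist in PowerShell 7).
param(
    # Default taken from the SensorCommon.ps1 excerpt in the thread.
    [string]$SnapinName = 'SqlServerProviderSnapin100'
)

function Get-HostBitnessReport {
    # The facts that differ between "psexec -i -s" and a 32-bit agent launch.
    [pscustomobject]@{
        User              = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Is64BitOS         = [Environment]::Is64BitOperatingSystem
        Is64BitProcess    = [Environment]::Is64BitProcess
        # Only set inside a WOW64 (32-bit process on 64-bit Windows) process.
        Wow64Arch         = $env:PROCESSOR_ARCHITEW6432
        # Under WOW64 both of these point at "Program Files (x86)".
        ProgramFiles      = $env:ProgramFiles
        ProgramFilesX86   = ${env:ProgramFiles(x86)}
        PSHome            = $PSHOME
        # 64-bit-only snap-ins are invisible to the 32-bit registry view.
        RegisteredSnapins = @(Get-PSSnapin -Registered -ErrorAction SilentlyContinue |
                              Select-Object -ExpandProperty Name)
    }
}

function Test-SnapinLoadable([string]$Name) {
    # Same call the sensor script makes; returns $true on success, $false on failure.
    if (Get-PSSnapin -Name $Name -ErrorAction SilentlyContinue) { return $true }
    Add-PSSnapin -Name $Name -ErrorAction SilentlyContinue -ErrorVariable addErr
    if ($addErr) {
        Write-Warning ("Add-PSSnapin {0} failed: {1}" -f $Name, $addErr[0].Exception.Message)
        return $false
    }
    return $true
}

$report = Get-HostBitnessReport
$report | Format-List

if ($report.Is64BitOS -and -not $report.Is64BitProcess) {
    # We are the WOW64 powershell.exe. %WINDIR%\Sysnative is a virtual path that
    # bypasses file-system redirection for 32-bit callers, so this resolves to the
    # real 64-bit System32 copy of Windows PowerShell.
    $native = Join-Path $env:WINDIR 'Sysnative\WindowsPowerShell\v1.0\powershell.exe'
    Write-Host "32-bit process on 64-bit Windows; relaunching via $native"
    & $native -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath -SnapinName $SnapinName
    exit $LASTEXITCODE
}

if (Test-SnapinLoadable $SnapinName) {
    Write-Host "Snap-in $SnapinName loaded in $PSHOME as $($report.User)"
    exit 0
}
exit 1
```

Run it once under "psexec -i -s" and once from the agent (via waithidden) and diff the two reports: with a 32-bit client and no "action uses wow64 redirection false" in the action, the agent run shows Is64BitProcess False, Wow64Arch AMD64 and a PSHome under SysWOW64, which is exactly the condition that makes a 64-bit SQL snap-in unloadable. The Sysnative relaunch fixes that from inside the script; the ActionScript-side equivalent is the "action uses wow64 redirection" line from the post above, which makes the client start the native 64-bit cmd.exe in the first place.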