Exit Code -1073741502 After Task Deployment

Mon, 16 Nov 2020 17:47:12 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = cmd /c "C:\Program Files\Tenable\Nessus Agent\nessuscli.exe" agent unlink --force
Mon, 16 Nov 2020 17:47:12 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() exiting
Mon, 16 Nov 2020 17:47:12 -0500 DebugMessage Command succeeded runhidden cmd /c "C:\Program Files\Tenable\Nessus Agent\nessuscli.exe" agent unlink --force (action:3485126)
Mon, 16 Nov 2020 17:47:12 -0500 DebugMessage bumping active action line
Mon, 16 Nov 2020 17:47:12 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = cmd /c sc config "Tenable Nessus Agent" start=auto
Mon, 16 Nov 2020 17:47:12 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() exiting
Mon, 16 Nov 2020 17:47:12 -0500 DebugMessage Command started - waithidden cmd /c sc config "Tenable Nessus Agent" start=auto (action:3485126)
Mon, 16 Nov 2020 17:47:13 -0500 DebugMessage ReportManager - Attempting to post report
Mon, 16 Nov 2020 17:47:14 -0500 DebugMessage DoUploadFile: None authentication used.
Mon, 16 Nov 2020 17:47:14 -0500 DebugMessage Report posted successfully
Mon, 16 Nov 2020 17:47:14 -0500 DebugMessage ReportManager - report sent successfully.
Mon, 16 Nov 2020 17:47:14 -0500 DebugMessage GetExitCodeThread returned zero
Mon, 16 Nov 2020 17:47:14 -0500 DebugMessage checkpoint 1
Mon, 16 Nov 2020 17:47:14 -0500 DebugMessage Command succeeded (Exit Code=-1073741502) waithidden cmd /c sc config "Tenable Nessus Agent" start=auto (action:3485126)
Mon, 16 Nov 2020 17:47:14 -0500 DebugMessage bumping active action line
Mon, 16 Nov 2020 17:47:14 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = cmd /C sc stop "Tenable Nessus Agent"
Mon, 16 Nov 2020 17:47:14 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() exiting
Mon, 16 Nov 2020 17:47:14 -0500 DebugMessage Command started - waithidden cmd /C sc stop "Tenable Nessus Agent" (action:3485126)
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage GetExitCodeThread returned zero
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage checkpoint 1
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage Command succeeded (Exit Code=-1073741502) waithidden cmd /C sc stop "Tenable Nessus Agent" (action:3485126)
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage bumping active action line
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = false
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() exiting
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage Wow64 redirection disabled. action uses wow64 redirection false (action:3485126)
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage bumping active action line
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = __createfile
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() exiting
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage Command succeeded delete No 'C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\opsite370\__createfile' exists to delete, no failure reported (action:3485126)
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage bumping active action line
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = wizardedit.reg
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() exiting
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage Command succeeded delete wizardedit.reg (action:3485126)
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage bumping active action line
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = Windows Registry Editor Version 5.00
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() exiting
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = 
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = [HKEY_LOCAL_MACHINE\SOFTWARE\Tenable]
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() exiting
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = "TAG"=-
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() exiting
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = 
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage Command succeeded createfile until  (action:3485126)
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage bumping active action line
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = __createfile wizardedit.reg
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() exiting
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage Command succeeded move __createfile wizardedit.reg (action:3485126)
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage bumping active action line
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = regedit /s "wizardedit.reg"
Mon, 16 Nov 2020 17:47:15 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() exiting
Mon, 16 Nov 2020 17:47:15 -0500 DebugMessage Command started - waithidden regedit /s "wizardedit.reg" (action:3485126)
Mon, 16 Nov 2020 17:47:16 -0500 DebugMessage GetExitCodeThread returned zero
Mon, 16 Nov 2020 17:47:16 -0500 DebugMessage checkpoint 1
Mon, 16 Nov 2020 17:47:16 -0500 DebugMessage Command succeeded (Exit Code=-1073741502) waithidden regedit /s "wizardedit.reg" (action:3485126)
Mon, 16 Nov 2020 17:47:17 -0500 DebugMessage bumping active action line
Mon, 16 Nov 2020 17:47:17 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = cmd /C sc start "Tenable Nessus Agent"
Mon, 16 Nov 2020 17:47:17 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() exiting
Mon, 16 Nov 2020 17:47:17 -0500 DebugMessage Command started - waithidden cmd /C sc start "Tenable Nessus Agent" (action:3485126)
Mon, 16 Nov 2020 17:47:17 -0500 DebugMessage GetExitCodeThread returned zero
Mon, 16 Nov 2020 17:47:17 -0500 DebugMessage checkpoint 1
Mon, 16 Nov 2020 17:47:17 -0500 DebugMessage Command succeeded (Exit Code=-1073741502) waithidden cmd /C sc start "Tenable Nessus Agent" (action:3485126)
Mon, 16 Nov 2020 17:47:18 -0500 DebugMessage bumping active action line
Mon, 16 Nov 2020 17:47:18 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() entering, input = cmd /c "C:\Program Files\Tenable\Nessus Agent\nessuscli.exe" agent link --key=9b54f68175b888dd31e3e3341e5da97ab1682d0 --host=test --port=8834 
Mon, 16 Nov 2020 17:47:18 -0500 VerboseMessage RelevanceSubstitution::SubstituteStrings() exiting
Mon, 16 Nov 2020 17:47:18 -0500 DebugMessage Command succeeded runhidden cmd /c "C:\Program Files\Tenable\Nessus Agent\nessuscli.exe" agent link --key=9b54f68175b888dd31e3e3341e5da97ab1682d0 --host=test --port=8834  (action:3485126)
Mon, 16 Nov 2020 17:47:18 -0500 DebugMessage bumping active action line
Mon, 16 Nov 2020 17:47:18 -0500 ActionDebugMessage (action 3485126 ) DoWork: Action completed.
Mon, 16 Nov 2020 17:47:18 -0500 DebugMessage ActionLogMessage: (action:3485126) ending action

@cmcannady

@dj0321, can you try updating your Action Script and try using:

regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Tenable]" "TAG"="-"

@AlanM, any idea why executing a regedit command as shown above would throw this specific exit code?

All of the waithidden commands terminated with non-zero codes though.
I think it could be something more deeply broken in Windows, like a bad PATH value or broken library, but running it all in one batch may be helpful to get some error messages. I’ll post back a recommended action to try when I get back to my computer in a few minutes.

1 Like

@cmcannady - I tried that command and it still comes back with that exit code.

Understood. Let me know. @JasonWalker

Give this a try…

delete __createfile
createfile until END_OF_FILE_MARKER
"C:\Program Files\Tenable\Nessus Agent\nessuscli.exe" agent unlink --force

sc.exe config "Tenable Nessus Agent" start=auto

rem I replaced 'sc stop' with 'net stop' because 'net stop' waits for the service to actually stop, while 'sc stop' returns immediately

net stop "Tenable Nessus Agent"

reg.exe DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Tenable /v TAG /F

net start "Tenable Nessus Agent"

"C:\Program Files\Tenable\Nessus Agent\nessuscli.exe" agent link --key=24a3e7e9be518f9e5ab00e28262faa2c98febdf7d448ff --host=team --port=8834

END_OF_FILE_MARKER

delete reset-nessus.cmd
move __createfile reset-nessus.cmd

action uses wow64 redirection false
waithidden cmd.exe /c ""reset-nessus.cmd" > c:\reset-nessus.log 2>&1"

When this batch runs, it should create a c:\reset-nessus.log file containing both the command output and any error messages. You should be able to check that log and see if there were any error messages presented.

1 Like

Same exit code came back. I also do NOT see the log file. I guess all the commands errored out, hence why the file was not created. @JasonWalker

I’d check whether there is something seriously broken on that handful of machines.
Can you log on to them? Launch a command prompt? Run that script manually?

1 Like

@JasonWalker just logged into about 3 machines, and ran the commands from the command prompt, and there were no issues experienced. Do you have anything else I could try?

Try running them as LocalSystem. Easiest way to do that is to obtain psexec from microsoft.com/sysinternals, and run
psexec -i -s cmd
Then from the elevated command prompt try to run the batch file we created.

1 Like

The return code -1073741502 appears to be STATUS_DLL_INIT_FAILED.
In your case, even the regedit fails with this code. Does regedit work on that system?

2 Likes
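Added example, not part of the original thread or any poster's code: a small triage script that reads BigFix client log lines, converts each signed decimal exit code to its unsigned 32-bit NTSTATUS form, and lists the commands the log marks "Command succeeded" even though they exited non-zero. The first two sample lines are copied from the log at the top of this thread; the last two are constructed, and the name table is a deliberately small subset.

```python
import re

# Small subset of NTSTATUS values a process can exit with (not exhaustive).
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
}

# Matches the "Command succeeded (Exit Code=N) <command> (action:ID)" log form.
LINE_RE = re.compile(
    r"Command succeeded \(Exit Code=(?P<code>-?\d+)\) "
    r"(?P<cmd>.*?) \(action:(?P<action>\d+)\)\s*$"
)

def decode_exit_code(code):
    """Reinterpret a signed exit code as unsigned and split NTSTATUS fields."""
    u = code & 0xFFFFFFFF
    severity = u >> 30            # 3 means STATUS_SEVERITY_ERROR
    return {
        "hex": f"0x{u:08X}",
        "severity": severity,
        "facility": (u >> 16) & 0xFFF,
        "name": NTSTATUS_NAMES.get(u) if severity == 3 else None,
    }

def failed_commands(log_lines):
    """Return (action, command, hex code, name) for every non-zero exit code."""
    findings = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or int(m["code"]) == 0:
            continue
        info = decode_exit_code(int(m["code"]))
        findings.append((m["action"], m["cmd"], info["hex"], info["name"]))
    return findings

SAMPLE_LOG = [
    # Copied from the client log in this thread.
    'Mon, 16 Nov 2020 17:47:14 -0500 DebugMessage Command succeeded (Exit Code=-1073741502) waithidden cmd /c sc config "Tenable Nessus Agent" start=auto (action:3485126)',
    'Mon, 16 Nov 2020 17:47:16 -0500 DebugMessage Command succeeded (Exit Code=-1073741502) waithidden regedit /s "wizardedit.reg" (action:3485126)',
    # Constructed lines: a clean exit and a plain Win32 error code.
    'Mon, 16 Nov 2020 17:48:00 -0500 DebugMessage Command succeeded (Exit Code=0) waithidden cmd /c ver (action:1)',
    'Mon, 16 Nov 2020 17:48:01 -0500 DebugMessage Command succeeded (Exit Code=1060) waithidden cmd /c sc query "No Such Service" (action:1)',
]

if __name__ == "__main__":
    for finding in failed_commands(SAMPLE_LOG):
        print(finding)
```

Codes whose top two bits are both set (severity 3) are treated as NTSTATUS errors; smaller values such as 1060 are left unnamed because they are ordinary process or Win32 error codes.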

Yes. Regedit works just fine.

Anyone have the proper syntax for PSExec to upload a bunch of computer names, and then have it execute the script with all my commands in it? @JasonWalker

I think you should try it, interactively, on one of the problem computers instead.
I suspect there may be something wrong with the LocalSystem account - like a badly-defined PATH or something along those lines.

1 Like

I have tried that. It works great no issues at all once I get on the system via RDP and run the commands. I think this is starting to look like a BigFix issue. Not sure what else could be causing this since the BigFix agent runs as a SYSTEM service. @JasonWalker

Ok, try uninstalling and reinstalling the client; or open a support ticket and see if the support team can help.

1 Like

@jgstew We have already done everything you recommended. From looking at the clients firing back this exit code, it seems like the client is having a hard time running all of the commands and NOT just a single command. The commonality I am seeing between these failing hosts is that they haven’t been restarted in 13-30 days. Not sure if that has something to do with it.

In order to really help troubleshoot, we need the exact actionscript you try each time. Ideally also the client log output for that actionscript as well.

Also, you would really need to run PSExec to run CMD as SYSTEM, then run the command cmd.exe /c ""reset-nessus.cmd" > c:\reset-nessus.log 2>&1" within it to emulate what bigfix is doing. I know you said you used PSExec, but you have to use it that way specifically to fully emulate what you are doing. (just in general, get the command working in CMD, then try it again using CMD /C "_THE_COMMAND_")

I have edited posts above to put things into code blocks so that forum software doesn’t mess with the formatting.

I just tested this on a machine of mine, and this doesn’t seem to work. SC doesn’t seem to take the friendly name of the service like this on my windows system. Are you sure your commands work when you try them manually?

See here:

C:\Windows\Temp>cmd /c "sc query "BES Client""
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.


C:\Windows\Temp>cmd /c "sc query "BESClient""

SERVICE_NAME: BESClient
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

I got a similar result when using the sc config option.

You might also need the following at the very top of the action: action uses wow64 redirection false

ALSO it is very important to note that exit codes don’t come from BigFix itself; they come from whatever command you run with BigFix, and BigFix just passes the error codes on to you as a helpful diagnostic and troubleshooting step.

I would strongly recommend getting just 1 thing to work at a time through bigfix action on a test machine. Like just this and only this: sc.exe config "Tenable Nessus Agent" start=auto before moving onto the next thing.

It would also be helpful to know what specific versions of windows you are doing this on, so that we can better match what you are trying to do.

I’m pretty sure this should be waithidden and not runhidden, but also, I think it needs wrapped in quotes.

These are related:

2 Likes

@jgstew I think everything is getting jumbled in here so let me post what my actionscript looks like today. This actionscript works on most computers, but there is a select number of computers where this is not working.

runhidden cmd /c "C:\Program Files\Tenable\Nessus Agent\nessuscli.exe" agent unlink --force

waithidden cmd /c sc config "Tenable Nessus Agent" start=auto

waithidden cmd /C sc stop "Tenable Nessus Agent"


action uses wow64 redirection false

delete __createfile
delete wizardedit.reg

createfile until @end_create_reg_file
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Tenable]
"TAG"=-
@end_create_reg_file

move __createfile wizardedit.reg
waithidden regedit /s "wizardedit.reg"

waithidden cmd /C sc start "Tenable Nessus Agent"

runhidden cmd /c "C:\Program Files\Tenable\Nessus Agent\nessuscli.exe" agent link --key=24a3e7e9448ff --host=abc123com --port=8834

What OS are the computers running where it doesn’t work?

This definitely doesn’t work on my Windows 2012R2 test machine, and I suspect it also doesn’t work on Windows 7 or Windows 8.1 but I haven’t tried it. It likely doesn’t work anywhere in which this is true: exists versions whose(it < "6.4") of operating systems

If all of the places it does not work are a certain version of windows OR older, then that is probably the issue.

You have to test scripts on both the oldest and newest versions of the OS you are going to run it against and you either need to write it to the lowest common denominator, or you need to do it differently depending on OS version. Also, when you begin rolling things out, if it doesn’t work on a specific set of systems, then test it manually on that exact OS version to see if there is something there that is different.

Generally once you get things working on 1 version of windows, it will work everywhere, but that isn’t a safe assumption until it has been tested everywhere.

That is a pretty significant piece of the puzzle. You need to give us the windows names / versions of the systems in which it doesn’t work or anything else that might be common about them. It would also be useful to understand what % of systems the failures represent. It would also be helpful to know if there are any apparent successes on the specific OS versions in which there are also failures.

1 Like