Wondering if anyone knows how to look into a folder and determine the last file to be created. To clarify, Microsoft released an update which randomized cookie names. This screwed up one of my fixlets that looked for a specific name of the cookie and extracted data from the cookie. We use this to grant local administrator rights to our users remotely. They would go to a webpage and request the access, a cookie was dropped on the system and BigFix looked for the file, extracted user information from the cookie, and added them as admin. Now the name is randomized I have no idea how to find the file anymore.
Previous Relevance: Looked if the file exsisted.
exists file (“C:\users” & (name of current user) & “\AppData\Roaming\Microsoft\Windows\Cookies” & (name of current user) & “@domain.txt”)
Action:
dos net localgroup Administrators ent{following text of first “” of line containing “[” of it of file (“C:\users” & (name of current user) & “\AppData\Roaming\Microsoft\Windows\Cookies” & (name of current user) & “@domain.txt”)} /ADD
delete “C:\users{name of current user}\AppData\Roaming\Microsoft\Windows\Cookies{name of current user}@domain.txt”
Now:
Files have randomly generated names. I’d like it to just check the last created file if possible. Maybe someone has a better idea.
This is awesome. I just have one final question. As you can tell I’m still learning relevance. I need to delete the file after extracting the data and I’m having trouble.
Thoughts?
delete file whose (exists contents whose (it contains “Reason” and it contains “Application Installation”) of it) of folder (“C:\users” & (name of current user) & “\AppData\Roaming\Microsoft\Windows\Cookies”)
Relevance “file whose…” is used to identify conditions on the computer; to query the computer and get back a true or false.
Action Script is used like a batch file or shell script: to make changes to the computer.
Using curly braces {} you can embed relevance in Action Script, as you have in your first post:
delete “C:\users{name of current user}\AppData\Roaming\Microsoft\Windows\Cookies{name of current user}@domain.txt”
So, I haven’t tried this myself, but something like this may work if you are getting a full path back from the “file” query:
delete “{file whose (exists contents whose (it contains “Reason” and it contains “Application Installation”) of it) of folder (“C:\users” & (name of current user) & “\AppData\Roaming\Microsoft\Windows\Cookies”)}”
Of course, that line will fail if the file does not exist.
Sorry I wasn’t very clear; here is what we’re doing. I will share just in case anyone is interested.
Users visit an external website and request local administrative access. The site authenticates the user (Siteminder) and drops a cookie on the system. We use event logging and a SIEM to collect the data for reporting purposes. Once the cookie is on the system BigFix will detect it, extract information from it, add it to the local admin group, and delete the cookie. From there we have a different fixlet that detects the user in the group and gives the client X amount of hours to be admin before it removes it.
Relevance1:
exists file whose (exists contents whose (it contains “Reason” and it contains “Application Installation”) of it) of folder (“C:\users” & (name of current user) & “\AppData\Roaming\Microsoft\Windows\Cookies”)
Action1:
dos net localgroup Administrators ent{following text of first “” of line containing “[” of it of file whose (exists contents whose (it contains “Reason” and it contains “Application Installation”) of it) of folder (“C:\users” & (name of current user) & “\AppData\Roaming\Microsoft\Windows\Cookies”)} /ADD
delete “{file whose (exists contents whose (it contains “Reason” and it contains “Application Installation”) of it) of folder (“C:\users” & (name of current user) & “\AppData\Roaming\Microsoft\Windows\Cookies”)}”
And thank you for your help. One last thing. I know I’m getting close. I just need to get this file deleted and it’s not quite working. See attached screenshot. I think the delete fails because of the quotes, but I could be wrong.
One of my co-workers was able to nail it down. Thank you for your help Noah.
q:name of file whose (exists contents whose (it contains “Reason” and it contains “Application Installation”) of it) of folder (“C:\users” & (name of current user) & “\AppData\Roaming\Microsoft\Windows\Cookies”)
A: Test2.txt
T: 14.794 ms
q:“C:\users” & (name of current user) & “\AppData\Roaming\Microsoft\Windows\Cookies” & name of file whose (exists contents whose (it contains “Reason” and it contains “Application Installation”) of it) of folder (“C:\users” & (name of current user) & “\AppData\Roaming\Microsoft\Windows\Cookies”) as string
delete {“C:\users” & (name of current user) & “\AppData\Roaming\Microsoft\Windows\Cookies” & name of file whose (exists contents whose (it contains “Reason” and it contains “Application Installation”) of it) of folder (“C:\users” & (name of current user) & “\AppData\Roaming\Microsoft\Windows\Cookies”) as string}
You’ve to use “names of files” or else you might see the error with (E: Singular expression refers to nonexistent object.)
Use below: q: names of files whose (exists contents whose (it contains "Reason" and it contains "Application Installation") of it) of folder ("C:\users\" & (name of current user) & "\AppData\Roaming\Microsoft\Windows\Cookies")