Getting Error While killing Process In Windows

Hi,

I am using the action script below to kill a process in Windows; however, my script is failing on waithidden { pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry)} -ExecutionPolicy Bypass -File powershell.ps1

Please suggest the fix.

action parameter query "Process_Name" with description "Please enter the Process Name" with default value ""
action parameter query "Error_Folder" with description "Please enter the Folder Name and Path" with default value ""

// Disable wow64 redirection on x64 OSes
action uses wow64 redirection {not x64 of operating system}

if { not exists folder (parameter "Error_Folder")}
folder create {parameter "Error_Folder"}
endif

//    CREATEFILE
createfile until END_OF_FILE

# REPLACE THE FOLLOWING WITH THE SCRIPT YOU WANT TO RUN ON THE ENDPOINT

Stop-Process -Name {parameter "Process_Name"}

$? > {parameter "Error_Folder"}\output.txt
$Error > {parameter "Error_Folder"}\error.txt

END_OF_FILE

delete powershell.ps1
move __createfile powershell.ps1

waithidden { pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry)} -ExecutionPolicy Bypass -File powershell.ps1
if {exists file "output.txt" whose (line of it as string contains "False") of folder (parameter "Error_Folder")}
Exit 100
endif

I don’t see anything obviously wrong with your command… but let’s check whether your lookup for PowerShell.exe is working.

Before the ‘wait’ command, let’s create a parameter for your lookup logic to see whether it fails on that line instead:

parameter "PowerShellEXE"="{ pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry)}"

Hi,

Thanks for the help.

That parameter did not give any error and ran successfully.

Kindly guide me on how I can fix the entire issue.

Might be simpler with Taskkill. Here is an example using Java. Substitute in your app/process.

wait taskkill.exe /F /IM java.exe

Thanks for your help, but I wanted to fix that issue in the same way.

We’ll need a snippet of that action running from the client log to determine what’s going on.

Below are the logs:

At 19:44:25 +0530 - mailboxsite (http://srvat0029.dryicelabs.com:52311/cgi-bin/bfgather.exe/mailboxsite8149204)
Downloaded 'http://srvat0029.dryicelabs.com:52311/mailbox/files/a0/cb/a0cb6916c160959983b3dd16037c4684919f48a5' as 'Action 6661.fxf'
Gather::SyncSiteByFile adding files - count: 1
At 19:44:25 +0530 -
Successful Synchronization with site 'mailboxsite' (version 359) - 'http://srvat0029.dryicelabs.com:52311/cgi-bin/bfgather.exe/mailboxsite8149204
At 19:44:26 +0530 -
ActiveDirectory: Refreshed Computer Information - Domain: DRYICELABS
ActiveDirectory: User logged in - Domain: SRVAT0030 User: rakesh.p
ActiveDirectory: User logged in - Domain: SRVAT0030 User: gurjeet.s
User interface process started for user 'rakesh.p'
User interface process started for user 'gurjeet.s'
[ThreadTime:19:44:23] SetupListener success: IPV4/6
[ThreadTime:19:44:25] BESClientUI: Failed to start child UI application '"C:\Program Files (x86)\BigFix Enterprise\BigFix Self Service Application\BigFixSSA.exe"', Error: 4, OSError: 2.
[ThreadTime:19:44:25] BESClientUI: Failed to start child UI application '"C:\Program Files (x86)\BigFix Enterprise\BigFix Self Service Application\BigFixSSA.exe"', Error: 4, OSError: 2.
GatherHashMV command received.
Already have this version of site.
ActiveDirectory: Refreshed User Information - Domain: SRVAT0030 User: rakesh.p
ActiveDirectory: Refreshed User Information - Domain: SRVAT0030 User: gurjeet.s
At 19:44:26 +0530 - mailboxsite (http://srvat0029.dryicelabs.com:52311/cgi-bin/bfgather.exe/mailboxsite8149204)
Relevant - Kill process (fixlet:6661)
At 19:44:26 +0530 -
ActionLogMessage: (action:6661) Action signature verified for Execution
ActionLogMessage: (action:6661) starting action
At 19:44:26 +0530 - actionsite (http://srvat0029.dryicelabs.com:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded action parameter query "Process_Name" with description "Please enter the Process Name" with default value "" (action:6661)
Command succeeded action parameter query "Error_Folder" with description "Please enter the Folder Name and Path" with default value "" (action:6661)
Wow64 redirection disabled. action uses wow64 redirection {not x64 of operating system} (action:6661)
Command succeeded createfile until (action:6661)
Command succeeded delete powershell.ps1 (action:6661)
Command succeeded move __createfile powershell.ps1 (action:6661)
Command started - wait C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File powershell.ps1 (action:6661)
At 19:44:26 +0530 -
Encryption: optional encryption with no certificate; reports in cleartext
At 19:44:35 +0530 -
Report posted successfully

I don’t see an error here, rather the PowerShell command started and at the end of this log has still not completed execution.
Is the PowerShell prompting for user input, like a confirmation message or something like that?

Try:

powershell.exe -executionpolicy bypass -windowstyle hidden -noninteractive -nologo -file "powershell.ps1"
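
The following is an added example, not part of the thread and not code from any poster: a version of the generated powershell.ps1 that cannot block on a confirmation prompt and always writes a result before exiting. The parameter names ProcessName and ErrorFolder, the name check and the exit codes 0/1/2 are assumptions made for this sketch; in the action script the values would come from the Process_Name and Error_Folder action parameters.

```powershell
# Added example. Invoke without a console so nothing can wait for input:
#   powershell.exe -ExecutionPolicy Bypass -NonInteractive -NoLogo -File powershell.ps1 -ProcessName <name> -ErrorFolder <folder>
param(
    [Parameter(Mandatory = $true)][string]$ProcessName,
    [Parameter(Mandatory = $true)][string]$ErrorFolder
)

$ErrorActionPreference = 'Stop'   # make cmdlet errors catchable by try/catch

# Accept only a bare process name: no path, wildcard or script syntax.
# The value is typed in by an operator and the script runs with the agent's rights.
if ($ProcessName -notmatch '^[A-Za-z0-9_.\-]+$') {
    Write-Error "Invalid process name: '$ProcessName'" -ErrorAction Continue
    exit 2
}

if (-not (Test-Path -LiteralPath $ErrorFolder -PathType Container)) {
    New-Item -ItemType Directory -Path $ErrorFolder -Force | Out-Null
}
$outFile = Join-Path $ErrorFolder 'output.txt'
$errFile = Join-Path $ErrorFolder 'error.txt'

try {
    # An explicit -ErrorAction overrides the preference: "not running" is not an error here.
    $procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    if ($procs.Count -gt 0) {
        # Without -Force, Stop-Process asks for confirmation before stopping a
        # process owned by another user, which hangs a hidden, unattended run.
        $procs | Stop-Process -Force -Confirm:$false
    }
    # Written as ASCII; the ">" operator in Windows PowerShell writes UTF-16.
    'True' | Set-Content -LiteralPath $outFile -Encoding ASCII
    exit 0
}
catch {
    # Keep the original contract: output.txt contains "False" on failure.
    'False' | Set-Content -LiteralPath $outFile -Encoding ASCII
    $_ | Out-String | Set-Content -LiteralPath $errFile -Encoding ASCII
    exit 1
}
```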