How do I run a PowerShell script

So I found a fixlet that should allow me to run a ps script. Here is mine:

// Disable wow64 redirection on x64 OSes
action uses wow64 redirection {not x64 of operating system}

delete __createfile

//    CREATEFILE
createfile until END_OF_FILE

# REPLACE THE FOLLOWING WITH THE SCRIPT YOU WANT TO RUN ON THE ENDPOINT
$ProgressPreference = "SilentlyContinue";
Invoke-WebRequest "https://s3.amazonaws.com/agent.exe" -OutFile $env:USERPROFILE\Desktop\agent.exe
Start-Process -FilePath $env:USERPROFILE\Desktop\agent.exe -ArgumentList "/S"
rm -Force $env:USERPROFILE\Desktop\agent.exe
END_OF_FILE

delete powershell.ps1
move __createfile powershell.ps1

waithidden { pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) } -ExecutionPolicy Bypass -File powershell.ps1

Running it locally works, but when I run it through BigFix it’s hit or miss.
My relevance:

  • Make sure it’s a win server: operating system as string starts with "Win2"
  • ps exists: exists file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry)
  • The agent I’m installing doesn’t exist as a service: not exists service "agent"

When I run it on a dummy server, it just says “completed” but nothing was actually changed.
Any idea what I’m missing? I don’t even see the file being downloaded to the desktop.

Since you are not doing anything to run in User context, this will execute as LocalSystem.

If $env:USERPROFILE\Desktop\agent.exe evaluates at all, it’ll probably go to \windows\system32\config\systemprofile\desktop.

And as soon as it executes, the PowerShell script is deleting the agent.exe.

I’d try saving it somewhere outside the user profile, and see whether it installs correctly under the LocalSystem account. I think it should…

2 Likes
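The points in the reply above (LocalSystem context, a path outside the user profile, and the installer being deleted as soon as it starts) applied to the script body, as an added example that is not part of the original thread or of any BigFix template. Assumptions: PowerShell 4 or later for Get-FileHash, staging beside the script via $PSScriptRoot, a hypothetical install.log, and a placeholder SHA-256 that must be replaced with the vendor's published value; the integrity check and the logging go beyond what the reply suggests.

```powershell
# Added example, not from the original thread. Intended to run as LocalSystem.
$ErrorActionPreference = 'Stop'
$ProgressPreference    = 'SilentlyContinue'

# Stage next to this script (the folder the action wrote powershell.ps1 into)
# instead of $env:USERPROFILE, which for LocalSystem is the systemprofile folder.
$installer = Join-Path $PSScriptRoot 'agent.exe'
$log       = Join-Path $PSScriptRoot 'install.log'   # hypothetical log name

# Placeholder: replace with the SHA-256 published for agent.exe.
$expectedSha256 = '<EXPECTED_SHA256_OF_AGENT_EXE>'

function Write-Log([string]$Message) {
    Add-Content -Path $log -Value ("{0} {1}" -f (Get-Date -Format o), $Message)
}

$rc = 1
try {
    # Record the execution context so a "completed" action can be checked afterwards.
    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Log "Running as $who, 64-bit process: $([IntPtr]::Size -eq 8)"

    # Older Windows PowerShell hosts may not offer TLS 1.2 unless asked to.
    [Net.ServicePointManager]::SecurityProtocol =
        [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

    # -UseBasicParsing avoids depending on the Internet Explorer engine,
    # which may not be initialised for the LocalSystem account.
    Invoke-WebRequest -Uri 'https://s3.amazonaws.com/agent.exe' -OutFile $installer -UseBasicParsing

    # Fail closed: do not run a downloaded binary as SYSTEM unless its hash matches.
    $actual = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
    if ($actual -ne $expectedSha256) { throw "Hash mismatch: got $actual" }

    # -Wait blocks until the installer exits, so the cleanup below cannot race it.
    $proc = Start-Process -FilePath $installer -ArgumentList '/S' -Wait -PassThru
    $rc = $proc.ExitCode
    Write-Log "Installer exit code: $rc"
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
}
finally {
    Remove-Item -Path $installer -Force -ErrorAction SilentlyContinue
}
exit $rc
```

When this is pasted between createfile until END_OF_FILE and END_OF_FILE, every literal { has to be written as {{, because the action script treats a single { as the start of a relevance substitution.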

I’m not sure if we’re experiencing the same issue, but the symptoms are definitely the same. It works locally, but when running from BigFix it says completed; however, it’s as if the action didn’t run at all.

For us, it turned out that we had to specify in the action script that it should run using 32-bit PowerShell (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe). Still unsure as to why, but that did the trick.

Here’s a handy template

https://bigfix.me/fixlet/details/3860

2 Likes