How to retrieve a command output

Is there any way to retrieve a value in IEM using a command line?

For example, I want to create an analysis that returns the value of the command W32TM /query /status.

Is there any format I can use, or an alternative? Any assistance would be appreciated.

Hello!

In order to achieve this, you must create an action that outputs the value of the command to some location (file? registry?) then return the value of the location using an analysis. Relevance language is designed to NOT be able to execute commands against a given endpoint as a security measure.

Thanks aram. By any chance do you have the commands for the actions and relevance you mentioned, or could you at least direct me to the right forum to get them?

Thanks

You are going to need to create a Task to execute your command and capture the output to a file.

I’ve done similar things in the past retrieving the status of PGP encryption. I’ve always pulled the data into a client setting so I don’t have to worry about files vanishing. I later pull the value of the setting back with an Analysis.

To do this, create a Task with your desired Targeting Relevance.
The action script should look like …

delete w32tm.txt
waithidden W32TM /query /status > w32tm.txt

if {(exists file "w32tm.txt")}
    if {(exists lines of file "w32tm.txt")}
        // join the lines with a delimiter: a plural result substituted directly is concatenated with no separator
        setting "W32tmStatus"="{concatenation "|" of lines of file "w32tm.txt"}" on "{now}" for client
    else
        setting "W32tmStatus"="#NO LINES#" on "{now}" for client
    endif
else
    setting "W32tmStatus"="#NO RESULTS#" on "{now}" for client
endif

You can then use an Analysis to return the values of the “W32tmStatus” setting.


I’m having trouble with the task to create the file.

This does not work.

delete w32tm.txt
waithidden W32TM /query /status > w32tm.txt

This works in PowerShell and in BigFix as PowerShell. For some reason it’s removing my backslashes when I post here, but they are there; I can even see them as I’m editing.

Remove-Item -Path "C:\@oneneck\w32tm.txt" -ErrorAction SilentlyContinue
W32TM /query /status | out-file -FilePath "c:\@oneneck\w32tm.txt"

However, when I take a BigFix Action Script and run it as PowerShell, every line completes but it never creates the file. I also added Start-Transcript and it never even creates the transcript file.

if {not exists folder "C:\@oneneck"}
folder create "c:\@oneneck"
continue if {exists folder "C:\@oneneck"}

//1. Save old ExecutionPolicy value
parameter "PolicyExisted"="{exists value "ExecutionPolicy" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of (if exists x64 registry then x64 registry else registry)}"
parameter "oldExecutionPolicy"="{if (parameter "PolicyExisted" as boolean) then (value "ExecutionPolicy" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of (if exists x64 registry then x64 registry else registry) as string) else ""}"
//2. set to ExecutionPolicy=Unrestricted  and Pull PowerShell exe from registry... if 64bit then pull PowerShell x64 
if {x64 of operating system}
	regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="Unrestricted"
	parameter "PowerShellexe"="{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of x64 registry}"
else
	//we need to determine what the current execution policy is so we can put it back when we're done.
	regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="Unrestricted"
	parameter "PowerShellexe"="{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of registry}"
endif

//3. Create PowerShell Script and save to ps1 file
delete __createfile
delete time.ps1

createfile until END_OF_FILE

Start-Transcript -path "C:\@oneneck\w32transcript.txt" -verbose
Remove-Item -Path "C:\@oneneck\w32tm.txt" -ErrorAction SilentlyContinue
W32TM /query /status | out-file -FilePath "c:\@oneneck\w32tm.txt"
Stop-Transcript

END_OF_FILE

move __createfile time.ps1

action uses wow64 redirection false
waithidden "{parameter "PowerShellexe"}" -file "{pathname of client folder of current site}\time.ps1"

//4. Restore ExecutionPolicy back
if {x64 of operating system}
if {parameter "PolicyExisted" as boolean}
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="{parameter "oldExecutionPolicy"}"
else
regdelete64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"
endif
else
if {parameter "PolicyExisted" as boolean}
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="{parameter "oldExecutionPolicy"}"
else
regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"
endif
endif

Here are the results. Again, I don’t know why this forum is removing the \ when I post. It should be c:\@oneneck

The action executed successfully.
This action has been applied 1 time and will not be applied again.

Status Completed 
Start Time 02/23/22 09:25:47 
End Time 02/23/22 09:25:47 
Exit Code None 
Action Script Execution Detail
Completed if {not exists folder "C:\@oneneck"} 
Completed folder create "c:\@oneneck" 
Completed continue if {exists folder "C:\@oneneck"} 
Completed //1. Save old ExecutionPolicy value 
Completed parameter "PolicyExisted"="{exists value "ExecutionPolicy" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of (if exists x64 registry then x64 registry else registry)}" 
Completed parameter "oldExecutionPolicy"="{if (parameter "PolicyExisted" as boolean) then (value "ExecutionPolicy" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of (if exists x64 registry then x64 registry else registry) as string) else ""}" 
Completed //2. set to ExecutionPolicy=Unrestricted and Pull PowerShell exe from registry... if 64bit then pull PowerShell x64 
Completed if {x64 of operating system} 
Completed regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="Unrestricted" 
Completed parameter "PowerShellexe"="{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of x64 registry}" 
Completed else 
Completed //we need to determine what the current execution policy is so we can put it back when we're done. 
Completed regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="Unrestricted" 
Completed parameter "PowerShellexe"="{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of registry}" 
Completed endif 
Completed //3. Create PowerShell Script and save to ps1 file 
Completed delete __createfile 
Completed delete time.ps1 
Completed createfile until END_OF_FILE 
Completed  
Completed Start-Transcript -path "C:\@oneneck\w32transcript.txt" -verbose 
Completed Remove-Item -Path "C:\@oneneck\w32tm.txt" -ErrorAction SilentlyContinue 
Completed W32TM /query /status | out-file -FilePath "c:\@oneneck\w32tm.txt" 
Completed Stop-Transcript 
Completed  
Completed END_OF_FILE 
Completed move __createfile time.ps1 
Completed action uses wow64 redirection false 
Completed waithidden "{parameter "PowerShellexe"}" -file "{pathname of client folder of current site}\time.ps1" 
Completed //4. Restore ExecutionPolicy back 
Completed if {x64 of operating system} 
Completed if {parameter "PolicyExisted" as boolean} 
Completed regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="{parameter "oldExecutionPolicy"}" 
Completed else 
Completed regdelete64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy" 
Completed endif 
Completed else 
Completed if {parameter "PolicyExisted" as boolean} 
Completed regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="{parameter "oldExecutionPolicy"}" 
Completed else 
Completed regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy" 
Completed endif 
Completed endif

Even with the Fixlet Debugger it shows it running but never creates the file.

Apparently it works like this:
waithidden cmd.exe /c "w32tm.exe /query /status > c:\@oneneck\timesource.txt"

I usually run bat files and then dump to the registry. Then use analysis to read the data.

Use the createfile until command to create your batch file so you don’t have to do the prefetch.

The Batch file…

Execute it then pull the data from the registry in an analysis

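An added example, not code from this thread, of the capture-then-read pattern the replies above describe: run the command in an action, park the result somewhere an analysis can read, and let the analysis report it. This version runs w32tm.exe directly from PowerShell, where the shell collects the native command’s stdout itself, so no cmd.exe redirection is needed, parses the "Name: value" lines, and writes them under HKLM rather than to a file or batch-file-to-registry step. The vendor key name ExampleOrg, the function names and the sample output are my assumptions; the parser self-check runs on constructed lines, not output from a real host. Writing to HKLM under the SYSTEM account the action runs as, instead of a folder a standard user could write into, also means an unprivileged local user cannot plant a file and have the analysis report whatever they like.

```powershell
# Added example (not from the thread): capture w32tm output in PowerShell and
# publish it to the registry for a BigFix analysis to read. Requires rights to
# write HKLM, which a BigFix action running as SYSTEM has.
# "ExampleOrg" is a placeholder vendor key, not anything from the thread.

$KeyPath = 'HKLM:\SOFTWARE\ExampleOrg\W32tmStatus'

function ConvertFrom-W32tmStatus {
    # Turn raw output lines into an ordered field -> value table. w32tm prints
    # one "Name: value" per line, and values may themselves contain colons
    # (timestamps, "source IP:" inside ReferenceId), so split on the first colon only.
    param([string[]]$Lines)

    $fields = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+?):\s*(.*)$') {
            $fields[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $fields
}

function Invoke-W32tmQuery {
    # PowerShell captures a native command's stdout itself: no cmd.exe needed,
    # unlike the ActionScript "waithidden w32tm ... > file" attempt. 2>&1 keeps
    # the error text too (e.g. when the Windows Time service is stopped), and
    # $LASTEXITCODE is the reliable "no data" signal rather than the text alone.
    $raw = @(& w32tm.exe /query /status 2>&1 | ForEach-Object { "$_" })
    return [pscustomobject]@{ ExitCode = $LASTEXITCODE; Lines = $raw }
}

function Publish-W32tmStatus {
    # Replace the key wholesale so values from an earlier successful run cannot
    # survive a later failure, then write one REG_SZ per parsed field plus
    # bookkeeping values the analysis can use to judge freshness and validity.
    param([int]$ExitCode, [string[]]$Lines)

    $fields = ConvertFrom-W32tmStatus -Lines $Lines

    Remove-Item -Path $KeyPath -Recurse -Force -ErrorAction SilentlyContinue
    New-Item -Path $KeyPath -Force | Out-Null

    foreach ($name in $fields.Keys) {
        New-ItemProperty -Path $KeyPath -Name $name -Value $fields[$name] -PropertyType String -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name 'ExitCode'    -Value $ExitCode -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'CollectedAt' -Value (Get-Date).ToUniversalTime().ToString('o') -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'RawOutput'   -Value $Lines -PropertyType MultiString -Force | Out-Null

    return $fields
}

# Constructed sample output (not captured from a real host) so the parser can be
# exercised on any machine; the real collection runs only on Windows below.
$sample = @(
    'Leap Indicator: 0(no warning)',
    'Stratum: 4 (secondary reference - syncd by (S)NTP)',
    'ReferenceId: 0x0A0A0A0A (source IP:  10.10.10.10)',
    'Last Successful Sync Time: 2/23/2022 9:20:01 AM',
    'Source: dc01.example.local',
    'Poll Interval: 10 (1024s)'
)
$parsed = ConvertFrom-W32tmStatus -Lines $sample
if ($parsed['Source'] -ne 'dc01.example.local' -or
    $parsed['Last Successful Sync Time'] -ne '2/23/2022 9:20:01 AM') {
    throw 'parser self-check failed'
}

if ($env:OS -eq 'Windows_NT') {
    $result = Invoke-W32tmQuery
    Publish-W32tmStatus -ExitCode $result.ExitCode -Lines $result.Lines | Out-Null
}
```

An analysis property for the time source would then be relevance of the form `value "Source" of key "HKEY_LOCAL_MACHINE\SOFTWARE\ExampleOrg\W32tmStatus" of x64 registry`, using the same `x64 registry` inspector the scripts in this thread use; reading `ExitCode` alongside it lets the analysis tell "service not running" apart from "never synced", which the raw text alone does not.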

The backslash thing is because the forum is interpreting your text as Markdown tags. Use the ‘Code’ format when pasting your scripts…highlight the code text and select the "</>" format button.


Yes, that’s the right way. Output redirection is a function of the shell, so you need to launch the CMD shell to get the output redirection options.

Any idea why it was failing when running PowerShell under the BigFix action script, but not when running in the new PowerShell mode in BigFix? That’s the one that has me confused.

This should have been written to a ps1 file and executed, but it’s like the file was blank. It’s almost like there was a character that made it escape, but when I saw that in the past I would get a fail on the line. In the past the issue I had was with { making the line fail, so I just had to use {{ to escape the relevance.

Completed Remove-Item -Path "C:\@oneneck\w32tm.txt" -ErrorAction SilentlyContinue
Completed W32TM /query /status | out-file -FilePath "c:\@oneneck\w32tm.txt"

I’m afraid I’m not all that well-versed on PowerShell, but is C:@oneneck a valid path, or does that need to be C:\@oneneck or c:\oneneck maybe?

The path is valid. It got edited here. C:\@oneneck
It worked when I changed it from BigFix action script to PowerShell. You can see above what I did with the BF action script. I copied and pasted all that from another action script I used and just changed the PowerShell inside the createfile section. So that one has me completely baffled.

Ok I went back and edited your old posts to put the code tags in.

Does the “C:\@oneneck” path already exist before you run your action? If the directory doesn’t exist, you’ll need to create it before trying to write a file in it - from a quick test I ran, PowerShell won’t automatically create the folder path for you.

It’s not clear to me whether you’re using the right ActionScript Types.

If you’re running this as the PowerShell script type, you can’t mix ActionScript commands like ‘if {condition}’ - with the PowerShell script type, you would include only PowerShell script commands, no ActionScript, no Relevance Substitutions, no ‘createfile’ commands, or any of that.

If you’re running this as the ActionScript script type, where you build the PowerShell script using ‘createfile’ and then execute it via PowerShell.exe…instead of all that business about saving the ExecutionPolicy, changing it, and then restoring it after, it’s far easier to just bypass the policy on the command line like

waithidden "{parameter "PowerShellexe"}" -ExecutionPolicy Bypass -file "{pathname of client folder of current site}\time.ps1"

When I run this as BigFix ActionScript, it works. You don’t need to check whether the "c:\@oneneck" folder exists; just use the ‘folder create’ command and it will be created if it’s missing, or skipped if the folder already exists.

delete __createfile
delete time.ps1
folder create C:\@oneneck
parameter "PowerShellexe"="{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of x64 registry}" 

createfile until END_OF_FILE
Start-Transcript -path "C:\@oneneck\w32transcript.txt" -verbose
Remove-Item -Path "C:\@oneneck\w32tm.txt" -ErrorAction SilentlyContinue
W32TM /query /status | out-file -FilePath "c:\@oneneck\w32tm.txt"
Stop-Transcript
END_OF_FILE

move __createfile time.ps1

action uses wow64 redirection false
waithidden "{parameter "PowerShellexe"}" -ExecutionPolicy Bypass -file "{pathname of client folder of current site}\time.ps1"

Likewise, if I execute this action with the Action Type set to PowerShell, it also works (note I create the C:\@oneneck folder as part of the PowerShell script).

mkdir c:\@oneneck -Force | Out-Null   # -Force: no error when the folder already exists on a re-run
Start-Transcript -path "C:\@oneneck\w32transcript.txt" -verbose
Remove-Item -Path "C:\@oneneck\w32tm.txt" -ErrorAction SilentlyContinue
W32TM /query /status | out-file -FilePath "c:\@oneneck\w32tm.txt"
Stop-Transcript
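An added example, not from the thread, that generates the ActionScript wrapper Jason describes (write the script with createfile until, then run it with powershell.exe -ExecutionPolicy Bypass) from a PowerShell script body, so the wrapper never has to be hand-edited. The one transformation that matters is doubling every { in the body, the same escaping mentioned earlier in the thread: inside a createfile block an unescaped brace from a hashtable or scriptblock is taken as a relevance substitution. The function and file names, the -NoProfile -NonInteractive flags and the sample body are my own; the powershell.exe registry lookup is the one the scripts above use. Using Bypass per invocation rather than setting the machine-wide policy to Unrestricted and restoring it afterwards means an action that dies midway cannot leave the host’s policy changed for every other user and scheduled task; execution policy is a safety net for interactive users rather than a security boundary, so bypassing it for a script already running as SYSTEM gives nothing up.

```powershell
# Added example (not from the thread): build the BigFix ActionScript that
# embeds a PowerShell script via "createfile until" and runs it with Bypass.
# Function names, file name and the sample body are assumptions.

function ConvertTo-CreateFileBody {
    # Escape relevance substitution: "{" -> "{{". A closing "}" needs no escaping.
    param([string]$Script)
    return ($Script -replace '\{', '{{')
}

function Get-CreateFileDelimiter {
    # The terminator line must not occur in the body; extend it until it is unique.
    param([string[]]$Lines)
    $delim = 'END_OF_FILE'
    while ($Lines -contains $delim) { $delim += '_X' }
    return $delim
}

function New-BigFixPowerShellAction {
    param(
        [Parameter(Mandatory)][string]$Script,
        [string]$FileName = 'run.ps1'
    )
    $bodyLines = (ConvertTo-CreateFileBody -Script $Script) -split "`r?`n"
    $delim = Get-CreateFileDelimiter -Lines $bodyLines

    $header = @(
        '// Generated wrapper: write the script into the site folder, then run it.',
        'delete __createfile',
        "delete $FileName",
        "createfile until $delim"
    )
    $footer = @(
        $delim,
        "move __createfile $FileName",
        '',
        '// Same powershell.exe lookup the thread uses; wow64 off so a 32-bit client launches the 64-bit host.',
        'parameter "PowerShellexe"="{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of x64 registry}"',
        'action uses wow64 redirection false',
        ('waithidden "{parameter "PowerShellexe"}" -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "{pathname of client folder of current site}\' + $FileName + '"')
    )
    return (($header + $bodyLines + $footer) -join "`r`n")
}

# Constructed sample body containing the braces that break an unescaped createfile.
$body = @'
$opts = @{ FilePath = 'C:\@oneneck\w32tm.txt' }
if (-not (Test-Path 'C:\@oneneck')) { New-Item -ItemType Directory -Path 'C:\@oneneck' | Out-Null }
w32tm.exe /query /status | Out-File @opts
'@

$action = New-BigFixPowerShellAction -Script $body
if ($action -notmatch '@\{\{ FilePath') { throw 'brace escaping failed' }
$action
```

Paste the printed text into a Task with the ActionScript type; the relevance substitutions in the generated `parameter` and `waithidden` lines are left single-braced on purpose, since those are meant to be evaluated by the client, while everything between the createfile delimiters reaches the .ps1 file with its braces restored.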

Thank you Jason.

My coworker set up debugging and said there was something going on with the if statement. The odd thing is I copied and pasted this all from a working BigFix task. It’s worked on dozens of other tasks but wasn’t happy with this one. I’ll clean this up though. Thank you for the help.

Usually this is because PowerShell will not run unsigned scripts unless you tell it to. See:

The downside of using the built-in PowerShell support is that you cannot do relevance substitution in it.
