Incomplete and inconsistent file search results

(imported topic written by SystemAdmin)

My organization has been attempting to locate PST files on client devices. We’ve tried several approaches with varying degrees of success.

One approach is using “dir” to output a result to a file.

runhidden {pathname of system folder}\cmd.exe /C dir /s /b /a /o:gn c:\*.PST >"c:\PST.txt"

This works to some degree. However, we've found instances where it does not completely work. This example is copied from an XP machine where dir works in the specific folder, but not down through the entire tree. The results are the same whether BigFix runs it or a local admin runs it interactively.

C:\>dir "C:\DOCUME~1\<username>\My Documents\archive.pst" /s

Volume in drive C has no label.

Volume Serial Number is 9ED0-639E

Directory of C:\DOCUME~1\<username>\My Documents

02/20/2012 05:07 PM 271,360 archive.pst

1 File(s) 271,360 bytes

Total Files Listed:

1 File(s) 271,360 bytes

0 Dir(s) 56,690,081,792 bytes free

C:\>dir c:\*.pst /s

Volume in drive C has no label.

Volume Serial Number is 9ED0-639E

File Not Found

So I searched the forum and found this basic search syntax and tried a variation of it.

delete __appendfile

delete findpstfiles.bat

appendfile @echo off

appendfile del "{pathname of parent folder of regapp "BESClient.exe"}\pstfiles.txt"

appendfile echo "{"" & concatenation "" of pathnames of descendants whose (name of it as lowercase ends with ".pst") of folders "" of drives whose (type of it="DRIVE_FIXED") & "**"}" > "{pathname of parent folder of regapp "BESClient.exe"}\pstfiles.txt"

move __appendfile findpstfiles.bat

waithidden findpstfiles.bat 1>NUL 2>NUL

This action seems to work completely and consistently on Win7 x86 and x64. However, it fails on XP with the following note in the agent log:

Command failed (Relevance substitution failed) appendfile echo "{"" & concatenation "" of pathnames of descendants whose (name of it as lowercase ends with ".pst") of folders "" of drives whose (type of it="DRIVE_FIXED") & "**"}" > "c:\pstfiles.txt"
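For comparison, here is an added PowerShell example (not code from the original post or from BigFix) that does the same inventory job, enumerating every fixed drive, walking it for *.pst files, and writing one full path per line instead of a single concatenated string. It also records every location the walk could not read, so an interfering endpoint agent or a permissions problem shows up as a logged path rather than a silently incomplete result. It assumes PowerShell 2.0 or later (Get-WmiObject rather than Get-CimInstance, so it also runs on XP with PowerShell installed); the two output paths are placeholders.

```powershell
# Added example, not part of the original thread.
# Assumes PowerShell 2.0+; output locations below are placeholders.
$outFile = 'C:\pstfiles.txt'          # placeholder: one PST path per line
$errFile = 'C:\pstfiles.errors.txt'   # placeholder: locations that could not be read

# DriveType 3 = local fixed disk, the same set of drives the relevance
# clause "type of it = DRIVE_FIXED" selects.
$fixedDrives = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=3' |
    ForEach-Object { $_.DeviceID + '\' }

$found      = @()
$unreadable = @()

foreach ($root in $fixedDrives) {
    # -Force includes hidden and system entries (like "dir /a");
    # -Filter '*.pst' matches case-insensitively on Windows.
    # Errors (access denied, path too long) are collected instead of aborting.
    $items = Get-ChildItem -Path $root -Filter '*.pst' -Recurse -Force `
        -ErrorAction SilentlyContinue -ErrorVariable walkErrors

    # PS 2.0 has no -File switch, so drop directories by hand.
    $found += $items |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $_.FullName }

    # TargetObject holds the path Get-ChildItem failed on.
    $unreadable += $walkErrors | ForEach-Object { $_.TargetObject }
}

$found      | Sort-Object -Unique | Set-Content -Path $outFile
$unreadable | Sort-Object -Unique | Set-Content -Path $errFile

Write-Output ('{0} PST file(s) written to {1}; {2} unreadable location(s) logged to {3}' -f `
    $found.Count, $outFile, $unreadable.Count, $errFile)
```

When an action like this completes but the error file is non-empty, the listed folders are the ones to check against the endpoint protection exclusions or NTFS permissions before trusting the inventory as complete.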

(imported comment written by NoahSalzman)

What do these two queries return on the XP box?

q: names of drives whose (type of it="DRIVE_FIXED")

A: C:

q: "" & concatenation "" of pathnames of descendants whose (name of it as lowercase ends with ".sys") of folders "\Windows\System32\drivers" of drives whose (type of it="DRIVE_FIXED") & "**"

A: C:\Windows\System32\drivers\1394bus.sysC:\Windows\System32\drivers\acpi.sysC:\Windows\System32\drivers\adp94xx.sysC:\Windows\System32\drivers\adpahci.sysC:\Windows\System32\drivers\adpu160m.sysC:\Windows\System32\drivers\adpu320.sysC:\Windows\System32\drivers\afd.sysC:\Windows\System32\drivers\AGP440.sysC:\Windows\System32\drivers\aliide.sysC:\Windows\System32\drivers\AMDAGP.SYSC:\Windows\System32\drivers\amdide.sysC:\Windows\System32\drivers\amdk7.sysC:\Windows\System32\drivers\amdk8.sysC:\Windows\System32\drivers\arc.sysC:\Windows\System32\drivers\arcsas.sysC:\Windows\System32\drivers\asyncmac.sys**C:\Windows\System32\drivers

(imported comment written by SystemAdmin)

Here are the answers I get from a local XP machine. It appears that some XP machines, like this one, work just fine, yielding expected results. Other XP machines fail the exact same relevance substitution. I’m trying to discern the difference.

q: names of drives whose (type of it="DRIVE_FIXED")

A: C:

q: "" & concatenation "" of pathnames of descendants whose (name of it as lowercase ends with ".sys") of folders "\Windows\System32\drivers" of drives whose (type of it="DRIVE_FIXED") & "**"

A: C:\Windows\System32\drivers\acpi.sysC:\Windows\System32\drivers\acpiec.sysC:\Windows\System32\drivers\afd.sysC:\Windows\System32\drivers\agp440.sysC:\Windows\System32\drivers\agpcpq.sysC:\Windows\System32\drivers\alim1541.sysC:\Windows\System32\drivers\amdagp.sysC:\Windows\System32\drivers\amdk6.sysC:\Windows\System32\drivers\amdk7.sysC:\Windows\System32\drivers\arp1394.sys**

q: "" & concatenation "" of pathnames of descendants whose (name of it as lowercase ends with ".pst") of folders "" of drives whose (type of it="DRIVE_FIXED") & "**"

A: C:\Documents and Settings\user1\Local Settings\Application Data\Microsoft\Outlook\test.pstC:\Documents and Settings\user2\Local Settings\Application Data\Microsoft\Outlook\PO.pst**

(imported comment written by SystemAdmin)

We now believe we have isolated the cause. Apparently some component of Symantec Endpoint Protection 11 was interfering with the query. When we disable SEP, the relevance substitution completes successfully. Working with our SEP admin to determine appropriate SEP settings/exclusions. Has anyone else seen this?