Inspector interrupted error

Hi all,

With regards to the below property relevance which checks for modified files within the last 24 hours from different specified filesystems and subdirs.

Q: ((pathname of it & " ( " & modification time of it as string & " )") of files whose (modification time of it > now - 24*hour and ((name of it as lowercase ends with ".exe") or (name of it as lowercase ends with ".sys") or (name of it as lowercase ends with ".dll") or (name of it as lowercase ends with ".ocx"))) of (system folder; descendant folders of system folder)) ; ((pathname of it & " ( " & modification time of it as string & " )") of files whose (modification time of it > now - 24*hour) of (folder it; descendant folders of folder it) of ("c:\inetpub"; "e:\inetpub"; "c:\windows\sysvol"; "e:\windows\sysvol") whose (exists folder it)); ((pathname of it & " ( " & modification time of it as string & " )") of files whose (modification time of it > now - 24*hour and ((name of it as lowercase = "machine.config"))) of (folder it; descendant folders of folder it) of ("c:\windows\microsoft.net"; "") whose (exists folder it))
T: 10286.854 ms

This has an evaluation frequency of 12 hours. It evaluates fine and returns results for some machines, but unfortunately returns "Inspector interrupted" for some. From reading through other forum posts, it seems that this kind of use case for relevance is not advisable, because it scans through a lot of folders and subfolders, which takes too much time and results in being interrupted/timed out.

Would it be advisable to utilize _BESClient_Resource_InterruptSeconds on the machines involved and set it with a value greater than default? When running the relevance through fixlet debugger the eval time is approx 9k to 10k ms.

Would appreciate any feedback and suggestions.

I'd advise refactoring this to run as an Action instead of pure Relevance, using a shell script to pull back the file paths.

I've done similar for spring shell and log4j detections.

https://bigfix.me/fixlet/details/26943 may be a useful example, but that does a lot more than you'd need (this scan checks inside the content of .jar files) but the 'dir' and 'findstr' commands might be helpful.

We appreciate your suggestion. As for our internal use case, this is currently being handled through a property analysis, using pure relevance to scan and sweep through drives, which we understand is intensive for the BigFix Client. A little bit of background: our Windows Admin team receives daily scheduled reports (where the inspector interrupted error is seen) tied to the property through BigFix WebReports.

We are trying to consider your suggestion of converting the whole process to running a fixlet utilizing a shell script that outputs to a file, and having an analysis pull the contents of the file. I have created a script utilizing PowerShell to pull files and their paths, but am encountering an error during testing: a runtime error that states substitution failed while writing file on line 9.

It seems that the culprit is the PS foreach block with braces. Isn't the createfile until the closing END_OF_FILE enough to declare and treat the script as it is and not do any substitutions? When trying to escape the braces within the block, the problem is that PowerShell ignores the lines, which results in Out-File not writing anything. (Script below.) Would appreciate any input, thanks.

if {not exists folder "C:\temp\Scripts"}
waithidden cmd.exe /C mkdir "C:\temp\Scripts"
endif

if {not exists folder "C:\temp\Search"}
waithidden cmd.exe /C mkdir "C:\temp\Search"
endif

delete "C:\temp\Scripts\findfiles.ps1"

delete "C:\temp\Search\ModifiedFiles.txt"

createfile until END_OF_FILE
$Output = "C:\Temp\Search\ModifiedFiles.txt"
Remove-Item $Output -ErrorAction SilentlyContinue

$Paths = ("C:\Windows\System32","C:\Windows\Sysvol","E:\Windows\Sysvol","c:\inetpub","e:\inetpub")
$CutoffDay = (Get-Date).AddDays(-1)

foreach ($Path in $Paths) {
    Get-ChildItem -Path "$Path*" -Recurse -Include "*.exe","*.sys","*.dll","*.txt" -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $CutoffDay } |
    ForEach-Object { $_.FullName } |
    Out-File -Append $Output
}
END_OF_FILE

move __createfile "C:\temp\Scripts\findfiles.ps1"

waithidden powershell.exe -ExecutionPolicy Bypass -File "C:\temp\Scripts\findfiles.ps1"

No, in fact it's very common to use relevance substitutions inside of createfile statements in ActionScript.
You'll need to escape the PowerShell open-curly brackets; instead of { use {{ any place you don't want a relevance substitution to be started.

2 Likes
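
The escaping rule from the last reply, applied to the script posted in this thread, as an added example that is not part of any post. The `delete __createfile` line, the `-Path $Path` form and the `{pathname of system folder}` substitution are assumptions added here to show an escaped brace next to a real substitution.

```actionscript
// Added example (BigFix ActionScript), not code from the thread's participants.
// Inside a createfile body a single "{" starts a relevance substitution,
// so every PowerShell "{" is written as "{{". A closing "}" that is not
// inside a substitution is written to the file as-is and stays single.

if {not exists folder "C:\temp\Scripts"}
waithidden cmd.exe /C mkdir "C:\temp\Scripts"
endif

if {not exists folder "C:\temp\Search"}
waithidden cmd.exe /C mkdir "C:\temp\Search"
endif

// Clear leftovers from an earlier run before building the script again
delete __createfile
delete "C:\temp\Scripts\findfiles.ps1"
delete "C:\temp\Search\ModifiedFiles.txt"

createfile until END_OF_FILE
$Output = "C:\Temp\Search\ModifiedFiles.txt"
Remove-Item $Output -ErrorAction SilentlyContinue

# The first entry is a real relevance substitution, evaluated by the client
# when the action runs; the other entries are literal paths from the post.
$Paths = ("{pathname of system folder}","C:\Windows\Sysvol","E:\Windows\Sysvol","c:\inetpub","e:\inetpub")
$CutoffDay = (Get-Date).AddDays(-1)

# Each "{{" below becomes a single "{" in findfiles.ps1
foreach ($Path in $Paths) {{
    Get-ChildItem -Path $Path -Recurse -Include "*.exe","*.sys","*.dll","*.txt" -File -ErrorAction SilentlyContinue |
        Where-Object {{ $_.LastWriteTime -gt $CutoffDay } |
        ForEach-Object {{ $_.FullName } |
        Out-File -Append $Output
}
END_OF_FILE

move __createfile "C:\temp\Scripts\findfiles.ps1"

waithidden powershell.exe -ExecutionPolicy Bypass -File "C:\temp\Scripts\findfiles.ps1"
```

After the action runs, opening `C:\temp\Scripts\findfiles.ps1` on the endpoint should show single braces throughout and the resolved system folder path in `$Paths`.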