Need help with an analysis

Hi noob here and having trouble with an analysis. I am trying to get “if a specific file exists anywhere on the hard drive, what is it’s path and what is the version.”

I tried a couple of things that mostly did not work like:
((pathnames of find files “zoom.exe” of (descendant folders of folder “c:”)) AND (versions of files “zoom.exe” of (descendant folders of folder “C:”))) this gave me errors looking for a Boolean expression

I also tried “pathnames of find files “zoom.exe” of (descendant folders of folder “c:”)” as one property and
"versions of files “gui.exe” of (descendant folders of folder “C:”)" as another property. While this gave all the answers it mixed them up and matrix-ed them together so if there were 3 files that existed in three paths and three versions of that file, I would end up with 6 results as each one would have two paths and two versions.

I am trying but I don’t speak BigFix yet. Can someone give me a hand?

Hi, welcome to Bigfix!

There are several considerations here -

An Analysis that looks at all descendant files on the hard drive is very likely to have some errors with timing-out during evaluation, as it takes a long time to traverse the drive and will also cause performance impacts to the client (as in, the client won’t evaluate any other content or respond to any actions while this is running). So for an operation like that we’d usually use what we call a “breadcrumb” approach - where we run an Action to find the files & properties, save the result to a text file, and report the contents of the text file in an Analysis.

From a pure Relevance standpoint, any time you could have multiple files and want to retrieve multiple properties of it (like the pathname and the version), you’ll need to craft the relevance a little bit differently. When you treat them separately, you get a “cross-product”, where every name is combined to every version. Here’s an illustration, looking at two files from the system folder:

q: files ("cmd.exe"; "cscript.exe") of system folder
A: "cmd.exe" "10.0.17763.592" "Windows Command Processor" "10.0.17763.1 (WinBuild.160101.0800)" "Microsoft Corporation"
A: "cscript.exe" "5.812.10240.16384" "Microsoft ® Console Based Script Host" "5.812.10240.16384" "Microsoft Corporation"
T: 12.364 ms
I: plural file

If we retrieve their names and versions, we get a cross-product:

q: (names of files ("cmd.exe"; "cscript.exe") of system folder, versions of files ("cmd.exe"; "cscript.exe") of system folder)
A: cmd.exe, 10.0.17763.592
A: cmd.exe, 5.812.10240.16384
A: cscript.exe, 10.0.17763.592
A: cscript.exe, 5.812.10240.16384

What’s happened there is that is we are retrieving both the names of the two files, and the versions of the two files, but we don’t have a relationship between each file name and each file version.

Instead, we need to examine each file separately and retrieve only that file’s properties. We can do this with a construct like (property 1 of it, property 2 of it) of files (x) :

q: (pathname of it, version of it) of files ("cmd.exe"; "cscript.exe") of system folder
A: C:\WINDOWS\system32\cmd.exe, 10.0.17763.592
A: C:\WINDOWS\system32\cscript.exe, 5.812.10240.16384

So, performance considerations aside, your first query should look more like

(pathname of it, version of it ) of find files "zoom.exe" of descendant folders of folder "c:"

You can reduce that a bit, expecting that zoom.exe should live somewhere in the user profiles:

(pathname of it, version of it ) of find files "zoom.exe" of descendant folders of folder "c:\Users"

And even better if you know it lives beneath something like C:\Users<something>\AppData\Zoom (I don’t know what directory it really lives in though, so that may take some investigation:

(pathname of it, version of it ) of find files "zoom.exe" of folders "AppData\Zoom" of folders of folder "c:\Users"

Once you get down to that form, you’re no longer traversing every descendant folder, and it’s much safer to use this in an Analysis.

The folders of folder "c:\Users" gets you to every folder one-level beneath C:\Users - so it returns values like
So when you look at folders “AppData\Zoom” of that, you’re searching every user account’s AppData\Zoom folder for the executable.

1 Like

Oh, yeah - if you really didn’t know where the file might live, we’d go back to the Breadcrumb approach I talked about before. Here’s an example

Run an Action to build a text file of the zoom.exe paths on the drive and save it to a text file. I haven’t tested this but I expect this script should work:

action uses wow64 redirection false
waithidden cmd.exe /C dir /s /b c:\zoom.exe > "{pathname of data folder of client}\zoom-results.txt"

Then use the fully-qualified pathnames that are listed in the text file for your Analysis report:

(pathname of it, versions of it) of files(lines of file "zoom-results.txt" of data folder of client as string)

1 Like