PendingFileRenameOperations and PendingRestartExclusions?

Does anyone have a relevance to compare the value of _BESClient_ActionManager_PendingRestartExclusions to the HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations value in the same way the BES Client compares them?
Ref:
http://www-01.ibm.com/support/docview.wss?uid=swg21506002

There’s a statement that the string is case sensitive. I’ve added what I thought were enough exclusions, then rebooted the client, but pending restart still evaluates as True after a reboot.

The PendingFileRenameOperations key contains

\??\C:\windows\system32\spool\PRTPROCS\x64\7_GNUD054C.DLL

\??\C:\windows\system32\SET5B8D.tmp
!\??\C:\windows\system32\difxapi.dll
\??\C:\windows\system32\spool\PRTPROCS\x64\7_hpcpp107.dll

\??\C:\windows\system32\spool\DRIVERS\x64\3\New\hpcpu107.CFG
\??\C:\windows\system32\spool\DRIVERS\x64\3\hpcpu107.CFG

The _BESClient_ActionManager_PendingRestartExclusions value is system32\spool;.tmp;system32\difxapi.dll
I’d like to evaluate which (if any) strings from the key are not matched in PendingRestartExclusions. And also to determine whether I need to match the null strings, and if so then how.

All the values in this key are being recreated at restart by the Print Spooler service. It may be because of a connected network printer that’s using an old, unsigned driver, but I’m not certain and can’t change it.

One final question, does anyone know the significance of the exclamation before the “difxapi.dll” replacement? I see the existing difxapi.dll is version 2.1 and signed, while the .tmp file that is supposed to replace it is also version 2.1 but not signed.

1 Like

My understanding is that these should always be in pairs (a missing second in the pair means it is getting deleted instead of renamed or removed), so yours would be:

\??\C:\windows\system32\spool\PRTPROCS\x64\7_GNUD054C.DLL

\??\C:\windows\system32\SET5B8D.tmp

!\??\C:\windows\system32\difxapi.dll
\??\C:\windows\system32\spool\PRTPROCS\x64\7_hpcpp107.dll

\??\C:\windows\system32\spool\DRIVERS\x64\3\New\hpcpu107.CFG
\??\C:\windows\system32\spool\DRIVERS\x64\3\hpcpu107.CFG

With the first item in the pair being the source file and the second item being the destination file.
The ! before the entry means that the target file will be replaced if it already exists (otherwise it will not replace the target file).

You do need a trailing semi-colon on your list of strings.

This shouldn’t be too terrible to do – I’ll play around with it and reply once I’ve got something.

Thanks! I didn’t know about the ! indicating overwrite.

The entries are in pairs, but from what I’ve read an empty target file is valid, indicating a file delete. So
'\??\C:\windows\system32\spool\PRTPROCS\x64\7_GNUD054C.DLL' should be deleted.

1 Like

I came up with something like this:

Q: ("\??\C:\windows\system32\spool\PRTPROCS\x64\7_GNUD054C.DLL";"\??\C:\windows\system32\SET5B8D.tmp";"!\??\C:\windows\system32\difxapi.dll";"\??\C:\windows\system32\spool\PRTPROCS\x64\7_hpcpp107.dll";"\??\C:\windows\system32\spool\DRIVERS\x64\3\New\hpcpu107.CFG";"\??\C:\windows\system32\spool\DRIVERS\x64\3\hpcpu107.CFG") whose (not exists matches (regexes (concatenation "|" of (regex escapes of ("system32\spool";".tmp";"system32\difxapi.dll")))) of it)
A: !\??\C:\windows\system32\difxapi.dll

I think what might be happening is that BigFix isn’t taking into account the fact that these are pairs – and it just checks each line against its exclusions list – in your example that difxapi.dll isn’t currently matched so it may be why it’s flagged for restart.

To do it more generically I think you could just do:

(unique values whose (it != "") of substrings separated by "%00" of (it as string) of value "PendingFileRenameOperations" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of native registry) whose (not exists matches (regexes (concatenation "|" of (regex escapes of (substrings separated by ";" of value of setting "_BESClient_ActionManager_PendingRestartExclusions" of client)))) of it)

Hmm, but “system32\difxapi.dll” was specified in the list and should have matched. Is there something odd going on in “escapes” that I’m misunderstanding? edit: yes, I misunderstood, see below.

q: escapes of "system32\spool";".tmp";"system32\difxapi.dll"
A: system32\\spool
A: .tmp
A: system32\difxapi.dll
T: 0.038 ms
I: plural string

It looks like “escapes” correctly substituted one backslash for two in the “system32\spool” line, but not in “system32\difxapi.dll”.

edit: OK, I see. It was actually only “escaping” the first string in the list because of parentheses matching.
q: escapes of "system32\spool";".tmp";"system32\difxapi.dll"
is actually evaluating as escape of “system32\spool”, followed by the normal string “.tmp”, followed by the normal string “system32\difxapi.dll”.

If we wrap the string set in parentheses so that each string gets escaped, there’s no match…
Q: ("\??\C:\windows\system32\spool\PRTPROCS\x64\7_GNUD054C.DLL";"\??\C:\windows\system32\SET5B8D.tmp";"!\??\C:\windows\system32\difxapi.dll";"\??\C:\windows\system32\spool\PRTPROCS\x64\7_hpcpp107.dll";"\??\C:\windows\system32\spool\DRIVERS\x64\3\New\hpcpu107.CFG";"\??\C:\windows\system32\spool\DRIVERS\x64\3\hpcpu107.CFG") whose (not exists matches (regexes (concatenation "|" of (regex escapes of ("system32\spool";".tmp";"system32\difxapi.dll")))) of it)
T: 0.337 ms
I: plural string

But I don’t know what logic is actually being used to parse this client setting or the PendingFileRenameOperations key.

It also looks like you are missing the trailing semicolon on your list; did you try fixing that?

not: "system32\spool;.tmp;system32\difxapi.dll"
but instead: "system32\spool;.tmp;system32\difxapi.dll;"

1 Like
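As an added example (not code from the thread, from BigFix or from IBM), here is a Python model of what the replies above work through: splitting PendingFileRenameOperations into source/destination pairs (empty destination = delete, leading "!" = overwrite) and listing the entries that no exclusion covers. It assumes the client does a plain case-sensitive substring match, which the thread does not confirm; the escape_all=False branch reproduces the escaping slip in the first relevance, where an unescaped "system32\difxapi.dll" is read as a regex in which "\d" means any digit (true of Python's re module, and consistent with the output shown, though the BigFix engine's behaviour is an assumption here).

```python
import re

# Constructed stand-in for the thread's REG_MULTI_SZ: NUL-terminated strings, then a final NUL.
RAW_PFRO = (
    "\\??\\C:\\windows\\system32\\spool\\PRTPROCS\\x64\\7_GNUD054C.DLL\0"
    "\0"  # empty destination: the source above is deleted
    "\\??\\C:\\windows\\system32\\SET5B8D.tmp\0"
    "!\\??\\C:\\windows\\system32\\difxapi.dll\0"  # '!' = overwrite existing target
    "\\??\\C:\\windows\\system32\\spool\\PRTPROCS\\x64\\7_hpcpp107.dll\0"
    "\0"
    "\\??\\C:\\windows\\system32\\spool\\DRIVERS\\x64\\3\\New\\hpcpu107.CFG\0"
    "\\??\\C:\\windows\\system32\\spool\\DRIVERS\\x64\\3\\hpcpu107.CFG\0"
    "\0"  # MULTI_SZ terminator
)
# The poster's setting, with the trailing semicolon the replies ask for.
EXCLUSIONS = "system32\\spool;.tmp;system32\\difxapi.dll;"


def parse_pfro(raw):
    """Return (action, source, destination) triples. Entries come in pairs; an
    empty destination means delete, a leading '!' means overwrite the target."""
    items = raw[:-2].split("\0") if raw.endswith("\0\0") else raw.split("\0")
    if len(items) % 2:  # unterminated final pair: treat it as a delete
        items.append("")
    return [("delete", s, None) if d == "" else
            ("replace", s, d[1:]) if d.startswith("!") else ("rename", s, d)
            for s, d in zip(items[0::2], items[1::2])]


def entries(raw):
    # Non-empty strings only: the empty delete markers need no exclusion.
    return [e for e in raw.split("\0") if e]


def unmatched_substring(raw, exclusions):
    """Case-sensitive substring check against the ';'-separated exclusion list
    (the documented behaviour; assumed here, not the BES client's own code)."""
    terms = [t for t in exclusions.split(";") if t]
    return [e for e in entries(raw) if not any(t in e for t in terms)]


def unmatched_regex(raw, exclusions, escape_all=True):
    """Regex variant. escape_all=False escapes only the first term, as the
    unparenthesised relevance in the thread did, so an unescaped '\\d' is a digit class."""
    terms = [t for t in exclusions.split(";") if t]
    terms = [re.escape(t) for t in terms] if escape_all \
        else [re.escape(terms[0])] + terms[1:]
    rx = re.compile("|".join(terms))
    return [e for e in entries(raw) if not rx.search(e)]
```

With the sample data, unmatched_substring(RAW_PFRO, EXCLUSIONS) returns an empty list, while unmatched_regex(RAW_PFRO, EXCLUSIONS, escape_all=False) returns only the difxapi.dll entry, the same single result the first relevance produced.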

Yes, I just sent that to the client, but I may have some trouble testing (they’re using that particular machine today). I need to go find another test case.