Reading a txt file created by big fix

(imported topic written by NelsonEW)

Good morning everyone,

I’m using an action to run a command line that pipes to a txt file. When I use the relevance debugger to read the lines of the file I get the text, along with a %00 in between every character. How can I read the file without seeing the %00s? Here is the code and the results:


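// Remove any output left over from a previous run
if {exists file "c:\tools\test.txt"}
delete "c:\tools\test.txt"
endif

// Run wmic as the current user and append its output to the text file
run "c:\tools\runascurrentuser.exe" --w --q cmd.exe /c wmic logicaldisk get caption,providername,drivetype,volumename >> "c:\tools\test.txt"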

What I put in the Relevance debugger:

q: lines of file "c:\tools\test.txt"

A: %ff%feC%00a%00p%00t%00i%00o%00n%00 %00 %00D%00r%00i%00v%00e%00T%00y%00p%00e%00 %00 %00P%00r%00o%00v%00i%00d%00e%00r%00N%00a%00m%00e%00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00V%00o%00l%00u%00m%00e%00N%00a%00m%00e%00 %00 %00

A: %00

A: %00C%00:%00 %00 %00 %00 %00 %00 %00 %003%00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00O%00S%00D%00i%00s%00k%00 %00 %00 %00 %00 %00 %00

A: %00

Any help would be greatly appreciated. Thank you

(imported comment written by NoahSalzman)

concatenation "" of substrings separated by "%00" of lines of file "c:\tools\test.txt"

(imported comment written by NelsonEW)

That’s great. Any way to separate them? That moves them all on to one line in the relevance debugger, whereas they are on separate lines in the txt document.

(imported comment written by NelsonEW)

Or is there a way to have the action that created the file then delete the null characters from the file?

(imported comment written by NoahSalzman)

You can do something like this…

concatenation "%0d%0a" of substrings separated by "#$#" of concatenation "" of substrings separated by "%00" of concatenation "#$#" of substrings separated by "%0d%0a" of lines of file "c:\text.txt"

The debugger shows the literal %0d%0a… not sure if that will get properly converted to CRLF in other contexts (such as an Analysis display in the Console).

(imported comment written by NelsonEW)

Thanks, That seems to be working.

I had tried putting %0d%0a in the concatenation, but the debugger just put the text in, never thought to actually put it in an analysis to see what happens!

Appreciate your help!

(imported comment written by jpeppers91)

I’m having the same issue where the text is displayed in the same format and I’m trying to remove the %00’s and %ff%fe. Using the relevance above works in relevance debugger but it doesn’t display in the console and get .

  1. Why does the text file display in this manner using the TEM tools and console but works fine in notepad?

  2. How do I fix it so that it is displayed correctly in the console?

%ff%feD%00e%00s%00c%00r%00i%00p%00t%00i%00o%00n%00 %00 %00 %00 %00 %00 %00H%00o%00t%00F%00i%00x%00I%00D%00 %00 %00 %00I%00n%00s%00t%00a%00l%00l%00e%00d%00O%00n%00 %00 %00


%00U%00p%00d%00a%00t%00e%00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %009%008%002%008%006%001%00 %00 %00 %00 %00 %001%001%00/%003%000%00/%002%000%001%002%00 %00


%00U%00p%00d%00a%00t%00e%00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %009%008%002%008%006%001%00 %00 %00 %00 %00 %001%001%00/%003%000%00/%002%000%001%002%00 %00 %00 %00


%00U%00p%00d%00a%00t%00e%00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00K%00B%009%005%008%008%003%000%00 %00 %00 %001%000%00/%002%006%00/%002%000%001%001%00 %00 %00 %00


%00U%00p%00d%00a%00t%00e%00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00 %00K%00B%009%007%001%000%003%003%00 %00 %00 %001%000%00/%002%006%00/%002%000%001%001%00 %00 %00 %00


(imported comment written by Lee Wei)

The cause of the issue is that the file is encoded as Unicode, rather than the usual ANSI.

If you use Notepad, you can do “Save As” and change the encoding.

So it would appear that the TEM tools/console do not handle Unicode.
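
Added example, not part of the thread or any poster's code: the `%ff%fe` prefix is the UTF-16LE byte-order mark and each `%00` is the high byte of a two-byte character. The Python sketch below compares decoding by BOM with the byte-level `%00` strip, which leaves the BOM in place and does not recover non-ASCII text. The sample bytes are constructed, and the function names and the cp1252 code page are assumptions.

```python
import codecs

# Constructed sample (not from the thread): UTF-16LE text behind an FF FE
# byte-order mark, the layout the %ff%fe...%00 output above points to.
SAMPLE_TEXT = (
    "Caption  DriveType  VolumeName\r\n"
    "C:       3          OSDisk\r\n"
    "D:       3          Архив\r\n"
)
SAMPLE_BYTES = codecs.BOM_UTF16_LE + SAMPLE_TEXT.encode("utf-16-le")

BOMS = (
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
)

def decode_with_bom(raw, fallback="cp1252"):
    """Return (text, encoding); use the BOM if present, else the fallback."""
    for bom, name in BOMS:
        if raw.startswith(bom):
            return raw[len(bom):].decode(name), name
    return raw.decode(fallback, errors="replace"), fallback

def read_lines(raw):
    """Decode first, then split; drop blank lines and trailing padding."""
    text, _ = decode_with_bom(raw)
    return [line.rstrip() for line in text.splitlines() if line.strip()]

def split_raw_lines(raw):
    """Byte-level split at 0x0A, as a reader unaware of UTF-16 would do."""
    return raw.split(b"\n")

def strip_nuls(raw):
    """Byte-level workaround: delete every 0x00 byte without decoding."""
    return raw.replace(b"\x00", b"")

def to_single_byte(raw, codepage="cp1252"):
    """Re-encode for an ANSI-only consumer; unmappable characters become '?'."""
    text, _ = decode_with_bom(raw)
    return text.encode(codepage, errors="replace")

if __name__ == "__main__":
    print(split_raw_lines(SAMPLE_BYTES)[1][:4])
    print(strip_nuls(SAMPLE_BYTES)[:9])
    print(read_lines(SAMPLE_BYTES))
    print(to_single_byte(SAMPLE_BYTES))
```

Splitting the raw bytes at 0x0A leaves the second byte of the UTF-16 newline at the start of the next line, which is the leading `%00` seen on every line after the first in the output above.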

(imported comment written by jpeppers91)

Here is my way around it.

The second-to-last line writes it in an ANSI format.

In case this helps anyone else.

// Make sure the working folder exists
if {not exists folder "c:\temp"}
dos mkdir "c:\temp"
endif
// wmic writes its own (Unicode) output file
waithidden cmd.exe /q /c wmic /output:c:\temp\hotfixes_temp.txt qfe get description,hotfixid, installedon
// cmd /a makes the redirected output of "type" ANSI
waithidden cmd.exe /a /C type c:\temp\hotfixes_temp.txt > c:\temp\hotfixes.txt
waithidden cmd.exe /q /c del c:\temp\hotfixes_temp.txt

(imported comment written by martinc)

Kind of late on this, but just to ask why the /format option was not used. For example:

wmic logicaldisk get caption,providername,drivetype,volumename /format:csv




wmic qfe get description,hotfixid,installedon /format:csv








ZAAZEE-XPS15,Security Update,KB2393802,10/21/2012

This could then be read quite easily with an analysis.

Or maybe I am just missing something :)


(imported comment written by jpeppers91)

During my testing, regardless of the format, wmic always dumped the file in Unicode format and TEM couldn’t translate that.

When you say could be easily read with an analysis, what do you mean?

(imported comment written by liuhoting)

I think what martin means is if the wmic /format command works (and you can verify with the relevance debugger on that endpoint), you should be able to write up an analysis that has a property with something like "lines of file :\temp\hotfixes.txt" and have that data be available in our console.

(imported comment written by jpeppers91)

I gotcha.

(imported comment written by martinc)

OK, so wmic is known not to output to ASCII and there is no built-in way to get around this. Even the MS docs state to use TYPE as jpeppers noted above.

So piecing together some queries from previous posts, maybe try this:

q: if (exists wmi) then ((string value of property "Description" of it | "No Description", string value of property "HotFixID" of it | "No HotFix ID", string value of property "InstalledOn" of it | "No InstalledOn Date") of select objects "description,hotfixid,installedon from Win32_QuickFixEngineering" of wmi) as string else "N/A"

A: Security Update, KB2832414, 7/18/2013

A: Security Update, KB2833946, 7/19/2013

A: Security Update, KB2834886, 7/19/2013

A: Security Update, KB2835361, 7/19/2013

This would avoid the need of using a fixlet action and you could just put it into an analysis.

Hope that helps.

(imported comment written by SecurityMG)

From the previous post just read the WMIC output like so:

dos type whatever.txt > proper_text_whatever.txt

Should clean up the WMI /format issue.

QNA will give you an odd result, but the final output from BF should be right and readable by you in Notepad or Excel.