Can anyone help me turn this into a native BigFix query please?
gwmi -Class win32_service | select name,startname | ?{$_.startname -match (gwmi -class win32_useraccount -filter "domain='$env:computername'" | ? {$_.SID -match "-500$"}).name}
I’m not entirely sure I follow what that’s trying to do, and it’s taking a really long time to process on my machine. What’s the expected output?
It should return any services that are started by the built-in administrator.
I’ve tried some other ways of doing it, but it’s not quite allowing me to filter correctly for the SID.
Ah, ok, thanks, I was off on the wrong track. I was able to work it up this way, though: since ‘login account of service’ returns a string (not a sid/user/security account), I compare the string against the local admin account name. Would this work for you?
q: (it as lowercase; computer name as lowercase & "\" & it as lowercase; ".\" & it as lowercase) of names of local users whose (component string of sid of it ends with "-500")
A: administrator
A: bes-root\administrator
A: .\administrator
T: 500.380 ms
I: plural string
q: (service name of it, login accounts of it) of services whose (login account of it as lowercase is contained by set of (it as lowercase; computer name as lowercase & "\" & it as lowercase; ".\" & it as lowercase) of names of local users whose (component string of sid of it ends with "-500"))
A: GoogleUpdaterService132.0.6806.0, .\Administrator
T: 498.411 ms
I: plural ( string, string )
Jason - one day I will owe you more beers than we can drink together!
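For comparison, the exact-match approach of the relevance above written back in PowerShell, as an added example that is not from any poster in this thread. It uses Get-CimInstance and tests StartName for equality against the same three name forms instead of the regex -match in the original one-liner; the function name Get-BuiltinAdminService is hypothetical.

```powershell
# Added example: list services whose logon account is the local built-in
# Administrator (RID 500). The function name is hypothetical.
function Get-BuiltinAdminService {
    [CmdletBinding()]
    param()

    # Local accounts only. The built-in Administrator's SID always ends in -500,
    # whatever the account has been renamed to.
    $admin = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object -First 1
    if (-not $admin) { return }

    # The same three spellings the relevance builds: name, COMPUTER\name, .\name.
    $forms = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($f in @($admin.Name, "$env:COMPUTERNAME\$($admin.Name)", ".\$($admin.Name)")) {
        [void]$forms.Add($f)
    }

    # Exact, case-insensitive equality. A regex -match on the bare name would also
    # hit DOMAIN\Administrator or any account whose name merely contains it.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $forms.Contains($_.StartName) } |
        Select-Object Name, StartName
}

Get-BuiltinAdminService
```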