Relevance substitution error - for file cleanup of old MS MRT EXE

DerrickD · September 13, 2023, 9:13pm

I recently created a task to cleanup old Microsoft Malicious Removal Tool (MRT) EXE from Windows. It works by checking file dates and deleting from Windows and BigFix and if BigFix is recent, copy back to Windows.

This part of the code, seems to have no issues.

// Force 64bit
action uses wow64 redirection false


// Kill any running process
if {exists running application "mrt.exe"}
	WAITHIDDEN "taskkill /F /IM mrt.exe"
endif
if {exists running application "Windows-KB890830.exe"}
	WAITHIDDEN "taskkill /F /IM Windows-KB890830.exe"
endif


// Delete older MRT from Windows System folder
if {exists file "MRT.exe" whose (modification time of it < (now - 45 * day)) of native system folder}
	delete "{native system folder}\MRT.EXE"
endif

In one of our deployments (I did not check others), 742 computers ran this fine. However, 20 failed at the same place with this section:

// Delete older MRT from BigFix Client folder
if {exists file "Windows-KB890830.exe" whose (modification time of it < (now - 45 * day)) of folder (pathname of parent folder of client folder of site "actionsite" as string & "\__MSTools\RemovalTool")}
	delete "{pathname of parent folder of client folder of site "actionsite"}\__MSTools\RemovalTool\Windows-KB890830.exe"
endif

Client logs show:

Wow64 redirection disabled. action uses wow64 redirection false (group:1126590,action:1126629)
   Command succeeded delete "C:\windows\system32\MRT.EXE" (group:1126590,action:1126629)
   Command failed (Relevance substitution error.) if {exists file "Windows-KB890830.exe" whose (modification time of it < (now - 45 * day)) of folder (pathname of parent folder of client folder of site "actionsite" as string & "\__MSTools\RemovalTool")} (group:1126590,action:1126629)

If I run the relevance in QNA, these computers have no issues. True/False is returned correctly. All endpoints are Windows Servers (12/16/19/22).
Any ideas what could be issue?

And for those curious about the full task, this is the last part.

// Copy Windows-KB890830.exe to MRT.exe
if {exists file "Windows-KB890830.exe" of folder (pathname of parent folder of client folder of site "actionsite" as string & "\__MSTools\RemovalTool")}
	copy "{pathname of parent folder of client folder of site "actionsite"}\__MSTools\RemovalTool\Windows-KB890830.exe" "{native system folder}\MRT.EXE"
endif

More frustrating is the relevance for the task, has the same code essentially. Which means the computer already interpreted it fine. It’s just when being used as substitution in actionscript.

(version of client >= "6.0.0.0") AND ((exists true whose (if true then (exists (if exists true whose (if true then in proxy agent context else false) then "Proxy - " & data source else "Native") whose (it as string as lowercase contains "Native" as lowercase)) else false)) AND (exists true whose (if true then (exists (operating system) whose (it as string as lowercase contains "Win" as lowercase)) else false)) AND (exists true whose (if true then ((exists file "MRT.exe" whose (modification time of it < (now - 45 * day)) of native system folder) OR (exists file "Windows-KB890830.exe" whose (modification time of it < (now - 45 * day)) of folder (pathname of parent folder of client folder of site "actionsite" as string & "\__MSTools\RemovalTool") | False)) else false)))

Screenshot showing False as the file is recent, but then True when I change 45day to 1day.

DerrickD · September 26, 2023, 2:20pm

Found the issue finally. The issue is if the path does not exist, it causes the relevance to fail when looking for path with EXE. I am sure there is a simpler way to do this, but this is my updated code that worked in testing… have not had a large deployment yet.
The relevance for the fixlet works because I have a “| False” in there which was not the case inside of the actionscript.

// Delete older MRT from BigFix Client folder
if {exists folder (pathname of parent folder of client folder of site "actionsite" as string & "\__MSTools\RemovalTool")}
	if {exists file "Windows-KB890830.exe" whose (modification time of it < (now - 45 * day)) of folder (pathname of parent folder of client folder of site "actionsite" as string & "\__MSTools\RemovalTool")}
		delete "{pathname of parent folder of client folder of site "actionsite"}\__MSTools\RemovalTool\Windows-KB890830.exe"
	endif
endif


// Copy Windows-KB890830.exe to MRT.exe
if {exists folder (pathname of parent folder of client folder of site "actionsite" as string & "\__MSTools\RemovalTool")}
	if {exists file "Windows-KB890830.exe" of folder (pathname of parent folder of client folder of site "actionsite" as string & "\__MSTools\RemovalTool")}
		copy "{pathname of parent folder of client folder of site "actionsite"}\__MSTools\RemovalTool\Windows-KB890830.exe" "{native system folder}\MRT.EXE"
	endif
endif

JasonWalker · September 26, 2023, 3:57pm

Do you only want to copy MRT if there is an older version present, or do you also want to copy it if there is none present at all?

Could probably simplify some of the checks using plurals. Give this a try. The ‘delete’ will silently succeed if the file is not present, as long as the Relevance is pluralized and it doesn’t throw an error this should evaluate ok.

// If a version newer than 45 days old is not present, delete old one (if it exists) and copy new one from site
if {not exists files "Windows-KB890830.exe" whose (modification time of it > (now - 45 * day)) of folders (pathname of parent folder of client folder of site "actionsite" as string & "\__MSTools\RemovalTool")}
		delete "{pathname of parent folder of client folder of site "actionsite"}\__MSTools\RemovalTool\Windows-KB890830.exe"
endif

if {exists files "Windows-KB890830.exe" of folders (pathname of parent folder of client folder of site "actionsite" as string & "\__MSTools\RemovalTool")}
copy "{pathname of parent folder of client folder of site "actionsite"}\__MSTools\RemovalTool\Windows-KB890830.exe" "{native system folder}\MRT.EXE"

Thinking on this a bit more, this should also work to put it all in one step. This compares the modification time of the __BESData__MSTools copy to the modification time of what’s in the system32 folder; if the system32 version does not exist, the “Jan 01 1970” time is substituted instead. If the system32 copy is missing or older, the copy from __MSTools is used. This doesn’t delete the copy in __MSTools if it’s old, but ignores it if the copy in system32 is newer.

if {exists (files "Windows-KB890830.exe" of folders (pathname of parent folder of client folder of site "actionsite" as string & "\__MSTools\RemovalTool")) whose (modification time of it > maximum of (modification times of files "MRT.exe" of native system folder; "01 Jan 1970 00:00:00 -0000" as time))}
  delete "{native system folder}\MRT.EXE"
  copy "{pathname of parent folder of client folder of site "actionsite"}\__MSTools\RemovalTool\Windows-KB890830.exe" "{native system folder}\MRT.EXE"
endif