Searching a computer for a file

(imported topic written by BenKus)

Several threads have been posted about how to search for files with specific extensions using BES.

Searching a computer for a file can take a long time and it will use a fair amount of CPU and lots of disk IO. The more files, the longer it will take. This can potentially bother the end-user of the computer or cause performance concerns.

Rather than create relevance that searches for a file (which will run when the BES Client starts and when a ForceRefresh is sent), it is a much better idea to create an action that searches the computer and then writes the results to a file, which can be read with a property. The action will give you much more control about when the search runs (using the action scheduling parameters).

Attached is a .bes file that can be imported into BES 6.0+ deployments. The file includes a Task with two actions and a property to bring back the results:

  • One action will search for specific files and return the counts. For instance, if you search for “avi” and “mp3”, it might return

mp3 - 502

avi - 16

  • The other action will search for files with specific extensions and return the pathname and size. For instance, if you search for “.pst”, it might return:

C:\Outlook\personaldata.pst (1023 KB)

C:\Archive Data\archive.pst (134310 KB)

As always, when searching for files across a system: BE CAREFUL! Searching a file system takes a lot of resources. We continue to run across situations where users are saying that the BES Client is taking too much CPU and we find that they are constantly running searches across their systems.

Please test the attached Task/Property. It didn’t go through any particular QA other than me testing it on a system or two. Let me know if it has any issues.

Ben

(imported comment written by ivynash)

hi ben,

I have imported the fixlet and tried to search an extension “txt”, but it is showing failed and the error is:

The action has been run 1 time, and will not be run again.

The action failed.

Completed: // prompt the BES Console user for extensions to report on

Completed: action parameter query “extensions” with description “Please enter the extensions (one or more) that you wish to count (separated by ‘;’)” with default “mp3;avi”

Completed: // create a reg value to indicate last time started

Completed: regset "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient" "LastSearchStarted"="{now}"

Completed: // delete temporary file (probably doesn’t exist, but might cause problems if it does)

Completed: delete __appendfile

Completed: // search computer and results in temp file

Failed: appendfile {concatenation “%0d%0a” of (it & “-” & multiplicity of it as string) of unique values whose ((";" & (parameter “extensions” of action) & “;”) contains (";" & it & “;”)) of ( following texts of lasts “.” of (it as lowercase) whose (it contains “.”) of names of descendants of folder “” of drives whose (type of it = “DRIVE_FIXED”)) }

// overwrite previous results (if they exist)

delete “{pathname of parent folder of regapp “besclient.exe”}\searchresults.txt”

move __appendfile “{pathname of parent folder of regapp “besclient.exe”}\searchresults.txt”

// create a reg value to indicate last finish started

regset "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient" "LastSearchFinish"="{now}"

(imported comment written by Edj)

Ben,

I have tested the Task and it works fine. I was wondering however, what lines of code would you add if you would like to return the “Pathname” and “Modification Time” along with the file size. I have tried modifying your code but I cannot get it to work.

Thanks,

Edj

(imported comment written by BenKus)

Hey Ed,

You would modify part of the second action… Before it was:

…(pathname of it & " (" & (size of it / 1000) as string & " KB)")…

Change it to:

…(pathname of it & " (" & (size of it / 1000) as string & " KB) – " & modification time of it as string)…

BTW, please be VERY careful with this type of action… Not only is it expected to run for a long time on computers, but if it returns lots of results (like dozens of lines per computer), it will cause your BES Console to bloat its memory…

Ben

(imported comment written by Edj)

Thanks Ben.

I must run this task on a selection of Database servers to locate their Database files.

Edj

(imported comment written by Edj)

Ben,

The process worked. However, I do have another question. The “Search results” returns a list of the files but does not display it in regards to the Machine. Is there a way to list the Property values by the Machine Name?

Thanks Again,

Edj

(imported comment written by BenKus)

Hey Ed,

I am not too sure what you mean… Are you looking at the results in an Analysis view (if so, look at the top-right corner of the analysis page for “view as list”) or is it a global property?

Ben

(imported comment written by Edj)

It's the “Search Results” property that was imported with the “Search computer for files.bes” Task.

(imported comment written by Edj)

I am now receiving the same error that ivynash received, when running this process on my servers. Any Ideas?

Thanks,

Edj

Failed: appendfile {concatenation “%0d%0a” of (it & “-” & multiplicity of it as string) of unique values whose ((";" & (parameter “extensions” of action) & “;”) contains (";" & it & “;”)) of ( following texts of lasts “.” of (it as lowercase) whose (it contains “.”) of names of descendants of folder “” of drives whose (type of it = “DRIVE_FIXED”)) }

// overwrite previous results (if they exist)

(imported comment written by Edj)

Almost There!!!

One Reason that the actionscript below is failing is due to the folder object not being plural (to account for clients with multiple fixed drives). So, tweaking the actionscript below (note the ‘s’ added to folders “\” of drives whose (type of it….) should allow it to run:

// prompt the BES Console user for extensions to report on

action parameter query “extensions” with description “Please enter the extensions (one or more) that you wish to count (separated by ‘;’)” with default “mp3;avi”

// create a reg value to indicate last time started

regset "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient" "LastSearchStarted"="{now}"

// delete temporary file (probably doesn’t exist, but might cause problems if it does)

delete __appendfile

// search computer and results in temp file

appendfile {concatenation “%0d%0a” of (pathname of it & " (" & (size of it / 1000) as string & " KB)" & "

"& modification time of it as string & "

" & pathname of it as string) of (descendants whose (pathname of it as lowercase ends with “.” & (parameter “extension” of action) ) of folders “\” of drives whose (type of it = “DRIVE_FIXED”)) }

// overwrite previous results (if they exist)

delete “{pathname of parent folder of regapp “besclient.exe”}\searchresults.txt”

move __appendfile “{pathname of parent folder of regapp “besclient.exe”}\searchresults.txt”

// create a reg value to indicate last finish started

regset "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient" "LastSearchFinish"="{now}"

That said, in testing the above relevance, another issue appeared which may be more problematic. The above relevance did not find all instances of files with a certain extension on the drives during testing. It found some, but not all. This may be due to a limitation of one of the inspectors. There may be other ways to search the drive for certain types of files that would work (like using dir /s/b instead of descendants). I am not quite sure how to fit this within the action script. I will take a look but if someone comes across a working solution before I do, Please post it.

Notice that I added “Modified Time” and “Pathname” as a variable that I would like returned; other than that it is the same action script as the original.

Thanks

And another Thank You to Aram for helping me with this last post.

Edj

(imported comment written by BenKus)

Hey Ed,

I think the “descendants of folder” inspector aborts if it hits a file that it doesn’t have access to… We can check this out a bit to see if we spot the issue…

Ben

(imported comment written by SystemAdmin)

I would be interested to know if “descendants of folder” does abort when it hits a file it doesn’t have access to. I tried before to search for a set of executables and the analysis was failing on ~20% of the machines even when I activated the analysis on a Saturday when no one was in the office. I ran the same search on just the “C:\Program Files” folder and didn’t receive any errors.

(imported comment written by BenKus)

Hi Edj and Hexadecimal,

We found that the “descendants of folder” inspector will stop recursing if it hits a file with characters in the filename that we don’t recognize (such as high or low ascii characters). I believe if the SYSTEM account doesn’t have access to a file it will also stop. We filed a bug about this, but in the meantime we will need to rewrite this “search the computer” action to use something like the “dir” command.

I will see what we can whip up…

Ben
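
The failure mode discussed above (a recursive search that stops at the first entry it cannot read) and the action's write-to-temp-file-then-move step, sketched in Python as an added example that is not part of the original thread or the attached Task. The function names and the "skipped" summary line are assumptions made for illustration; the ";"-separated extension list and the "ext - count" output follow the first post.

```python
import os
import tempfile
from collections import Counter


def count_extensions(roots, extensions):
    """Count files per extension under roots; skip unreadable entries instead of aborting."""
    wanted = {e.strip().lower().lstrip(".") for e in extensions.split(";") if e.strip()}
    counts, sizes, skipped = Counter(), Counter(), []

    def on_error(err):
        # os.walk calls this when a directory cannot be listed (e.g. access denied);
        # record it and keep walking rather than ending the search early.
        skipped.append(err.filename)

    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=on_error):
            for name in files:
                ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
                if ext not in wanted:
                    continue
                counts[ext] += 1
                try:
                    sizes[ext] += os.path.getsize(os.path.join(dirpath, name))
                except OSError:
                    # File vanished or is unreadable: count it, note it, move on.
                    skipped.append(os.path.join(dirpath, name))
    return counts, sizes, skipped


def write_results(path, counts, sizes, skipped):
    """Write to a temp file, then replace the previous results in one step."""
    lines = [f"{ext} - {counts[ext]} ({sizes[ext] // 1000} KB)" for ext in sorted(counts)]
    # Reporting what was skipped makes an incomplete search visible to whoever reads it.
    lines.append(f"skipped - {len(skipped)}")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8", newline="") as out:
        out.write("\r\n".join(lines))
    os.replace(tmp, path)  # readers never see a half-written results file
    return lines
```

A search that silently stops early under-reports what is on the machine, so the skipped count is written alongside the per-extension totals.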

(imported comment written by dankudos91)

I just registered on these forums today after finding this thread. Thank you!

I understand the issues others are seeing but for our environment this worked perfectly in testing today. We’ll run a larger test tonight but I expect this will give us the information we need in an easy to understand way thanks to adding an Analysis and Web reports.

Thanks again and expect to see me back to steal more good ideas!

Dan

(imported comment written by frankc91)

Expanding on thread above, does anyone know of a simple and easy way to append to an existing text file via a fixlet or task?

i.e., add an entry to a Windows “\drivers\etc\Hosts” file with something like:

10.X.Y.Z xyz.test.com

Thanks!

(imported comment written by jessewk)

delete __createfile

createfile until end_create

{(concatenation of lines of file (pathname of system folder & "\drivers\etc\Hosts")) & "%0d%0a" & "10.X.Y.Z xyz.test.com"}

end_create

delete "{pathname of system folder & "\drivers\etc\Hosts"}"

move __createfile "{pathname of system folder & "\drivers\etc\Hosts"}"

Note: completely untested.

(imported comment written by BenKus)

Hey Frank / Jesse,

I posted another way to do this in a new topic:

http://forum.bigfix.com/viewtopic.php?pid=3667#p3667

My method is different than Jesse’s but either should work…

Ben

(imported comment written by dankudos91)

I returned to my client today and am looking at the results from an overnight search of about 150 machines. We did error out on about 40 machines but the results we have in hand are great. Any plans to revise this action soon or should I investigate other methods for querying with 100% accuracy?

Thank you for the fine start with this action. The level of support offered on these forums certainly has improved my opinion of BigFix overall. Thank you for your excellent help!

Dan

(imported comment written by brolly3391)

Hello Ben,

I have put together this alternate way to perform this file search that does not use the descendants of property and is easier on the BES Client. It also performs a neat end around on the bug you mentioned. We will leverage the windows DIR command. This command has a couple of flags, /b and /s, that are not frequently used that will be perfect for this effort. The flags /a and /o could also be of interest. http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/dir.mspx?mfr=true

We will still use a task to trigger the data collection and an analysis or retrieved property to collect the results from the endpoints. This is the same model as the first post describes with a different method for the data collection phase. Here is an example of a search on the c: drive for all files with the .MP3 extension:

Task

Relevance

name of operating system as lowercase starts with "win"

Action

runhidden {pathname of system folder}\cmd.exe /C dir /s /b c:*.MP3 >"{pathname of parent folder of regapp "besclient.exe"}\searchresults_MP3.txt"

setting "MyFileSearch_MP3"="{now}" on "{now}" for client

Alternate dir command to include hidden and system files and folders and sort our results by directory then filename.

runhidden {pathname of system folder}\cmd.exe /C dir /s /b /a /o:gn c:*.MP3 >"{pathname of parent folder of regapp "besclient.exe"}\searchresults_MP3.txt"

Analysis or Retrieved Property

Relevance for search results

if (exists file "searchresults_MP3.txt" of parent folder of regapp "besclient.exe" ) then (lines of file "searchresults_MP3.txt" of parent folder of regapp "besclient.exe") else ("MP3 Search result not present")

Relevance for last search time

if (exists setting "MyFileSearch_MP3" whose (exists value of it) of client) then (value of setting "MyFileSearch_MP3" of client) else ("Search never run")

This will return if there are no results after the search has been run. When you take the action of your task you could set it up to run periodically by using the “Automatically reapply this action if it becomes relevant again after it has successfully executed” checkbox and setting the pull down to 1 day or whatever interval you want to use. One thing to remember here is that your search results will age.

To search for a file extension that is not MP3, just use a find/replace on the .BES file or edit the above relevance and action to replace BES with your own file extension.

Cheers,

Brolly

(imported comment written by MBARTOSH)

Hi Brolly,

Thanks for your script.

I was wondering if you found a method of capturing the total size of all of the mp3 files using the DIR command?