Hi All,
We have recently noticed that Event Viewer is spawning MsiInstaller a number of times in the Application log. Please let me know if BigFix uses the Win32_Product class anywhere within the Fixlets/Tasks/Analyses.
Thanks,
Nitin V J
Can you be more specific? Relevance can include a lot of things but nothing specific like you mention, as that's a Win32 structure.
What MSIInstaller is being run?
Querying the WMI Win32_Product class can trigger MSInstaller to verify each product. This repeated event logging sometimes comes from WMI GPO filters using Win32_Product, but third-party products (i.e. BigFix) certainly could be doing the same.
Is there a way that we could stop BigFix from querying the Win32_product class alone and not the other WMI queries?
Hello Gentlemen,
Any further information? How can I stop the spamming of event ID 1035 in the event log?
Thanks
Since BigFix runs in a System context I think you will have a hard time preventing it through permissions or anything like that.
Are you seeing this behaviour from the default IBM sites?
I think the issue is finding what, if any, of the content is running this check. I should have something to post shortly...
Iterate through fixlet content with REST and look for any relevance that contains "win32_product"?
Try searching your fixlet content to find one containing win32_product in its relevance. This may take several minutes!
You could try this in Web Reports QNA by opening a browser and connecting to https://your_web_reports_server?page=QNA
Q: (id of it, name of it, name of site of it, relevance clauses of it) of fixlets whose (exists relevance clauses whose (it as lowercase contains "win32_product") of it) of all bes sites
I didn't get results in my deployment, which tells me that it's (at least) not in the "Patches for Windows" or "Updates for Windows Applications" default content. You might find results from one of your custom tasks/fixlets.
update: you can also check your BES Property definitions to see whether this is being returned by a Property / Analysis Property (it's not, in my environment):
q: (name of it, (if (exists source analysis of it) then (name of site of source analysis of it & ":" & name of source analysis of it) else "Global"), definition of it) of bes properties whose (definition of it as lowercase contains "win32_product")
That's exactly where I was going with it
Having had situations where I have a template piece of relevance or actionscript that worked in testing, got added to dozens of fixlets, then I found some edge case where it breaks and I have to go update the logic in lots of places, I already had a dashboard handy to search for a given string in all fixlet/task Relevance & Action Script, and in Analysis properties.
I did find a few results on running your first query; below are a few samples of the results. Please guide how to proceed further.
A: 499496, Install_Google_Chrome_V65.96.32832, ********_SD_Prod, ( (if(name of operating system starts with "Win") then free space of drive of client > 70071680 else if ((mac of it) of operating system) then free space of filesystem of folder (pathname of client) > 70071680 else free space of filesystem of client > 70071680) )
A: 499496, Install_Google_Chrome_V65.96.32832, ********_SD_Prod, version of client >= "9.5.6.63"
A: 499496, Install_Google_Chrome_V65.96.32832, ********_SD_Prod, windows of operating system AND (if( name of operating system starts with "Win" ) then platform id of operating system != 3 else true)
A: 499496, Install_Google_Chrome_V65.96.32832, ********_SD_Prod, not exists (select objects "name from Win32_Product where name='Google chrome'and version>='47.0.2526.106'" of WMIs )
A: 499496, Install_Google_Chrome_V65.96.32832, ********_SD_Prod, false
A: 440445, Install_Google_Chrome_V65.96.32832, ********_Software_Distribution, ( (if(name of operating system starts with "Win") then free space of drive of client > 70071680 else if ((mac of it) of operating system) then free space of filesystem of folder (pathname of client) > 70071680 else free space of filesystem of client > 70071680) )
A: 440445, Install_Google_Chrome_V65.96.32832, ********_Software_Distribution, version of client >= "9.5.6.63"
A: 440445, Install_Google_Chrome_V65.96.32832, ********_Software_Distribution, windows of operating system AND (if( name of operating system starts with "Win" ) then platform id of operating system != 3 else true)
A: 440445, Install_Google_Chrome_V65.96.32832, ********_Software_Distribution, not exists (select objects "name from Win32_Product where name='Google chrome'and version>='47.0.2526.106'" of WMIs )
A: 440445, Install_Google_Chrome_V65.96.32832, ********_Software_Distribution, false
That's a custom fixlet with relevance that queries win32_products, meaning someone in your organization created it. Suggestion? Rewrite it...
Will removing that relevance in the custom task solve my issue?
That may make it worse. Don't delete it yet. Standby.
Okay! But the evaluation criteria is set to false, so none of the computers are applicable under this custom fixlet? Hope it won't cause any issue until computers are subscribed...
Are you using that particular fixlet for anything? That's an old version of Chrome, anyway...
Removing that relevance would change the fixlet functionality, which you should know if you are writing custom content. If this is news to you, I would suggest attending a training course on the automation tool your organization is using...
So at first I was concerned the "Manage Software Distribution Dashboard" might be generating fixlets with that in their relevance, but that doesn't seem to be the case. I don't use the SWD dashboards, but I went ahead and created a test package of Google Chrome. The generated content did not use WMI to query for the product install, so that's good.
Looks like someone in your organization either wrote, or modified, a fixlet to use Win32_Product in the relevance. Don't know if you noticed, but they are also not checking for the correct Chrome version - the title says version 65.96.32832, but in the Relevance they're checking for version 47.0.2526.106.
The relevance that the SWD dashboard generated for my Chrome installer included
(disjunction of (NOT exists keys "{21BED74A-2399-33DA-A4C2-DA59444ADEC4}" whose ( value "DisplayVersion" of it as string as version >= "67.92.106" as version AND value "Language" of it as string = "1033") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of ( x32 registry; (if exists x64 registry then x64 registry else nothing) )))
so that might be a better check to replace the WMI query in your fixlet (again, substituting in the correct version number for what you are deploying).
I'm afraid I have to echo @mwolff's concern...you should take some care in authoring content in BigFix, because (as you're seeing) you can easily impact massive numbers of systems while you're learning. You should definitely work in a test/training environment before authoring in production, and the HCL / IBM-provided training are worth every penny. You can also search for the "BigFix Relevance Guide" and "BigFix Action Authoring Guide" to read the book on how to develop content.
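The same idea as the registry-based relevance in the post above, shown as a PowerShell sketch for checking a single endpoint by hand: it reads the Uninstall keys instead of Win32_Product and counts MsiInstaller event 1035 entries to confirm the noise has stopped. This is an added example, not part of the original thread or of BigFix content; the function names and the sample product pattern are assumptions.

```powershell
# Added example: installed-product lookup that never touches Win32_Product.
# Function names are illustrative, not BigFix or Microsoft-provided.
function Get-InstalledProduct {
    param([Parameter(Mandatory)] [string] $NamePattern)   # wildcard, e.g. 'Google Chrome*'
    # Native and WOW6432Node views, like "x32 registry; x64 registry" in the relevance.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }           # 32-bit OS has no WOW6432Node
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName -like $NamePattern) {
                [pscustomobject]@{
                    Key            = $_.PSChildName
                    DisplayName    = $p.DisplayName
                    DisplayVersion = $p.DisplayVersion
                }
            }
        }
    }
}

function Test-ProductAtLeast {
    param(
        [Parameter(Mandatory)] [string]  $NamePattern,
        [Parameter(Mandatory)] [version] $MinimumVersion
    )
    foreach ($prod in Get-InstalledProduct -NamePattern $NamePattern) {
        $v = $null
        # DisplayVersion is free text; skip entries that do not parse as a version.
        if ([version]::TryParse($prod.DisplayVersion, [ref]$v) -and $v -ge $MinimumVersion) {
            return $true
        }
    }
    return $false
}

function Get-MsiReconfigEventCount {
    param([int] $Hours = 12)
    # Event 1035 from MsiInstaller in the Application log, as reported in this thread.
    $filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1035
                 StartTime = (Get-Date).AddHours(-$Hours) }
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue).Count
}

# Usage: Test-ProductAtLeast -NamePattern 'Google Chrome*' -MinimumVersion '47.0.2526.106'
#        Get-MsiReconfigEventCount -Hours 12
```

Run it from a 64-bit PowerShell host on 64-bit Windows; a 32-bit host is redirected to the WOW6432Node view for both paths.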
Thanks for the solution around this. I haven't seen any 1035 events after modifying the relevance which was querying win32_class. Continuing to monitor for the next 12 hrs; if I find any, I will communicate it in the same thread.
Thanks @JasonWalker @mwolff