DarrenWhite99

Administrator
  • Content Count: 1273
  • Days Won: 204

DarrenWhite99 last won the day on January 18

DarrenWhite99 had the most liked content!

Community Reputation

476 Excellent

My Information

  • Location
    Redding, California, US
  • Agent Count
    2000 - 3000 Agents

  • OCCUPATION
    Senior Systems Engineer

  1. Take a look at https://github.com/darkoperator/Posh-SSH I have had this in an open tab for weeks (months?), just waiting for time to dig in...
  2. @ray, if the script delay is blank or 0, it runs like a function (the script waits). If the script delay is 1 or more (minutes), the script is queued to run on the current @computerid@ computer with all the current user (@) variables passed as parameters and the current script continues immediately. The queued script will then run after X minutes as a new, separate instance subject to script run limitations (if the computer is offline, the script won't run unless it is flagged as an offline script, if the agent is in maintenance mode the script won't start unless it is a maintenance script, i
  3. Strange @toril.. Your example worked fine for me? C:\Temp>powershell.exe "$rawinput=$($input) -join \"`n\";[system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('SWYgKCEoJHJhd2lucHV0KSkgewokaW5wdXRGcm9tVXNlciA9IEAoKTsKRG8gewpJZiAoJE51bGwgLW5lICRyYXdpbnB1dCAtYW5kICRyYXdpbnB1dC5MZW5ndGggLWd0IDApIHskSW5wdXRGcm9tVXNlciArPSAkcmF3aW5wdXR9CiRyYXdpbnB1dCA9ICIkKFJlYWQtSG9zdCAnSW5wdXQgY29tbWFuZHMgKHEgdG8gZXhpdCknKWBuIgp9IFVudGlsKCRyYXdpbnB1dCAtbWF0Y2ggJ15xJCcpCiRyYXdpbnB1dD0kaW5wdXRGcm9tVXNlciAtam9pbiAnJwp9CiciJXdpbmRpciVcU3lzdGVtMzJcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxwb3dlcnNoZWxsLmV4Z
  4. I posted an alternative method of encoding PowerShell so that it can be used with Role Definitions, but also for Remote Monitors and many more applications.
  5. Have you ever used the native PowerShell -encodedcommand feature for a small script, and had a huge command line? Have you ever tried to use PowerShell in a Role Definition and discovered that the '}' character breaks it? Have you ever wanted to easily turn some PowerShell into a one-liner for a remote monitor or some other situation where you can't write the script to a file? Run this to convert your commands into an encoded one-liner: powershell.exe "$rawinput=$($input) -join \"`n\";[system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('SWYgKCEoJHJhd2lucHV0K
  6. You cannot directly change any internal (%) variables. At most you can call functions that change them, but only according to their design. To change the variables you mentioned you would need to modify the location admin credential and call the function to reload internal variables. I don't suggest attempting to swap the location credentials around to support "per-computer" administrator credentials. You could easily hit a race condition where something else is looking to the credentials (or updates them) as you are changing or loading them causing one of you to get the wrong value.
  7. There are of course exceptions to this "rule". For instance, when you use the Script Run function with a Delay Minutes value > 0. As an example, if your script runs another script with a delay of 600 minutes, it should not start for 10 hours. Nothing is written to ScheduledScripts, it doesn't need to be "scheduled". RunningScripts only contains scripts that have been assigned a ThreadID, whose start time has arrived. So the delayed script from this function is added to the PendingScripts table, with the start time set for 10 hours from now. When the start time arrives, the script
  8. I confirmed the registry check (barring intentional manipulation of the registry) is a better indicator of an appropriate patch being installed than trying to test for specific installed updates. It even flagged systems I thought were patched but on investigation found had not yet been restarted and thus the patch was installed but not effective. I did update my monitor to not include “in progress” patches so I got the same results, but since the registry check is quick and simple and accurate, I agree it’s the best way to monitor for vulnerable systems.
  9. Basically yeah, that's all that will be returned because that is all that will be written to the DB. But you may have noticed that when you test the monitor it does return more. That's why I made a script to test remote monitors and capture the full result. When the remote monitor alerts, it should trigger this script which will test the monitor again and capture the full output and attach it to the ticket (if already created). NOTE: This only works for monitors where the output can be reproduced. For instance, this cannot be used with event log monitors, SNMP Traps, a monitor t
  10. Yes. But beyond those, you should not change anything in SQL. After you import you could use the GUI to adjust some bits.. But probably not.
  11. Ahh.. The "Limit To" search ID is different for my system. Sorry, I just tossed it up quickly. It doesn't have my usual niceness of validating related IDs based on their name/GUID, etc. Maybe I'll throw an update on it that checks for that.
  12. I dusted off my old WannaCry monitor and came up with this remote monitor. It searches for known KBs installed on the system and will alert and create a ticket if known KBs are not installed. Over time additional KBs will need to be added to the list, but for now I believe it is complete. The Remote Monitor is using this command if you want to test it without importing the SQL: "%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command "& {$tpDebug=0;$MVer=1.0;$ProgressPreference='SilentlyContinue';IF (-not ($psversiontable.psversion -gt 1.9)) {'Error:POSH 2.0
  13. That is correct. The Identity (Fieldname) value is what determines if a result is treated as a new alert or as an existing one.
  14. The bundle at https://www.mspgeek.com/applications/core/interface/file/attachment.php?id=8898 includes an XML named "AUTOMATIC - Perform Domain Join.xml". But that XML includes multiple scripts including the "Manual Join" one. (The Automatic join just pre-loads variables for the manual join. It's always using the "Manual Join" script to do the work.)
  15. I managed to make this into an almost 70 line script that can be triggered by a monitor, can create or find an existing ticket, verifies the admin credentials, creates the profile folder, and clears the monitor alert and updates the ticket reporting the outcome. But this is the heart of creating the profile: SHELL as Admin: whoami & whoami /groups | findstr "S-1-5-32-544">NUL&&ECHO SUCCESS - User is Administrator and store the result in %shellresult% IF @shellresult@ Not Contains SUCCESS THEN Jump to :UserIsNotValid SHELL: powershell.exe "$U='%computeruserdomain%'; $U