Topic
24 replies Latest Post - ‏2014-09-13T04:23:52Z by JasonWalker
Matt.Johnson
Matt.Johnson
83 Posts
ACCEPTED ANSWER

Pinned topic Failed Action Command - Executing a Batch File (.BAT)

‏2012-05-03T15:54:01Z |
New Day - New Challange:
I am trying to write a simple action to:
1. Distribute a small batch file to a workstation
2. Execute that batch file as SYSTEM

So my relevance code works, Now I am working on the action. I have used the following actions to try and complete the task:
download http://SERVER.FQD.DOM:PORT/Uploads/0eede14c0b20352b1c726d415d9ebc898281de3c/TurnOnBIT.bat.tmp
continue if {(size of it = 91 AND sha1 of it = "0eede14c0b20352b1c726d415d9ebc898281de3c") of file "TurnOnBIT.bat.tmp" of folder "__Download"}
extract TurnOnBIT.bat.tmp

wait "{pathname of system folder & "\cmd.exe"}" /Q /C "{(pathname of client folder of current site) & "\__Download\TurnOnBIT.bat"}

(NOTE I changed the server name for security)

It errors out on the WAIT line (5) - Stating that validation failed (Relevance clauses must be surrounded by { and } guards. Now this code was generated by the Software Distrbution Wizzard, and the line does seem to be surrounded by guards. So why is this failing to execute?
Updated on 2012-05-07T13:40:42Z at 2012-05-07T13:40:42Z by Matt.Johnson
  • SystemAdmin
    SystemAdmin
    2808 Posts
    ACCEPTED ANSWER

    Re: Failed Action Command - Executing a Batch File (.BAT)

    ‏2012-05-03T17:00:54Z  in response to Matt.Johnson
    I wonder if it is the missing quotes

    Yours:
    wait "{pathname of system folder & "\cmd.exe"}" /Q /C "{(pathname of client folder of current site) & "\__Download\TurnOnBIT.bat"}

    With extra quote at the end:
    wait "{pathname of system folder & "\cmd.exe"}" /Q /C "{(pathname of client folder of current site) & "\__Download\TurnOnBIT.bat"}"

    Quick glance :)

    Martin Carnegie
    Gulf Breeze Software Partners
    http://www.gulfsoft.com
    • Matt.Johnson
      Matt.Johnson
      83 Posts
      ACCEPTED ANSWER

      Re: Failed Action Command - Executing a Batch File (.BAT)

      ‏2012-05-03T18:08:52Z  in response to SystemAdmin
      Thanks Martin. I'm sorry to say it still shows Syntax Error on that line.
      • SystemAdmin
        SystemAdmin
        2808 Posts
        ACCEPTED ANSWER

        Re: Failed Action Command - Executing a Batch File (.BAT)

        ‏2012-05-04T03:49:29Z  in response to Matt.Johnson
        Hi Matt,

        I assume you are trying to test the action script command in the fixlet debugger. The (pathname of client folder of current site) embedded relevance in your action script cannot be evaluated by the debugger which results in the Syntax error you see. It should work fine when taking actions from the console.
        • Matt.Johnson
          Matt.Johnson
          83 Posts
          ACCEPTED ANSWER

          Re: Failed Action Command - Executing a Batch File (.BAT)

          ‏2012-05-04T13:20:15Z  in response to SystemAdmin
          Thank you Mayank.

          I tried the action and it shows failed. I will try to find the logs of what happend. However any other thoughts are appreciated.
        • Matt.Johnson
          Matt.Johnson
          83 Posts
          ACCEPTED ANSWER

          Re: Failed Action Command - Executing a Batch File (.BAT)

          ‏2012-05-04T13:44:04Z  in response to SystemAdmin
          I attached part of the log for the BES client on the device.(modified the server for security. Any insight on the failure, and how to resolution is greatly appreciated.
          • Matt.Johnson
            Matt.Johnson
            83 Posts
            ACCEPTED ANSWER

            Re: Failed Action Command - Executing a Batch File (.BAT)

            ‏2012-05-04T17:38:03Z  in response to Matt.Johnson
            More information:

            It seems most of the process runs as intended. However, when trying to execute MANAGE-BDE.EXE as system it errors out stating that manage-bde.exe is not a recognized interal or external command...

            It is present in C:\windows\System32\ and I can do it from an admin prompt. Where is the failure.
            • Matt.Johnson
              Matt.Johnson
              83 Posts
              ACCEPTED ANSWER

              Re: Failed Action Command - Executing a Batch File (.BAT)

              ‏2012-05-07T13:40:42Z  in response to Matt.Johnson
              I found a solution in the end.

              If you're using BigFix to execute the batch file, and you are calling on a function in System32 you need to specify the call via the following:

              %windir%\sysnative\APPLICATION

              For example, in my case the solution was to use:

              %windir%\sysnative\Manage-BDE.exe
              • ortalbeny12345654321
                18 Posts
                ACCEPTED ANSWER

                Re: Failed Action Command - Executing a Batch File (.BAT)

                ‏2014-05-28T06:47:31Z  in response to Matt.Johnson

                Hello,

                I'm facing the same problem that you had, and it still didn't work even when i add the via:

                %windir%\system32\net.exe

                With this error:

                cmd file is not recognized as an internal or external command,
                operable program or batch file.
                Return code: 9009

                 

                what you suggest?

                 

                • Matt.Johnson
                  Matt.Johnson
                  83 Posts
                  ACCEPTED ANSWER

                  Re: Failed Action Command - Executing a Batch File (.BAT)

                  ‏2014-05-28T12:24:33Z  in response to ortalbeny12345654321

                  I am not sure which version of Windows you're running, but ensure that the file is in the System32 directory. Error 9009 (according to Microsoft) likely means the executable "net.exe" was not found in the specified location.

                  If you're sure it's there, and accessible from NT AUTHROITY\SYSTEM (or service account you specified for BigFix), I would write the action as a batch file.. I am not sure that pointers such as %windir% will work being executed by the DOS action command In the context of a .BAT file. You may want to try it providing the full path, if your environment is uniform enough to allow it. Here are a few examples

                  Here's  an example I've used in the past:

                  Using the WAIT command to execute a BAT

                  wait C:\APPS\TPM\bigfixstart.bat

                  If this doesn't answer your question, please post with the version of windows you're applying this to, and maybe an overview of what your batch is doing.

                  Hope this helps,

                  Matt  

                   
                • Matt.Johnson
                  Matt.Johnson
                  83 Posts
                  ACCEPTED ANSWER

                  Re: Failed Action Command - Executing a Batch File (.BAT)

                  ‏2014-05-28T12:32:28Z  in response to ortalbeny12345654321

                  2 simple fixes I've also missed when I started authoring BigFix actions were:

                  1. Make sure anything using that may have a space in the name, or is literal in nature, is encapsulated in quotes (If in doubt, quote it out).

                  2. The Fixlet Debugger will run in local mode by default. This means it's executing actions using local credentials (or supplied during the RunAs). If a failure is occurring, try testing with the local BigFix Client by selecting Debug > Evaluate Using > Local Client Evaluator. While this takes a little longer to evaluate, it's running it through the true client on the local device, not just the Debugger application.

                  Matt

                  • ortalbeny12345654321
                    18 Posts
                    ACCEPTED ANSWER

                    Re: Failed Action Command - Executing a Batch File (.BAT)

                    ‏2014-05-28T14:02:04Z  in response to Matt.Johnson

                    Hi Matt,

                    Thanks for your answer.

                    What the command wait will do?

                     

                    We have version win7, winxp, win8

                    The station i'm checking is win7  ( there some stations that works an some don't)

                     

                    On the action i select that the action will run with the current user.

                    I have also added to the task the exe file (net.exe)

                    And then i run the command (in a batch file)

                    I checked that the command is ok, i also run it and it runs ok.

                    i tried to run the batch on the remote computer by runas - and with other user name, and it also works fine.

                     

                    Any suggestions?

                     

                    Thanks,

                    Ortal

                     

                    • Matt.Johnson
                      Matt.Johnson
                      83 Posts
                      ACCEPTED ANSWER

                      Re: Failed Action Command - Executing a Batch File (.BAT)

                      ‏2014-05-28T14:18:14Z  in response to ortalbeny12345654321

                      Hi Ortal,

                      The command wait C:\APPS\TPM\bigfixstart.bat will launch "bigfixstart.bat" from C:\APPS\TPM, and wait for it to close before continuing. It's important to note the WAIT command can be problematic. If a step fails to end WAIT could leave an action hanging.

                      I've used TEM (BigFix) with both Windows 7 and 8. I am curious why you're running as the local user. Do your users have local admin rights on this Windows box?  From what I understand, out of the box TEM will run actions as NT AUTHORITY\SYSTEM which should have local admin rights.

                      I'd suggest trying to run it without selecting Run As Current User, and if using RunAsCurrentUser.exe - exclude it. Remember that when you're issuing remote commands you're logged in as a user that has specific rights. When TEM executes an action it will act as the SYSTEM account which has different rights on the local box.

                      If you like, you can post your action in a reply and I can give more feedback. If you have batch file, paste post that code as well (redacting any confidential information)

                      Trust me, this gets easier as you go. The community in this forum is amazing at helping out.

                       

                      Matt C. Johnson

                      Sr. Technical User Support Analyst | Medtronic, Inc.

                      • ortalbeny12345654321
                        18 Posts
                        ACCEPTED ANSWER

                        Re: Failed Action Command - Executing a Batch File (.BAT)

                        ‏2014-05-28T14:42:12Z  in response to Matt.Johnson

                        Hi,

                        I want to add the users to remote desktop users, everytime they are logged in to the station.

                        that's why the action is runing with current user.

                         

                        thats what i'm runing in the batch:

                        %windir%\System32\net.exe localgroup "Remote Desktop Users" "%userdomain%\%username%" /add

                         

                        it's very strange that in some stations it works fine (the same version)

                        i also checked that the user thats runing the batch have privilage. (works fine in cmd)

                         

                        thanks again :)

                        ortal

                         

                         

                      • ortalbeny12345654321
                        18 Posts
                        ACCEPTED ANSWER

                        Re: Failed Action Command - Executing a Batch File (.BAT)

                        ‏2014-06-10T06:26:10Z  in response to Matt.Johnson

                        Hi,

                        I tried to uninstall and install the client , and when i deploy the task on that station it finally worked!!

                        But unfortunately there are more 500 stations that i need to deploy that task.

                        I tried to use the tool of bigfix "BESClientDeploy" on some station, but it still didn't work.

                        did you find something? do you have any ideas?

                         

                        thanks,

                        Ortal

                        • MattPeterson
                          MattPeterson
                          69 Posts
                          ACCEPTED ANSWER

                          Re: Failed Action Command - Executing a Batch File (.BAT)

                          ‏2014-06-10T20:07:24Z  in response to ortalbeny12345654321

                          If I'm understanding what your looking to accomplish then there is no reason to run as the current user. Running as the current user adds another layer of unnessisary complexity. I would suggest the following:

                          Fixlet Relevance:

                          exist current user and exists member whose (it as string as lowercase contains (name of current user)) of local group "Remote Desktop Users"

                          Action Script:

                          waithidden cmd.exe /c net.exe localgroup "Remote Desktop users"  {(value "LastLoggedOnUser" of (key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of native registry) as string)} /add

                           

                          Another consideration is that net.exe is limited to 20 characters (I believe this includes the domain name), so if you have any long domain\username combos this will fail. So instead I would suggest the following which will create a .vbs file to handle this and get around the 20 character limitation.

                           

                          parameter "User" = "{(value "LastLoggedOnUser" of (key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of native registry) as string)}"
                          createfile until ENDOFSCRIPT
                          Dim localGroupName, ADUserName, strComputer, objLocalGroup, objADUser
                          strComputer = "."

                          '''Parse the command line arguments (if it exists)
                          If Wscript.Arguments.Count < 2 then
                              Err.Raise 1, "Invalid argument", "Missing parameters"
                          Else
                              ADUserName = Wscript.Arguments.Item(0)
                              localGroupName = Wscript.Arguments.Item(1)
                          End If
                          ADUserName = REPLACE(ADUserName, "\", "/")

                          Set objLocalGroup = GetObject("WinNT://" & strComputer & "/" & localGroupName & ",group")
                          Set objUser = GetObject("WinNT://" & ADUserName & ",user")

                          objLocalGroup.Add(objUser.ADsPath)
                          wscript.echo "Successfully added " & ADUserName & " to " & localGroupName
                          ENDOFSCRIPT

                          delete AddUserToLocalGroup.vbs
                          copy __createfile AddUserToLocalGroup.vbs

                          waithidden cscript.exe AddUserToLocalGroup.vbs "{parameter "User"}" "Remote Desktop Users"

                           

                           

                          • ortalbeny12345654321
                            18 Posts
                            ACCEPTED ANSWER

                            Re: Failed Action Command - Executing a Batch File (.BAT)

                            ‏2014-06-11T06:52:07Z  in response to MattPeterson

                            Hi,

                            Thank you for your response.

                            I'm not sure i understand what you wrote.

                            On the Fixlet Relevance: it check if the current user is a member of the local group?

                            On the action Script:is it suppose to be on a batch file? or is it a relevance too? beacause on the cmd it dosen't recognize the commands, and when i try to debug it on the relevance debgger it didn't recongnize the commands too.

                             

                            Is it mean that the net.exe is limited for the all expression domain-name\username?

                             

                            Thanks,

                            Ortal

                             

                             

                            • ortalbeny12345654321
                              18 Posts
                              ACCEPTED ANSWER

                              Re: Failed Action Command - Executing a Batch File (.BAT)

                              ‏2014-06-11T11:56:30Z  in response to ortalbeny12345654321

                              Hi,

                              It now works!!!

                              But now i have another problem, there are users that aren't member of power users or administrators, and they get access denied when i deploy the action.

                              Is there a way to run action in bigfix that will run with another user permissions?

                               

                              Thanks,

                              Ortal



                               

                              • MattPeterson
                                MattPeterson
                                69 Posts
                                ACCEPTED ANSWER

                                Re: Failed Action Command - Executing a Batch File (.BAT)

                                ‏2014-06-11T15:55:07Z  in response to ortalbeny12345654321

                                Ortal,

                                Yes the fixlet relevance I wrote will check for the existance of "current user", and for that user not to already be in the remote desktop users group. meaning someone will need to be logged into the computer, and that user ID is not already in the remote desktop users group for the task to be applicable. This will allow you to target only computers that need action, this also can help you determine how many computers are out of compliance by looking at how many computers are applicable to this task.

                                The action script I included was bigfix action script. It should work using the action tab in the fixlet debugger. I've uploaded the fixlet (using the vbs method) to bigfix.me. You should be able to download this fixlet and use it as is.

                                net.exe is limited to 20 characters http://support.microsoft.com/kb/324639. As I understand if your domain\username string is over 20 characters net.exe will not work.

  • JasonWalker
    JasonWalker
    51 Posts
    ACCEPTED ANSWER

    Re: Failed Action Command - Executing a Batch File (.BAT)

    ‏2014-06-11T21:09:19Z  in response to Matt.Johnson

    Sorry if I'm a bit late to the party, but I didn't see this covered earlier.  There was some confusion over using binaries in \windows\system32.  That's because BigFix is a 32-bit client, so by default its actions use the 32-bit redirection, and it actually sees \windows\syswow64 as its system32 folder.  Similar, Registry calls for HKLM\Software get redirected to HKLM\Software\Wow6432Node.

    You can avoid this in both cases by putting "action uses wow64 redirection false" in your Action Script, anywhere before you make your calls to system32 or HKLM\Software.

    • ortalbeny12345654321
      18 Posts
      ACCEPTED ANSWER

      Re: Failed Action Command - Executing a Batch File (.BAT)

      ‏2014-09-07T09:06:48Z  in response to JasonWalker

      HI Jason,

      i didn't understand, where should i add the  "action uses wow64 redirection false"  ?

      i have a batch that uses the command query.exe, and i get the error :

      '"c:\windows\system32\query.exe"' is not recognized as an internal or external command.

      i also tried to add the command to the same folder of the task, but it didn't work.

       

      if i added what you wrote above it should fix it? please write where should i write it in the action.

       

      Thanks,

      Ortal

      • ortalbeny12345654321
        18 Posts
        ACCEPTED ANSWER

        Re: Failed Action Command - Executing a Batch File (.BAT)

        ‏2014-09-07T12:40:35Z  in response to ortalbeny12345654321

        HI,

        I've also checked that it happend only on 64bit on win8!

        Updated on 2014-09-07T12:41:11Z at 2014-09-07T12:41:11Z by ortalbeny12345654321
      • JasonWalker
        JasonWalker
        51 Posts
        ACCEPTED ANSWER

        Re: Failed Action Command - Executing a Batch File (.BAT)

        ‏2014-09-13T04:23:52Z  in response to ortalbeny12345654321

        You'd put "action uses wow64 redirection false" anywhere before your call to "wait" or "waithidden" to use the real \windows\system32 directories.  I usually put it as the first line of my action script.

        //actionscript here

        action uses wow64 redirection false

        //with wow64 redirection disabled, this runs the native (i.e. x64) version of query.exe

        waithidden "{pathname of system folder}\query.exe"  (parameters for what you want it to do)

        // and this runs the 64-bit version of cscript to execute vbscript:

        waithidden "{pathname of system folder}\cscript.exe" "__Download\myscript.vbs"

         

         

  • JasonWalker
    JasonWalker
    51 Posts
    ACCEPTED ANSWER

    Re: Failed Action Command - Executing a Batch File (.BAT)

    ‏2014-06-11T21:10:24Z  in response to Matt.Johnson

    Oh, and if you don't set "action uses wow64 redirection false", the cmd.exe that you spawn will be the 32-bit redirected \windows\syswow64\cmd.exe as well. 

    • ortalbeny12345654321
      18 Posts
      ACCEPTED ANSWER

      Re: Failed Action Command - Executing a Batch File (.BAT)

      ‏2014-06-12T06:20:59Z  in response to JasonWalker

      Hi,

      Thank you for your reply.

      Is there a way to run action in bigfix that will run with another user permissions?

      Beacuse now it works, but for users that are not member of administrators get access denied.

       

      Thanks,

      Ortal