From 76c58b27d91bc54cd2175299ccb3bfd03ff6a0e5 Mon Sep 17 00:00:00 2001 From: silversword411 Date: Fri, 14 Jun 2024 15:00:23 -0400 Subject: [PATCH 1/4] Updating RunAsUser template --- scripts/Win_RunAsUser_Example.ps1 | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/scripts/Win_RunAsUser_Example.ps1 b/scripts/Win_RunAsUser_Example.ps1 index 5bbc6dd..c1d95c6 100644 --- a/scripts/Win_RunAsUser_Example.ps1 +++ b/scripts/Win_RunAsUser_Example.ps1 @@ -8,11 +8,12 @@ .NOTES Change Log V1.0 6/25/2022 Initial release by silversword411 + v1.1 6/14/2024 silversword411 Adding -CaptureOutput #> # Make sure RunAsUser is installed if (Get-Module -ListAvailable -Name RunAsUser) { - # Write-Output "RunAsUser Already Installed" + Write-Output "RunAsUser Already Installed" } else { Write-Output "Installing RunAsUser" 
@@ -27,28 +28,21 @@ If (!(Test-Path "c:\ProgramData\TacticalRMM\temp\")) { Write-Output "Hello from Systemland" -Invoke-AsCurrentUser -ScriptBlock { +Invoke-AsCurrentUser -CaptureOutput -ScriptBlock { # Put all Userland code here - $raulogPath = "c:\ProgramData\TacticalRMM\temp\raulog.txt" $exit1Path = "c:\ProgramData\TacticalRMM\temp\exit1.txt" - Write-Output "Hello from Userland" | Out-File -append -FilePath $raulogPath + Write-Output "Hello from Userland" If (test-path "c:\temp\") { - Write-Output "Test for c:\temp\ folder passed which is Exit 0" | Out-File -append -FilePath $raulogPath + Write-Output "Test for c:\temp\ folder passed which is Exit 0" } else { - Write-Output "Test for c:\temp\ folder failed which is Exit 1" | Out-File -append -FilePath $raulogPath + Write-Output "Test for c:\temp\ folder failed which is Exit 1" # Writing exit1.txt for Userland Exit 1 passing to Systemland for returning to Tactical Write-Output "Exit 1" | Out-File -append -FilePath $exit1Path } } -# Get userland return info for Tactical Script History -$exitdata = Get-Content -Path "c:\ProgramData\TacticalRMM\temp\raulog.txt" -ErrorAction SilentlyContinue -Write-Output $exitdata -# Cleanup raulog.txt File -Remove-Item -Path "c:\ProgramData\TacticalRMM\temp\raulog.txt" -ErrorAction SilentlyContinue - # Checking for Userland Exit 1 If (Test-Path -Path "c:\ProgramData\TacticalRMM\temp\exit1.txt" -PathType Leaf) { Write-Output 'Return Exit 1 to Tactical from Userland' From 40ac6642e238d4012d3e9fdaa02bc5e13942d48c Mon Sep 17 00:00:00 2001 From: silversword411 Date: Fri, 14 Jun 2024 15:02:03 -0400 Subject: [PATCH 2/4] Rename MDM for keyword searching --- scripts_wip/{Win_WipeviaMDM.ps1 => Win_ResetviaMDM.ps1} | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) rename scripts_wip/{Win_WipeviaMDM.ps1 => Win_ResetviaMDM.ps1} (85%) 
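Review bot: The userland exit status still travels through the marker file `c:\ProgramData\TacticalRMM\temp\exit1.txt`, which the script block appends to as the logged-on user. That directory therefore presumably has to be user-writable, and a file left over from an earlier run, or created by any other process in the user's session, would make the SYSTEM side report Exit 1. Nothing in this hunk clears the marker before `Invoke-AsCurrentUser` runs, and the `If (Test-Path ...)` block continues outside the hunk, so a cleanup there cannot be confirmed from here. I would add `Remove-Item -Path "c:\ProgramData\TacticalRMM\temp\exit1.txt" -ErrorAction SilentlyContinue` just before the `Invoke-AsCurrentUser` call, plus a comment stating that the file is only a presence flag whose content is never read or trusted.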
diff --git a/scripts_wip/Win_WipeviaMDM.ps1 b/scripts_wip/Win_ResetviaMDM.ps1 similarity index 85% rename from scripts_wip/Win_WipeviaMDM.ps1 rename to scripts_wip/Win_ResetviaMDM.ps1 index 0f33953..33c0990 100644 --- a/scripts_wip/Win_WipeviaMDM.ps1 +++ b/scripts_wip/Win_ResetviaMDM.ps1 @@ -1,4 +1,4 @@ -#Uses MDM features of windows to perform a Windows Reset clearing all data +# Uses MDM features of windows to perform a Windows Reset clearing all data $namespaceName = "root\cimv2\mdm\dmmap" $className = "MDM_RemoteWipe" @@ -10,12 +10,10 @@ $params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersColl $param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create("param", "", "String", "In") $params.Add($param) -try -{ +try { $instance = Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'" $session.InvokeMethod($namespaceName, $instance, $methodName, $params) } -catch [Exception] -{ +catch [Exception] { write-host $_ | out-string } \ No newline at end of file From c6a8e1be08a3fde1d6b3ba56914e7081aacd7d2e Mon Sep 17 00:00:00 2001 From: silversword411 Date: Thu, 20 Jun 2024 16:25:37 -0400 Subject: [PATCH 3/4] WIP: Adding urbackup scripts --- scripts_wip/Win_3rdparty_Urbackup_Monitor.ps1 | 110 ++++++++++++++++++ .../Win_3rdparty_Urbackup_Uninstall.bat | 1 + 2 files changed, 111 insertions(+) create mode 100644 scripts_wip/Win_3rdparty_Urbackup_Monitor.ps1 create mode 100644 scripts_wip/Win_3rdparty_Urbackup_Uninstall.bat diff --git a/scripts_wip/Win_3rdparty_Urbackup_Monitor.ps1 b/scripts_wip/Win_3rdparty_Urbackup_Monitor.ps1 new file mode 100644 index 0000000..fee729b --- /dev/null +++ b/scripts_wip/Win_3rdparty_Urbackup_Monitor.ps1 
@@ -0,0 +1,110 @@ +<# +.SYNOPSIS + Script to check the status of Urbackup file backup and log events. + +.DESCRIPTION + This script checks the status of Urbackup file backup and logs events in the Windows Event Log. It performs the following steps: + - Checks if the UrbackupCheck parameter is enabled. If enabled, the script exits. + - Checks if the UrBackup client is installed. If not installed, the script exits. + - Checks if the Urbackup postfile exists. If not, it creates the file. + - Checks if the "Write event to Event Log" line already exists in the file. If not, it adds the line. + - Retrieves Urbackup events from the Application event log that match a specific description. + - Determines the days elapsed since the latest event and compares it with the NumberOfDaysBeforeError parameter. + - Displays the relevant event log information if the event is found and within the specified number of days. + - Exits with a status code of 1 if the event is older than the specified number of days. + +.PARAMETER UrbackupCheck + Specifies whether Urbackup check is enabled or disabled. Use Custom Fields to enable or disable as needed + +.PARAMETER NumberOfDaysBeforeError + Specifies the number of days before considering an event as an error. + +.EXAMPLE + -UrbackupCheck {{agent.UrbackupDisableCheck}} -NumberOfDaysBeforeError 30 + +.NOTES + Version: 1.5 6/20/2024 silversword411 +#> + +param ( + [Int]$UrbackupCheck, + [Int]$NumberOfDaysBeforeError +) + + + +#Write-Output "NumberOfDaysBeforeError: $NumberOfDaysBeforeError" + +# See if Custom Field has disabled VeeamCheck +#Write-Output "VeeamCheck: $VeeamCheck" +if ($UrbackupCheck) { + Write-Output "Urbackup check disabled." + Exit 0 +} + +# Stop if Urbackup is not installed +$clientExecutable = 'C:\Program Files\UrBackup\UrBackupClient.exe' +if (-not (Test-Path -Path $clientExecutable)) { + Write-Output "UrBackup client is not installed. 
Quitting" + exit 0 +} + +function UpdateUrbackupPostFile { + $file = 'C:\Program Files\UrBackup\postfilebackup.bat' + $lineToAdd = 'EVENTCREATE /T SUCCESS /L APPLICATION /SO URBACKUP /ID 100 /D "File backup succeeded."' + + # Check if the Urbackup postfile exists + if (-not (Test-Path -Path $file)) { + # Create the file if it doesn't exist + New-Item -Path $file -ItemType File | Out-Null + Write-Output "Post backup .bat file has been created." + } + + # Check if the line already exists in the file + $lineExists = Get-Content -Path $file | Select-String -Pattern $lineToAdd + + if ($lineExists) { + Write-Output "Write event to Event Log already exists in the file." + } + else { + # Add the line to the file + Add-Content -Path $file -Value $lineToAdd + Write-Output "Write event to Event Log line has been added to the file." + } +} + +UpdateUrbackupPostFile + +######################################################################### +Write-Output "------------ CHECK FOR LOG ------------" +$source = "URBACKUP" +$logName = "Application" +$eventID = 100 +$description = "File backup succeeded." + +$UrbackupEvents = Get-WinEvent -FilterHashtable @{ + LogName = $logName + ProviderName = $source + ID = $eventID +} | Where-Object { $_.Message -like "*$description*" } | Sort-Object TimeCreated -Descending + +if ($UrbackupEvents -ne $null) { + $latestEvent = $UrbackupEvents[0] + $daysSinceEvent = (Get-Date) - $latestEvent.TimeCreated + if ($daysSinceEvent.Days -gt $NumberOfDaysBeforeError) { + Write-Output "WARNING: The last event is older than $NumberOfDaysBeforeError days." + Write-Output "Last Backup: $($latestEvent.TimeCreated)" + exit 1 + } + else { + Write-Output "ALL GOOD: The last event is newer than $NumberOfDaysBeforeError days." 
+ #Write-Output "Event Log found:" + #Write-Output "Source: $($latestEvent.ProviderName)" + #Write-Output "Event ID: $($latestEvent.Id)" + #Write-Output "Message: $($latestEvent.Message)" + Write-Output "Last Backup: $($latestEvent.TimeCreated)" + } +} +else { + Write-Output "Event Log not found." +} \ No newline at end of file diff --git a/scripts_wip/Win_3rdparty_Urbackup_Uninstall.bat b/scripts_wip/Win_3rdparty_Urbackup_Uninstall.bat new file mode 100644 index 0000000..3dac42a --- /dev/null +++ b/scripts_wip/Win_3rdparty_Urbackup_Uninstall.bat @@ -0,0 +1 @@ +"C:\Program Files\UrBackup\Uninstall.exe" /S \ No newline at end of file From b81e7509ee6dddc2f25a28f2cd1ef93d9003aa95 Mon Sep 17 00:00:00 2001 From: silversword411 Date: Wed, 17 Jul 2024 07:02:39 -0400 Subject: [PATCH 4/4] chore: Refactor Win_RunAsUser_Example.ps1 to simplify CaptureOutput --- scripts/Win_RunAsUser_Example.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/Win_RunAsUser_Example.ps1 b/scripts/Win_RunAsUser_Example.ps1 index c1d95c6..1daea9b 100644 --- a/scripts/Win_RunAsUser_Example.ps1 +++ b/scripts/Win_RunAsUser_Example.ps1 @@ -28,7 +28,7 @@ If (!(Test-Path "c:\ProgramData\TacticalRMM\temp\")) { Write-Output "Hello from Systemland" -Invoke-AsCurrentUser -CaptureOutput -ScriptBlock { +Invoke-AsCurrentUser -ScriptBlock { # Put all Userland code here $exit1Path = "c:\ProgramData\TacticalRMM\temp\exit1.txt" @@ -41,7 +41,7 @@ Invoke-AsCurrentUser -CaptureOutput -ScriptBlock { # Writing exit1.txt for Userland Exit 1 passing to Systemland for returning to Tactical Write-Output "Exit 1" | Out-File -append -FilePath $exit1Path } -} +} -CaptureOutput # Checking for Userland Exit 1 If (Test-Path -Path "c:\ProgramData\TacticalRMM\temp\exit1.txt" -PathType Leaf) {
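Review bot: The monitor fails open when no matching event exists: the final `else` branch prints "Event Log not found." and falls through with exit code 0, so a machine whose backup has never succeeded, or whose post-backup hook never ran, is reported healthy. `Get-WinEvent -FilterHashtable` also writes an error when nothing matches, so I would add `-ErrorAction SilentlyContinue` to that call and end the `else` branch with `exit 1`; if exit 0 is intended for the first run, a comment should say so. Smaller points in the same file: `Select-String -Pattern $lineToAdd` treats the line as a regex and should use `-SimpleMatch`, and `$UrbackupEvents -ne $null` is better written `$null -ne $UrbackupEvents`. The `VeeamCheck` comments are left over from another script, and `-UrbackupCheck` skips the check when non-zero, which the `.PARAMETER` text should state.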