Blogs

How to create a K1000 notification to monitor the status of your Windows services

If you are concerned that some of the Windows services that should normally run on all your computers are not running, and you want to keep an eye on these kinds of situations, you can use the following custom K1000 Notification to monitor them.

In the current version of the K1000 it is not possible to create this kind of notification using the wizard, so we need to use custom SQL to achieve what we need.
A bit of background before getting our hands on the SQL code.
The following SQL uses several different tables; the most important ones to consider are:

MACHINE               contains all the machines that are in our inventory
NTSERVICE             contains information about the services discovered on the machines: their name, version, status and other details.
                      The most important fields in this table are:
    NAME              the (real) name of the service
    STARTUP_TYPE      the service startup type (automatic, manual or disabled). The most common values are:
                          SERVICE_AUTO_START
                          SERVICE_DEMAND_START
                          SERVICE_DISABLED
    STATUS            the current status of the service. The most common values are:
                          SERVICE_RUNNING
                          SERVICE_STOPPED
MACHINE_NTSERVICE_JT  the join table that links the MACHINE table with the NTSERVICE table

In the following example we want to monitor the status of the DHCP Server (DHCPServer) and DNS (DNS) services and send an email notification to the administrator when one of these two services is stopped.
First of all we need to create our notification using the wizard:
  1. Under Reporting click on Notifications
  2. Click on Choose Action -> New -> Device Notification
  3. Enter the title, the recipients (at least one) and the frequency, and press Create
  4. Click on the name of the notification that you just created and, as editor option, select "To edit the Notification using this editor, Click Here"
  5. Remove all the SQL code and replace it with the following:

-- One row per machine on which a monitored service is reported as stopped.
-- MACHINE.ID AS TOPIC_ID identifies the device for the notification.
SELECT MACHINE.NAME AS SYSTEM_NAME,
       MACHINE.SYSTEM_DESCRIPTION,
       MACHINE.IP,
       MACHINE.MAC,
       MACHINE.ID AS TOPIC_ID
  FROM MACHINE
       JOIN MACHINE_NTSERVICE_JT
          ON MACHINE.ID = MACHINE_NTSERVICE_JT.MACHINE_ID
       JOIN NTSERVICE
          ON MACHINE_NTSERVICE_JT.NTSERVICE_ID = NTSERVICE.ID
 WHERE NTSERVICE.STATUS = 'SERVICE_STOPPED'
   AND NTSERVICE.NAME IN ('DHCPServer', 'DNS')


By changing the WHERE clause, for instance adding other service names to the IN list, you can keep an eye on different situations.
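As an added example (not code from the post or from KACE), the following Python script builds a small in-memory SQLite model of the three tables described above, loads constructed rows, runs the post's query (with the ORG1. prefixes dropped and an ORDER BY added) and then a second variant that also checks STARTUP_TYPE, so that a service deliberately set to disabled does not trigger the alert. Table and column names are the ones the post names; the rest of the real K1000 schema is not modelled, and MySQL compares strings case-insensitively where SQLite does not, so this is a dry run of the query's logic, not a substitute for testing on the appliance.

```python
"""Dry run of the K1000 service-status notification SQL on a local model.

Added example, not code from the blog post or from KACE. Column names are the
ones the post names; everything else about the real schema is not modelled.
"""
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE MACHINE (
    ID INTEGER PRIMARY KEY, NAME TEXT, SYSTEM_DESCRIPTION TEXT, IP TEXT, MAC TEXT);
CREATE TABLE NTSERVICE (
    ID INTEGER PRIMARY KEY, NAME TEXT, STARTUP_TYPE TEXT, STATUS TEXT);
CREATE TABLE MACHINE_NTSERVICE_JT (MACHINE_ID INTEGER, NTSERVICE_ID INTEGER);
"""

# Constructed inventory: two domain controllers and one workstation.
MACHINES = [
    (1, "DC01", "Domain controller", "10.0.0.11", "00:11:22:33:44:01"),
    (2, "DC02", "Domain controller", "10.0.0.12", "00:11:22:33:44:02"),
    (3, "WS01", "Workstation", "10.0.1.50", "00:11:22:33:44:50"),
]
# One NTSERVICE row per (machine, service) pair, linked through the JT table.
SERVICES = [
    # id, real service name, STARTUP_TYPE, STATUS
    (1, "DHCPServer", "SERVICE_AUTO_START", "SERVICE_RUNNING"),
    (2, "DNS", "SERVICE_AUTO_START", "SERVICE_STOPPED"),        # DC01: a real outage
    (3, "DHCPServer", "SERVICE_DISABLED", "SERVICE_STOPPED"),   # DC02: disabled on purpose
    (4, "DNS", "SERVICE_AUTO_START", "SERVICE_RUNNING"),
    (5, "Spooler", "SERVICE_AUTO_START", "SERVICE_STOPPED"),    # WS01: not in the IN list
]
LINKS = [(1, 1), (1, 2), (2, 3), (2, 4), (3, 5)]

# The post's notification query, ORG1. prefixes dropped, ORDER BY added.
POST_QUERY = """
SELECT MACHINE.NAME AS SYSTEM_NAME, SYSTEM_DESCRIPTION, MACHINE.IP, MACHINE.MAC,
       MACHINE.ID AS TOPIC_ID
  FROM MACHINE
       LEFT JOIN MACHINE_NTSERVICE_JT ON MACHINE.ID = MACHINE_NTSERVICE_JT.MACHINE_ID
       LEFT JOIN NTSERVICE ON MACHINE_NTSERVICE_JT.NTSERVICE_ID = NTSERVICE.ID
 WHERE NTSERVICE.STATUS = 'SERVICE_STOPPED'
   AND NTSERVICE.NAME IN ('DHCPServer', 'DNS')
 ORDER BY MACHINE.NAME
"""

# Generalisation: any service that should start automatically but is not
# running, on any machine. STARTUP_TYPE keeps deliberately disabled services out,
# and the service name is returned so the notification text can name it.
AUTO_START_QUERY = """
SELECT MACHINE.NAME AS SYSTEM_NAME, NTSERVICE.NAME AS SERVICE_NAME,
       NTSERVICE.STATUS, MACHINE.ID AS TOPIC_ID
  FROM MACHINE
       JOIN MACHINE_NTSERVICE_JT ON MACHINE.ID = MACHINE_NTSERVICE_JT.MACHINE_ID
       JOIN NTSERVICE ON MACHINE_NTSERVICE_JT.NTSERVICE_ID = NTSERVICE.ID
 WHERE NTSERVICE.STARTUP_TYPE = 'SERVICE_AUTO_START'
   AND NTSERVICE.STATUS <> 'SERVICE_RUNNING'
 ORDER BY MACHINE.NAME, NTSERVICE.NAME
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory model and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO MACHINE VALUES (?, ?, ?, ?, ?)", MACHINES)
    conn.executemany("INSERT INTO NTSERVICE VALUES (?, ?, ?, ?)", SERVICES)
    conn.executemany("INSERT INTO MACHINE_NTSERVICE_JT VALUES (?, ?)", LINKS)
    conn.commit()
    return conn


def stopped_monitored_services(conn: sqlite3.Connection) -> List[Tuple]:
    """Rows the post's notification would send (one per matching machine)."""
    return conn.execute(POST_QUERY).fetchall()


def stopped_auto_start_services(conn: sqlite3.Connection) -> List[Tuple]:
    """Rows of the STARTUP_TYPE-aware variant (one per machine/service pair)."""
    return conn.execute(AUTO_START_QUERY).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("post's query:      ", stopped_monitored_services(db))
    print("auto-start variant:", stopped_auto_start_services(db))
```

Run as-is, the post's query returns DC02 as well as DC01, although DC02's DHCPServer is stopped because it is disabled on purpose; the STARTUP_TYPE variant reports DC01's DNS and WS01's Spooler instead, and names the service in each row.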

Some important points to remember:

  1. It is recommended that you test your SQL code before using it in a notification or in a report: you can easily connect to the internal database of the K1000 using TOAD for MySQL or the native MySQL tools.
  2. Remember that the data is collected through the Inventory and so it is not real time: by default each machine sends its inventory every 2 hours, so do not exaggerate with the frequency of the notification.
  3. The field NAME of the table NTSERVICE contains the real name of the service, not the descriptive one. To find out the real name of a service, open the services.msc snap-in and double-click on the service:
    the real name of the service is the one shown in the General tab as "Service name".


Why do you have to type in your PIN after rebooting your phone or after a certain amount of time?

iPhone 5s/6/6 Plus users (and the newer breed of iPad users, too), have you ever wondered why you need to enter your PIN after rebooting your device, and why Touch ID won't just work?

Here's the answer from the Apple Support blog itself.

"Touch ID doesn’t store any images of your fingerprint. It stores only a mathematical representation of your fingerprint. It isn’t possible for your actual fingerprint image to be reverse-engineered from this mathematical representation. iPhone 5s also includes a new advanced security architecture called the Secure Enclave within the A7 chip, which was developed to protect passcode and fingerprint data. Fingerprint data is encrypted and protected with a key available only to the Secure Enclave. Fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. The Secure Enclave is walled off from the rest of A7 and the rest of iOS. Therefore, your fingerprint data is never accessed by iOS or other apps, never stored on Apple servers, and never backed up to iCloud or anywhere else. Only Touch ID uses it, and it can’t be used to match against other fingerprint databases."

Understanding Pipe commands to enhance your scripts

Since the Kace 1000 scripts and CIRs can call the command interpreter, you can use pipe commands (&, &&, >, >>) to chain code together for better flow.

Examples of pipes I use within the K1000:

In CIRs

ShellCommandTextReturn(cmd /c cscript /b c:\programdata\dell\kace\user\fadmins.vbs & type c:\programdata\dell\kace\user\filteredadmins.txt )

In Kscripts and batch commands

reg.exe query hkcu\software\microsoft\windows\currentversion\run /s > C:\ProgramData\Dell\KACE\user\hkcuRunKeys.txt && if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe query hkcu\software\wow6432node\microsoft\windows\currentversion\run /s >> C:\ProgramData\Dell\KACE\user\hkcuRunKeys.txt

for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"ECHO is" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"Public" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM  ::THIS SECTION BUILDS THE FILTERS TO REMOVE SOFTWARE THAT IS DEEMED OK BY IT::
REM ::this line removes Windows sidebar from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"Sidebar" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q

 

Using the K1000 to help manage your PUPs. Presented at Dell World User Forum 2014 - lessons from the field

Use the K1000 to help control your potentially unwanted programs (malware, adware, user-installed software).

Use CIRs to gather information from the common areas where PUPs like to hide.

The information gathered by the first 2 CIRs requires the query to run as the currently logged-in user. CIRs run as SYSTEM, so that makes it difficult to create a workable CIR script. I settled on using a Kscript that runs as the currently logged-in user (I piggybacked a couple of extra commands onto the script to read the user's network drives and printers); see http://www.itninja.com/blog/view/create-cirs-to-show-current-users-mapped-drives-and-networled-printers-presented-at-dell-world-user-forum-2014-lessions-from-the-field.

Here is the user info gatherer Kscript. I run it using a custom cron schedule 0 10,12,14,16 * * 1,2,3,4,5, which runs it every couple of hours during the work day, Monday through Friday only.


Invisible.vbs
CreateObject("Wscript.Shell").Run "run.bat",0,True
run.bat
reg.exe query hkcu\software\microsoft\windows\currentversion\run /s > C:\ProgramData\Dell\KACE\user\hkcuRunKeys.txt && if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe query hkcu\software\wow6432node\microsoft\windows\currentversion\run /s >> C:\ProgramData\Dell\KACE\user\hkcuRunKeys.txt

reg.exe query hkcu\software\microsoft\windows\currentversion\uninstall /s /f DisplayName > C:\ProgramData\Dell\KACE\user\hkcuSoftware.txt && if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe query hkcu\software\wow6432node\microsoft\windows\currentversion\uninstall /s /f DisplayName >> C:\ProgramData\Dell\KACE\user\hkcuSoftware.txt

wmic logicaldisk where "drivetype='4'" get deviceid,providername > C:\ProgramData\Dell\KACE\user\NetworkDrives.txt

wmic printer where 'network="true"' get name, default, network > C:\ProgramData\Dell\KACE\user\NetworkPrinters.txt

exit


CIRs:

CIR - HKCU run keys

ShellCommandTextReturn(cmd /c type C:\ProgramData\Dell\KACE\user\hkcurunkeys.txt)

CIR - User Installed software
ShellCommandTextReturn(cmd /c type C:\ProgramData\Dell\KACE\user\hkcuSoftware.txt)

Other CIRs that can run as system

CIR - Running Processes from appdata
ShellCommandTextReturn(cmd /c c:\windows\system32\wbem\WMIC.exe PROCESS where (executablepath like "%%AppDat%%") get executablepath)

CIR - Running Processes from downloads
ShellCommandTextReturn(cmd /c c:\windows\system32\wbem\WMIC.exe PROCESS where (executablepath like "%%downloads%%") get executablepath)

CIR - HKLM run keys
ShellCommandTextReturn(cmd /c reg.exe query hklm\software\microsoft\windows\currentversion\run)

CIR - List jobs in task scheduler
ShellCommandTextReturn(dir c:\windows\tasks\*.job /b)

CIR - Software running from startup
ShellCommandTextReturn(cmd /c cscript /b c:\programdata\dell\kace\user\fsoftware.vbs&type c:\programdata\dell\kace\user\allsw.txt )
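The CIRs above store the raw reg.exe query output on the K1000. As an added example (not code from the post), the Python script below parses such a capture and applies the same idea as the "Running Processes from appdata/downloads" CIRs to the run keys: an autostart whose executable sits under AppData, Downloads or Temp is flagged for review. The reg output is constructed, the USER_WRITABLE markers and the .exe heuristic are assumptions of this example, and the optional allowlist of value names plays the same role as the filter lines in the batch files further down, because legitimate software (OneDrive in the sample) also runs from AppData.

```python
"""Flag Run-key entries whose executable lives in a user-writable path.

Added example, not code from the blog post. Parses `reg.exe query ... /s`
output as captured by the CIRs and marks autostarts launched from AppData,
Downloads or Temp. The sample output and the markers are constructed/assumed.
"""
import re
from typing import Dict, Iterable, List

# Constructed `reg.exe query hkcu\...\run /s` output. reg.exe prints the key
# path unindented, then each value indented by four spaces with the name,
# type and data separated by four spaces.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SearchProtect    REG_SZ    C:\Users\alice\AppData\Roaming\SearchProtect\bin\cltmng.exe
    Lync    REG_SZ    "C:\Program Files\Microsoft Office\Office15\lync.exe" /fromrunkey
    Updater    REG_EXPAND_SZ    %TEMP%\updater.exe -silent
    DriverUpdate    REG_SZ    C:\Users\alice\Downloads\DriverUpdate\DriverUpdate.exe
"""

VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")

# Path fragments (compared case-insensitively) that an ordinary user can write
# to; an autostart living there deserves a look. Assumed list for this example.
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\",
                 "%temp%", "%appdata%", "%localappdata%")


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Turn reg.exe query output into one dict per value, tagged with its key."""
    entries, key = [], ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()  # key path lines are not indented
            continue
        m = VALUE_LINE.match(line)
        if m:
            name, vtype, data = m.groups()
            entries.append({"key": key, "name": name, "type": vtype, "data": data})
    return entries


def executable_of(data: str) -> str:
    """Heuristic: the launched binary is everything up to the first '.exe'.

    Copes with quoted paths containing spaces and with trailing arguments;
    falls back to the first whitespace-separated token if there is no .exe.
    """
    m = re.search(r'^"?(.*?\.exe)', data, re.IGNORECASE)
    return m.group(1) if m else (data.split() or [""])[0]


def suspect_run_entries(text: str, allowlist: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Entries whose executable path lies in a user-writable location.

    allowlist holds value names IT has already reviewed; the comparison is
    exact and case-insensitive, unlike the prefix match of findstr /b.
    """
    ok = {n.lower() for n in allowlist}
    flagged = []
    for e in parse_reg_query(text):
        if e["name"].lower() in ok:
            continue
        exe = executable_of(e["data"])
        if any(marker in exe.lower() for marker in USER_WRITABLE):
            flagged.append({**e, "exe": exe})
    return flagged


if __name__ == "__main__":
    for entry in suspect_run_entries(SAMPLE_REG_QUERY, allowlist=["OneDrive"]):
        print(f'{entry["name"]:<16} {entry["exe"]}')
```

Without an allowlist the sample yields four hits, OneDrive among them; with "OneDrive" allowlisted, only SearchProtect, the %TEMP% updater and the Downloads entry remain, which is the short list worth putting in a report.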

Use file sync to load the needed files for this CIR; this allows you to update and resync the batch file when needed. I rewrote this one to make it more tech-friendly by allowing you to document, in the batch file, what each filter actually applies to.
Create the VBS and batch file, zip the files, and add the zip as a dependency to the CIR.

fsoftware.vbs
CreateObject("Wscript.Shell").Run "C:\ProgramData\Dell\KACE\user\filteredsoftware.bat",0,True
filteredsoftware.bat
for /f "tokens=* skip=1" %%g in ('WMIC.exe startup list brief') do echo %%g >> c:\programdata\dell\kace\user\tempsw.txt
for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"ECHO is" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"Public" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::THIS SECTION BUILDS THE FILTERS TO REMOVE SOFTWARE THAT IS DEEMED OK BY IT::
REM ::this line removes Windows sidebar from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"Sidebar" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes Intels privacy icon from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"picon" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes Realtek audio from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"RtHDVCpl" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes Itunes helper from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"iTunesHelper" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes Citrix receiver from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"Citrix Receiver" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes Tight VNC from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"tvncontrol" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes Intel Rapid store tech from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"IAStorIcon" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes Apple Application Support from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"APSDaemon" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
REM ::this line removes K2000 taskengine from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"KACETaskEngine" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q
As you see more OK software in the report, just add another filter line at the bottom of the batch file so it is filtered too, for example:
REM ::this line removes MS Office 14 sync from the list::
rename c:\programdata\dell\kace\user\allsw.txt tempsw.txt & for %%g in (c:\programdata\dell\kace\user\tempsw.txt) do (findstr /v /b /c:"BCSSync" %%g > c:\programdata\dell\kace\user\allsw.txt) & del c:\programdata\dell\kace\user\tempsw.txt /q

The key part of each line to change is what comes after /c:" - that is the text that tells the for-do loop which lines to filter out (findstr /v /b drops every line that begins with it).
To figure out what text to use there, look at the report you are going to create later: the items underlined in red in its screenshot are the names you need.
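The following Python script is an added example, not code from this post or from the "Understanding Pipe commands" post above. It does in one pass what the chain of rename/for/findstr/del lines in filteredsoftware.bat (and the shorter chain shown in the pipe-commands post) does, with the allowlist kept as one table of (caption prefix, reason) instead of one line per entry. The wmic output it parses is constructed, as are the column widths used to lay it out, and the exact-match mode is this example's addition: findstr /v /b matches only the start of the line, so any caption that merely begins with an allowlisted name is silently dropped as well.

```python
"""Filter a captured `wmic startup list brief` listing against an allowlist.

Added example, not code from either blog post. The allowlist entries are the
ones from filteredsoftware.bat; the wmic output is constructed.
"""
import re
from typing import Dict, List, Tuple

# Mirrors the REM-commented findstr lines: (Caption prefix, why it is OK).
ALLOWLIST: List[Tuple[str, str]] = [
    ("Sidebar", "Windows sidebar"),
    ("picon", "Intel privacy icon"),
    ("RtHDVCpl", "Realtek audio"),
    ("iTunesHelper", "iTunes helper"),
    ("Citrix Receiver", "Citrix Receiver"),
    ("tvncontrol", "TightVNC"),
    ("IAStorIcon", "Intel Rapid Storage Technology"),
    ("APSDaemon", "Apple Application Support"),
    ("KACETaskEngine", "K2000 task engine"),
    ("BCSSync", "MS Office 14 sync"),
]

# Lines the batch file discards before filtering: "ECHO is off." is what
# `echo %%g` prints when it hits the CR CR LF line endings wmic emits, and
# "Public" is the other prefix the batch file drops.
DISCARD_PREFIXES = ("ECHO is", "Public")


def _row(caption: str, command: str, location: str, user: str) -> str:
    """Lay a record out in fixed-width columns like wmic (widths constructed)."""
    return f"{caption:<18}{command:<64}{location:<72}{user}"


# Constructed sample of `wmic startup list brief` output, with one
# "ECHO is off." artefact and one constructed caption ("SidebarUpdate") that
# merely starts with an allowlisted prefix.
_RUN = r"HKU\S-1-5-21-EXAMPLE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_WMIC_OUTPUT = "\n".join([
    _row("Caption", "Command", "Location", "User"),
    _row("Sidebar", r"C:\Program Files\Windows Sidebar\Sidebar.exe /autoRun", _RUN, r"CORP\alice"),
    "ECHO is off.",
    _row("iTunesHelper", r'"C:\Program Files\iTunes\iTunesHelper.exe"',
         r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Public"),
    _row("SearchProtect", r"C:\Users\alice\AppData\Roaming\SearchProtect\bin\cltmng.exe", _RUN, r"CORP\alice"),
    _row("SidebarUpdate", r"C:\Users\alice\AppData\Local\Temp\sbupd.exe", _RUN, r"CORP\alice"),
])


def parse_wmic_brief(text: str) -> List[Dict[str, str]]:
    """Split wmic's fixed-width table into dicts keyed by the header names.

    Column boundaries come from where each header word starts, because the
    Command column itself contains spaces and cannot be split on whitespace.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    lines = [ln for ln in lines if not ln.startswith(DISCARD_PREFIXES)]
    if not lines:
        return []
    header, records = lines[0], lines[1:]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in bounds]
    return [{n: rec[s:e].strip() for n, (s, e) in zip(names, bounds)} for rec in records]


def flag_startup_items(text: str, exact: bool = False) -> List[Dict[str, str]]:
    """Return the startup entries that are not on the allowlist.

    exact=False reproduces `findstr /v /b /c:"prefix"`: a case-sensitive match
    on the start of the line, so a caption that merely begins with an
    allowlisted name is dropped too. exact=True requires the whole caption to
    match, the stricter check to prefer for a report.
    """
    def allowed(caption: str) -> bool:
        return any(caption == p if exact else caption.startswith(p) for p, _ in ALLOWLIST)

    return [e for e in parse_wmic_brief(text) if not allowed(e["Caption"])]


if __name__ == "__main__":
    for entry in flag_startup_items(SAMPLE_WMIC_OUTPUT, exact=True):
        print(f'{entry["Caption"]:<16} {entry["Command"]}  ({entry["User"]})')
```

In prefix mode the sample produces only SearchProtect, because "SidebarUpdate" begins with "Sidebar" and is filtered with the real sidebar; exact mode reports both, which is the behaviour you want before trusting the list for cleanup.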


So what do all these CIRs get me? Lots of data!
Sample reports: (screenshots)

Now that you have this information, create Kscripts to get rid of the startup commands.
I run all my cleanup scripts using a VB script that calls a batch file invisibly to the user.

http://www.itninja.com/blog/view/how-to-hide-running-a-batch-file-from-a-kscript-with-version-5-5

I run them on a cron schedule so they run Monday through Friday at staggered intervals.
The common batch files I run:
cleanuphklm (this runs as system)
echo off
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v lync /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v lync /f
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v swg /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v swg /f
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v "QuickTime Task" /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v "QuickTime Task" /f
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v "Google Update" /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v "Google Update" /f
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v OfficeSyncProcess /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v OfficeSyncProcess /f
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v searchprotect /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v searchprotect /f
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v isuspm /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v isuspm /f
reg.exe delete hklm\software\microsoft\windows\currentversion\run /v "Novell Messenger" /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hklm\software\wow6432node\microsoft\windows\currentversion\run /v "Novell Messenger" /f

cleanuphkcu (this runs as all logged-on users)
echo off
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v lync /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v lync /f
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v swg /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v swg /f
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v "QuickTime Task" /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v "QuickTime Task" /f
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v "Google Update" /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v "Google Update" /f
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v OfficeSyncProcess /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v OfficeSyncProcess /f
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v searchprotect /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v searchprotect /f
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v isuspm /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v isuspm /f
reg.exe delete hkcu\software\microsoft\windows\currentversion\run /v "Novell Messenger" /f
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" reg.exe delete hkcu\software\wow6432node\microsoft\windows\currentversion\run /v "Novell Messenger" /f

kill unwanted jobs (this runs as system)
del "c:\windows\tasks\Google Software*.job" /q
del "c:\windows\tasks\GoogleUpdateTaskUser*.job" /q
del "c:\windows\tasks\Digital Sites.job" /q
del "c:\windows\tasks\DigitalSite.job" /q
del "c:\windows\tasks\MySearchDial.job" /q
del "c:\windows\tasks\G2MUpdate*.job" /q
del "c:\windows\tasks\Adobe Flash Player Updater.job" /q
del "c:\windows\tasks\HP Photo Creations Communicator.job" /q
del "c:\windows\tasks\Security Center Update*.job" /q
del "c:\windows\tasks\FacebookUpdateTaskUser*.job" /q
del "c:\windows\tasks\DriverUpdate Startup.job" /q
del "c:\windows\tasks\AVG-Secure-Search-Update*.job" /q
del "c:\windows\tasks\DSite.job" /q
del "c:\windows\tasks\pc-dis-upd.job" /q
del "c:\windows\tasks\SystemToolsDailyTest.job" /q
del "c:\windows\tasks\PCDoctorBackgroundMonitorTask.job" /q
del "c:\windows\tasks\OpenCandy Download Manager.job" /q
del "c:\windows\tasks\Regwork.job" /q
del "c:\windows\tasks\Plus-HD-1.6*.job" /q
del "c:\windows\tasks\Plus-HD-1.2*.job" /q
del "c:\windows\tasks\Reclaimer*.job" /q
del "c:\windows\tasks\MediaPlayerEnhance*.job" /q
del "c:\windows\tasks\SuperLyrics*.job" /q
del "c:\windows\tasks\weDownload Manager*.job" /q
del "c:\windows\tasks\FileCure*.job" /q
del "c:\windows\tasks\ParetoLogic*.job" /q

Deploying the SonicWall Aventail VPN Client with customized INI settings (K1000 6.2)

There is an alternate way to deploy this software, from a blog post in 2010:

http://www.itninja.com/question/mst-customaction

But there is also a much easier way.

You should have an installation file from SonicWall, such as "ngsetup64_en.exe".

You can obtain a copy of the client from your SSL VPN server in the section shown below.

Once the file is downloaded it can be expanded by running the following command from the containing directory:

     ngsetup64_en.exe -expand=<path>

(Ideally this path should be the same as the location of the main EXE file.)

Once expanded, you will have 2 new files: "ngvpn.msi" and "ngsetup.ini".

For unattended installation and configuration with your custom settings you will need to modify the INI file using the instructions from the SonicWall administrator's guide. In this case it is 10.5.5 (page 268, PDF here: http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=PG&id=520&dl=1 ).

Once your INI file is modified you are ready to distribute the package. Keep the customized INI file in the same folder as the EXE and run the install with the following command: "ngsetup64_en.exe -silent -f=ngsetup.ini". As long as the INI file is in the same folder as the installer you do not need to specify the full path to the INI file.

 

K1000 Managed Installation instructions:

To distribute this package using the Dell KACE K1000 Systems Management Appliance:
  1.  Take the 3 files created above and zip them up.
  2.  Upload the ZIP file to the correct software record under Inventory > Software.
  3.  Create a new Managed Installation under the Distribution tab.
  4.  Choose the Aventail Connect software item from the drop-down menu.
  5.  Choose "Override Default Installation" in the command section and enter "ngsetup64_en.exe -silent -f=ngsetup.ini" in the field.

It should look like the screenshot below:

[screenshot: Managed Installation settings]

Configure your machine selection and managed action as needed.

Save it and you are done. The installation will deploy based on your choices above.

Uninstall command:

MsiExec.exe /X{C338ACAC-7162-42E3-8B8C-85E5746F4A2E} /QN 


11/14/2014 - Update for K1000 version 6.2
