Did anyone else notice after patching Windows last month any strange errors with Custom Inventory rules? I had a very simple rule: 


For all intents and purposes, it was inactive. However, within the last week there were complaints that a notepad window was opened on a client computer. The notepad session was opened, looking at the file referenced by the above CIR rule.

I looked through the May patches and there was one that seems possibly related: MS14-027 (Vulnerability in Windows Shell Handler Could Allow Elevation of Privelage).

Answer Summary:
0 Comments   [ + ] Show Comments


Please log in to comment



Hard to say if that would have been caused by MS Patches, or if you just recently updated your KBOX, as I know they changed how some of those functions work with the 5.5 update.

That being said, though, you could just change it to something like:

ShellCommandTextReturn(cmd /c type c:\printers_18Oct_2012.txt)

I have some similar CIRs for returning contents of a file, and that's what I've had to use.

Answered 06/10/2014 by: BHC-Austin
Fourth Degree Black Belt

  • From the date, you can tell this was an old rule. My solution was to delete it as I do not know what it was used for. However, thanks for the alternate syntax, i'll try that next time I need something like this!
Please log in to comment
Answer this question or Comment on this question for clarity