Did anyone else notice after patching Windows last month any strange errors with Custom Inventory rules? I had a very simple rule: 


For all intents and purposes, it was inactive. However, within the last week there were complaints that a notepad window was opened on a client computer. The notepad session was opened, looking at the file referenced by the above CIR rule.

I looked through the May patches and there was one that seems possibly related: MS14-027 (Vulnerability in Windows Shell Handler Could Allow Elevation of Privelage).

Answer Summary:
0 Comments   [ - ] Hide Comments


Please log in to comment

Answer this question or Comment on this question for clarity



Hard to say if that would have been caused by MS Patches, or if you just recently updated your KBOX, as I know they changed how some of those functions work with the 5.5 update.

That being said, though, you could just change it to something like:

ShellCommandTextReturn(cmd /c type c:\printers_18Oct_2012.txt)

I have some similar CIRs for returning contents of a file, and that's what I've had to use.

Answered 06/10/2014 by: BHC-Austin
Fourth Degree Black Belt

  • From the date, you can tell this was an old rule. My solution was to delete it as I do not know what it was used for. However, thanks for the alternate syntax, i'll try that next time I need something like this!
Please log in to comment