How to determine if all services running on clients.

  • Question

  • Is there a way from the management server to determine if one of the deployed clients has all services running?

    I stopped the "Microsoft Forefront Client Security Antimalware Service" service on one client and the management console still thinks that everything is correct.

    Thanks
    Stephane
    Friday, December 5, 2008 6:40 PM

All replies

  • Hi!

    I'm afraid that the function you are requesting is not available. I'll look into a way to add that and will post back if I find a good way.

    /Johan
    MCSE, forefront spec | www.msforefront.com
    Saturday, December 6, 2008 7:25 AM
  • I've played with some MOM scripts that check for specific services and it works if I run it manually as a task on the management server, but I do not know how to run it automatically and how to trigger an alert.

    Here's what I used.

    '*******************************************************************************
    ' Script Name - QueryServiceStatus
    '
    ' Version     - 1.1 (15-sep-2003)
    '
    ' Purpose     - Determines the state of the specified NT service and raises
    '               the appropriate event if it's not configured to be suppressed.
    '
    ' Events      - 1000 = "The service is RUNNING" (Success)
    '               1001 = "The service is STOPPED" (Error)
    '               1002 = "The service is PAUSED" (Warning)
    '               1003 = "The service is potentially hung in the START PENDING status" (Error)
    '               1004 = "The service is potentially hung in the STOP PENDING status" (Error)
    '               1005 = "The service is potentially hung in the CONTINUE PENDING status" (Error)
    '               1006 = "The service is potentially hung in the PAUSE PENDING status" (Error)
    '               1007 = "The service could NOT be found as an INSTALLED service" (Error)
    '               1008 = "The service has an UNKNOWN STATUS" (Error)
    '               1009 = "The service could NOT be UNIQUELY IDENTIFIED (multiple instances
    '                       with identical names found)" (Error)
    '
    ' Parameters  - IncludeComputers  = List of computers that should be allowed to run the script.
    '                                   Leave blank to allow all. Separate multiple values by ";".
    '               ExcludeComputers  = List of computers that should NOT be allowed to run the script.
    '                                   Exclude overrules Include. Separate multiple values by ";".
    '               ServiceNames      = Names of the services to query for status.
    '                                   Separate multiple values by ";".
    '               MaxAttempts       = Maximum number of times the script will attempt to retrieve the status.
    '                                   Defaults to 3 if left blank.
    '               RetryInterval     = Interval in seconds between each retry attempt.
    '                                   Defaults to 5 seconds if left blank.
    '               SuppressEvents    = List of events to suppress. Separate multiple values by ";".
    '                                   (Fx. "1000;1007;1008")
    '
    ' Comments    - ServiceNames should contain the short names of the services, NOT the display names
    '               (Fx. "Spooler" and NOT "Print Spooler").
    '
    '*************************************************************************

    Option Explicit

    ' --- Define Constants ---
    ' Event types
    Const Event_Type_Success               = 0
    Const Event_Type_Error                 = 1
    Const Event_Type_Warning               = 2
    Const Event_Type_Info                  = 4
    Const Event_Type_Audit_Success         = 8
    Const Event_Type_Audit_Failure         = 16
    ' Event property-IDs
    Const Event_Service_Running            = 0
    Const Event_Service_Stopped            = 1
    Const Event_Service_Paused             = 2
    Const Event_Service_Start_Pending      = 3
    Const Event_Service_Stop_Pending       = 4
    Const Event_Service_Continue_Pending   = 5
    Const Event_Service_Pause_Pending      = 6
    Const Event_Service_Not_Installed      = 7
    Const Event_Service_Status_Unknown     = 8
    Const Event_Service_Multiple_Instances = 9
    ' Default values
    Const Default_Retry_Interval           = 5
    Const Default_Retry_Attempts           = 3
    Const Servicename_Not_Specified        = "FCSAM;FCSSAS"

    ' --- Define variables ---
    ' Integers
    Dim intCurrentServiceStatus, intLastServiceStatus, intCurrentAttempt, intRetryAttempts
    Dim intRetryInterval, intEventMsg, intEventID, intEventSeverity
    ' Strings
    Dim strComputer, strServiceNames, strServiceName, strEventMsg, strEventID, strEventType
    Dim strExcludeComputers, strIncludeComputers, strIncludeComputerName, strExcludeComputerName
    Dim strSuppressEvents, strSuppressEvent, strLocalComputerName
    ' Arrays
    Dim arrServiceNames, arrEventInfo(9), arrIncludeComputers, arrExcludeComputers, arrSuppressEvents
    ' Objects
    Dim objWMIService, objService, objParams, objUtil
    ' Collections
    Dim colServices
    ' Booleans
    Dim bolExcludeComputer, bolExecuteOnComputer, bolSuppressEvents

    InitVars
    SetEventProperties
    GetParameters
    ParseParameters
    CreateObjects
    CheckIfExecute

    ' Start main routine if script is allowed to run on the local agent computer
    If bolExecuteOnComputer = True Then
      ' --- Check each service in the list ---
      For Each strServiceName In arrServiceNames
        ' Reset counter variables
        ResetCounterVars
        ' Get service status
        intCurrentServiceStatus = GetServiceStatus(strServiceName)
     
        ' If status <> running/stopped/paused retry to see if service is trapped
        ' in a pending state or if status cant be read
        If (intCurrentServiceStatus <> Event_Service_Running) And _
           (intCurrentServiceStatus <> Event_Service_Stopped) And _
           (intCurrentServiceStatus <> Event_Service_Paused) Then
          ' Retry until max attempts is reached
          Do
            ' Increment attempt
            intCurrentAttempt = intCurrentAttempt + 1
            ' Get service status
            intCurrentServiceStatus = GetServiceStatus(strServiceName)
            ' If service is running/stopped/paused then exit loop else check again (continue loop)
            If (intCurrentServiceStatus = Event_Service_Running) Or _
               (intCurrentServiceStatus = Event_Service_Stopped) Or _
               (intCurrentServiceStatus = Event_Service_Paused) Then
              Exit Do
            End If
            ' Sleep for number of seconds specified in RetryInterval
            ObjUtil.Sleep intRetryInterval
          ' Continue loop until MaxAttempts is reached
          Loop While intCurrentAttempt < intRetryAttempts
        End If  
        ' Build event-message
        strEventMsg = "The NT service '" & strServiceName & "' on '" & strLocalComputerName & "'"
        ' Get event properties from array
        strEventID = arrEventInfo(intCurrentServiceStatus)(0)
        strEventMsg = strEventMsg & arrEventInfo(intCurrentServiceStatus)(1)
        strEventType = arrEventInfo(intCurrentServiceStatus)(2)
        ' Create and submit event
        If Not CheckSuppressEvent(strEventID) Then
          CreateSubmitEvent strEventMsg, strEventID, strEventType
        End If
      Next
    End If

    DeleteObjects

    ' -------------------- Functions and subs --------------------

    ' Function    : CheckSuppressEvent(intEventID)
    ' Parameters  : intEventID = The eventID that should be checked for suppression
    ' Description : Check if a eventID should be suppressed (specified in the parameters)
    Function CheckSuppressEvent(intEventID)
      ' Default to "not suppressed" so the function never returns Empty
      CheckSuppressEvent = False
      If bolSuppressEvents = True Then
        For Each strSuppressEvent In arrSuppressEvents
          If CInt(strSuppressEvent) = CInt(intEventID) Then
            CheckSuppressEvent = True
            Exit For
          End If
        Next
      End If
    End Function

    ' Function    : GetServiceStatus(strServiceName)
    ' Parameters  : strServiceName = Name of service to get the status of
    ' Description : Get the status of a service
    Function GetServiceStatus(strServiceName)
      Set colServices = objWMIService.ExecQuery ("Select * from Win32_Service Where Name='" & strServiceName & "'")
      Select Case colServices.Count
        Case 0
          GetServiceStatus = Event_Service_Not_Installed
        Case 1
          For Each objService in colServices
            Select Case objService.State
              Case "Running"          GetServiceStatus = Event_Service_Running
              Case "Stopped"          GetServiceStatus = Event_Service_Stopped
              Case "Paused"           GetServiceStatus = Event_Service_Paused
              Case "Start Pending"    GetServiceStatus = Event_Service_Start_Pending
              Case "Stop Pending"     GetServiceStatus = Event_Service_Stop_Pending
              Case "Continue Pending" GetServiceStatus = Event_Service_Continue_Pending
              Case "Pause Pending"    GetServiceStatus = Event_Service_Pause_Pending
              Case "Unknown"          GetServiceStatus = Event_Service_Status_Unknown
              Case Else
                GetServiceStatus = Event_Service_Status_Unknown
            End Select
          Next
        Case Else
          GetServiceStatus = Event_Service_Multiple_Instances
      End Select
      ' Delete collection object
      Set colServices = Nothing
    End Function

    ' Function    : GetLocalComputerName()
    ' Parameters  : None
    ' Description : Gets the name of the local computer
    Function GetLocalComputerName()
      Dim objNetwork
      Set objNetwork = CreateObject("WScript.Network")
      GetLocalComputerName = objNetwork.ComputerName
      Set objNetwork = Nothing
    End Function

    ' Sub         : CreateObjects
    ' Parameters  : None
    ' Description : Creates objects used by the script
    Sub CreateObjects
      Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
      Set objUtil = CreateObject("OpScrUtil.Utility")
    End Sub

    ' Sub         : DeleteObjects
    ' Parameters  : None
    ' Description : Deletes objects used by the script
    Sub DeleteObjects
      Set objWMIService = Nothing
    End Sub

    ' Sub         : GetParameters
    ' Parameters  : None
    ' Description : Retrieves the parameters used in the script
    Sub GetParameters
      ' Create parameter object
      Set objParams = ScriptContext.Parameters
      strServiceNames = objParams.get("ServiceNames")
      ' Only convert the retry parameters when they are set: CInt("") raises a type-mismatch
      ' error, and a blank value leaves the defaults applied in ParseParameters in place
      If objParams.get("RetryInterval") <> "" Then intRetryInterval = CInt(objParams.get("RetryInterval"))
      If objParams.get("MaxAttempts") <> "" Then intRetryAttempts = CInt(objParams.get("MaxAttempts"))
      strIncludeComputers = LCase(objParams.get("IncludeComputers")) ' Always lowercase
      strExcludeComputers = LCase(objParams.get("ExcludeComputers")) ' Always lowercase
      strSuppressEvents = objParams.get("SuppressEvents")
      Set objParams = Nothing
    End Sub

    ' Sub         : ParseParameters
    ' Parameters  : None
    ' Description : Parses the parameters used in the script
    Sub ParseParameters
      ' Default to value of constant Servicename_Not_Specified if nothing is specified in the parameters (ServiceNames)
      If strServiceNames = "" Then strServiceNames = Servicename_Not_Specified
      ' Split servicenames into array
      arrServiceNames = Split(strServiceNames, ";")
      ' Set to default value if nothing is specified in the parameters (RetryInterval)
      If intRetryInterval = "" Then intRetryInterval = Default_Retry_Interval
      ' Set to default value if nothing is specified in the parameters (RetryAttempts)
      If intRetryAttempts = "" Then intRetryAttempts = Default_Retry_Attempts
      ' Set strIncludeComputer to local computername if it is not specified in the parameters
      ' and split names into array if multiple computernames are specified.
      If strIncludeComputers = "" Then strIncludeComputers = GetLocalComputerName()
      arrIncludeComputers = Split(strIncludeComputers, ";", -1, 1)
      If strSuppressEvents <> "" Then
        bolSuppressEvents = True
        arrSuppressEvents = Split(strSuppressEvents, ";", -1, 1)
      End If
      ' If any computernames are specified in the parameters to be excluded split names into array
      If strExcludeComputers <> "" Then
        bolExcludeComputer = True
        arrExcludeComputers = Split(strExcludeComputers, ";", -1, 1)
      End If
    End Sub

    ' Sub         : InitVars
    ' Parameters  : None
    ' Description : Inits the variables used in the script
    Sub InitVars
      ' Always query WMI on the local machine (".")
      strComputer = "."
      bolExcludeComputer = False
      bolExecuteOnComputer = False
      bolSuppressEvents = False
    End Sub

    ' Sub         : ResetCounterVars
    ' Parameters  : None
    ' Description : Reset the counter variables used in the script
    Sub ResetCounterVars
      intCurrentAttempt = 0
    End Sub

    ' Sub         : CreateSubmitEvent
    ' Parameters  : varEventMsg = Event message, varEventID = Event number, varEventType = Event type constant
    ' Description : Create and submit an event
    Sub CreateSubmitEvent(varEventMsg, varEventID, varEventType)
      Dim objNewEvent
      Set objNewEvent = ScriptContext.CreateEvent
      objNewEvent.Message = varEventMsg
      objNewEvent.EventNumber = varEventID
      objNewEvent.EventType = varEventType
      ScriptContext.Submit(objNewEvent)
      Set objNewEvent = Nothing
    End Sub

    ' Sub         : CheckIfExecute
    ' Parameters  : None
    ' Description : Check if the local computername matches one of those specified in
    '               the parameters. This prevents the script from running on other agent
    '               computers if otherwise is specified in the parameters.
    Sub CheckIfExecute
      ' Get local computername
      strLocalComputerName = LCase(GetLocalComputerName())
      ' Check is the local computername is specified in the parameter IncludeComputer
      For Each strIncludeComputerName In arrIncludeComputers
       If LCase(strIncludeComputerName) = strLocalComputerName Then bolExecuteOnComputer = True
      Next
      ' Check if the local computername is specified in the parameter ExcludeComputer
      If bolExcludeComputer = True Then
        For Each strExcludeComputerName In arrExcludeComputers
         If LCase(strExcludeComputerName) = strLocalComputerName Then bolExecuteOnComputer = False
        Next
      End If
    End Sub

    ' Sub         : SetEventProperties
    ' Parameters  : None
    ' Description : Sets the properties of the events returned
    Sub SetEventProperties
      arrEventInfo(0) = Array(1000, " is RUNNING.", Event_Type_Success)
      arrEventInfo(1) = Array(1001, " is STOPPED.", Event_Type_Error)
      arrEventInfo(2) = Array(1002, " is PAUSED.", Event_Type_Warning)
      arrEventInfo(3) = Array(1003, " is potentially hung in the START PENDING status.", Event_Type_Error)
      arrEventInfo(4) = Array(1004, " is potentially hung in the STOP PENDING status.", Event_Type_Error)
      arrEventInfo(5) = Array(1005, " is potentially hung in the CONTINUE PENDING status.", Event_Type_Error)
      arrEventInfo(6) = Array(1006, " is potentially hung in the PAUSE PENDING status.", Event_Type_Error)
      arrEventInfo(7) = Array(1007, " could NOT be found as an INSTALLED service.", Event_Type_Error)
      arrEventInfo(8) = Array(1008, " has an UNKNOWN STATUS.", Event_Type_Error)
      arrEventInfo(9) = Array(1009, " could NOT be UNIQUELY IDENTIFIED (multiple instances with identical names found).", Event_Type_Error)
    End Sub

    ' -------------------- END SCRIPT --------------------

    Monday, December 8, 2008 4:40 PM
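    The post above leaves two things open: running the check unattended and raising an alert when a service is down. The following PowerShell script is an added example written for this page, not code from the thread or from Forefront Client Security. It runs the same Win32_Service query as the VBScript, but from the management server against a list of clients, and writes an Application-log event with the same event numbers (1000-1009) so a MOM event rule can alert on it. The client names CLIENT01/CLIENT02 and the event source FcsServiceCheck are constructed placeholders; querying Win32_Service remotely with Get-WmiObject needs RPC/DCOM access and local administrator rights on each client.

```powershell
# Added example (not from the thread): poll FCS services on a list of clients from the
# management server and raise an Application-log event for anything that is not Running.
# CLIENT01/CLIENT02 and the event source FcsServiceCheck are placeholders (assumptions).
param(
    [string[]]$ComputerName = @('CLIENT01', 'CLIENT02'),   # constructed placeholder hostnames
    [string[]]$ServiceName  = @('FCSAM', 'FCSSAS'),        # short names used by the VBScript
    [string]$EventSource    = 'FcsServiceCheck',           # assumed event source, registered below
    [int]$MaxAttempts       = 3,
    [int]$RetryInterval     = 5
)

# Same event numbers as the VBScript so an existing MOM rule can match on them.
$StateToEvent = @{
    'Running'          = @{ Id = 1000; Type = 'Information' }
    'Stopped'          = @{ Id = 1001; Type = 'Error' }
    'Paused'           = @{ Id = 1002; Type = 'Warning' }
    'Start Pending'    = @{ Id = 1003; Type = 'Error' }
    'Stop Pending'     = @{ Id = 1004; Type = 'Error' }
    'Continue Pending' = @{ Id = 1005; Type = 'Error' }
    'Pause Pending'    = @{ Id = 1006; Type = 'Error' }
}
$NotInstalled = @{ Id = 1007; Type = 'Error' }
$Unknown      = @{ Id = 1008; Type = 'Error' }
$Multiple     = @{ Id = 1009; Type = 'Error' }

function Get-RemoteServiceState {
    param([string]$Computer, [string]$Service)
    # Escape single quotes so a service name cannot break out of the WQL filter.
    $safeName = $Service -replace "'", "\'"
    try {
        $svc = @(Get-WmiObject -Class Win32_Service -ComputerName $Computer `
                    -Filter "Name='$safeName'" -ErrorAction Stop)
    } catch {
        # WMI unreachable (offline, firewall, DCOM): report as unknown, never as a silent pass.
        return @{ State = 'Unreachable'; Event = $Unknown; Detail = $_.Exception.Message }
    }
    switch ($svc.Count) {
        0       { return @{ State = 'Not installed'; Event = $NotInstalled } }
        1       {
            $state = $svc[0].State
            $ev = if ($StateToEvent.ContainsKey($state)) { $StateToEvent[$state] } else { $Unknown }
            return @{ State = $state; Event = $ev }
        }
        default { return @{ State = 'Multiple instances'; Event = $Multiple } }
    }
}

# Register the event source once (needs an elevated shell the first time it runs).
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

$results = foreach ($computer in $ComputerName) {
    foreach ($service in $ServiceName) {
        $r = Get-RemoteServiceState -Computer $computer -Service $service
        # Like the VBScript, re-check anything that is not Running/Stopped/Paused before alerting.
        $attempt = 1
        while ($r.Event.Id -ge 1003 -and $attempt -lt $MaxAttempts) {
            Start-Sleep -Seconds $RetryInterval
            $r = Get-RemoteServiceState -Computer $computer -Service $service
            $attempt++
        }
        $msg = "The NT service '$service' on '$computer' is $($r.State)."
        if ($r.Detail) { $msg += " ($($r.Detail))" }
        if ($r.Event.Id -ne 1000) {
            Write-EventLog -LogName Application -Source $EventSource -EventId $r.Event.Id `
                -EntryType $r.Event.Type -Message $msg
        }
        New-Object PSObject -Property @{
            Computer = $computer; Service = $service; State = $r.State; EventId = $r.Event.Id
        }
    }
}
$results | Format-Table Computer, Service, State, EventId -AutoSize
```

    Run it from a scheduled task on the management server (for example every 15 minutes) under an account that is a local administrator on the clients, and create a MOM event rule that matches source FcsServiceCheck with event IDs 1001 to 1009 to generate the alert. Because a failed WMI connection is reported as event 1008 rather than skipped, a client that is offline or blocking DCOM shows up as a problem instead of disappearing from the report, which is the gap the console showed in the original question.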
  • I left the service not running and overnight it restarted, I guess after applying the latest signature update it restarts it.

    Good to know.

    Is this the way it's designed?
    Wednesday, December 10, 2008 3:05 PM
  • The recommended solution for this would be using NAP with the SHA/SHV that are available to check/make sure FCS is in a proper state.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Tuesday, December 16, 2008 3:37 PM