A script is running on many machines, many times

  • Question

  • I'm trying to track down and understand why a certain script has many processes running on many PCs in our org. What I see is about 10-30 powershell.exe processes running in Task Manager; the command line for these processes is something like:

    powershell.exe -NoLogo -Noninteractive -NoProfile -ExecutionPolicy bypass & 'C:\Windows\CCM\SystemTemp\99c479b0-****-****-****-**********.ps1'

    There are, like I said, many of these running, yet the folder C:\Windows\CCM\SystemTemp\ is empty, so I have no idea what the script is or why it's there.

    I checked Scripts.log on the client and it hasn't changed for over 3 months, so it's not a script we've deployed; rather it seems like some kind of client activity, but I have no idea what it is or why it's there.

    SCCM version is 1906 and clients are all Win 10, some 1703, some 1809, some 1903, some 1909.

    Any insight on this would be very appreciated.



    • Edited by MercuryZ Monday, December 2, 2019 11:44 AM
    Monday, December 2, 2019 11:29 AM

Answers

  • I have my answer: it seems we had a baseline running with a script that wasn't written well and simply never ended. With help from a PFE we found it by making a script that constantly tries to copy files from the folder C:\WINDOWS\CCM\SystemTemp. As soon as the problematic baseline started running, the ps1 file was copied and I was able to inspect it.

    The script, for anyone interested:

    # Where the captured copies go
    $destination = "$env:userprofile\desktop\temp"
    if (-not (Test-Path $destination)) { mkdir $destination }

    # Poll the client's SystemTemp folder continuously (stop with Ctrl+C once a
    # copy has appeared); the short sleep keeps the loop from pegging a CPU core
    Do {
      Copy-Item C:\WINDOWS\CCM\SystemTemp\*.ps1 $destination
      Start-Sleep -Milliseconds 100
    } while ($true)


    • Edited by MercuryZ Sunday, December 8, 2019 11:22 AM
    • Marked as answer by MercuryZ Sunday, December 8, 2019 11:22 AM
    Sunday, December 8, 2019 11:21 AM
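    The following is an added example, not the poster's script: it captures the same way (polling C:\Windows\CCM\SystemTemp for .ps1 files) but names each copy by its SHA-256 hash so a script that is dropped repeatedly is stored once, records when each script was first seen so the time can be matched against DCMAgent.log or CIAgent.log, and stops after a time limit instead of running until the window is closed. The destination folder and the two-hour limit are assumptions of this example.

```powershell
# Added example (not from the thread): capture scripts the ConfigMgr client
# drops into SystemTemp, deduplicated by hash and bounded in time.
$source      = 'C:\Windows\CCM\SystemTemp'
$destination = Join-Path $env:USERPROFILE 'Desktop\temp'   # assumption
$deadline    = (Get-Date).AddHours(2)                       # assumption: stop after two hours
$seen        = @{}                                          # SHA-256 -> time first seen

if (-not (Test-Path $destination)) {
    New-Item -ItemType Directory -Path $destination | Out-Null
}

while ((Get-Date) -lt $deadline) {
    foreach ($file in Get-ChildItem -Path $source -Filter '*.ps1' -ErrorAction SilentlyContinue) {
        # The client may delete the file between listing and hashing, or still be
        # writing it; either case throws, and we simply try again on the next pass
        try   { $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash }
        catch { continue }

        if ($seen.ContainsKey($hash)) { continue }   # same script text already captured
        $seen[$hash] = Get-Date

        # Store under the hash so the copy is stable even though the GUID name changes
        Copy-Item -Path $file.FullName -Destination (Join-Path $destination "$hash.ps1") -ErrorAction SilentlyContinue
        '{0:u}  {1}  {2}' -f $seen[$hash], $file.Name, $hash
    }
    Start-Sleep -Milliseconds 200
}

# Summary: one line per distinct script, in the order they were first seen
$seen.GetEnumerator() | Sort-Object Value | Format-Table -AutoSize
```

    Open the captured copies in an editor rather than running them; the goal is to read the discovery or remediation logic and match its first-seen time against the CI evaluation recorded in the client logs.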

All replies

  • CMPivot uses a "master" PowerShell script to do its work so it could be CMPivot. It could also be configuration items using discovery and remediation scripts.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Monday, December 2, 2019 2:37 PM
  • CMPivot uses a "master" PowerShell script to do its work so it could be CMPivot. It could also be configuration items using discovery and remediation scripts.

    Jason | https://home.configmgrftw.com | @jasonsandys

    We don't use CMPivot so I doubt it's that. We do however have plenty of baselines checking for stuff; any way to make sure that is in fact what it is?
    Monday, December 2, 2019 3:14 PM
  • Check CIAgent.log and/or DCMAgent.log on the client(s) -- I don't remember which one. These will say what's running as far as CIs go (and other things as well, as many other things are actually CIs under the covers).

    Jason | https://home.configmgrftw.com | @jasonsandys

    Monday, December 2, 2019 3:34 PM
  • Hi,
     
    As far as I know, AppDiscovery.log will also include the information when the script under “C:\Windows\CCM\System\Temp” is loaded. We can also check that log.
     
    Hope it can help.
     
    Best regards.
    Crystal

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, December 3, 2019 3:12 AM
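    As an added example that nobody in this thread posted, the following PowerShell puts the two suggestions above together: it lists every powershell.exe whose command line references the SystemTemp folder, shows its parent process and age, and searches the client logs named above (CIAgent.log, DCMAgent.log, AppDiscovery.log, plus Scripts.log) for the script's GUID. C:\Windows\CCM\Logs is the ConfigMgr client's default log folder; the parent-process check rests on the assumption that scripts launched by the client have CcmExec.exe as their parent, so anything else is worth a closer look.

```powershell
# Added example (not from the thread): triage powershell.exe processes launched
# from the ConfigMgr client's SystemTemp folder and find their GUID in the logs.
$logDir = 'C:\Windows\CCM\Logs'                                   # client default
$logs   = 'CIAgent.log', 'DCMAgent.log', 'AppDiscovery.log', 'Scripts.log'
$guidRx = '(?i)[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

$procs = Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
    Where-Object { $_.CommandLine -like '*\CCM\SystemTemp\*' }

foreach ($p in $procs) {
    # Expect CcmExec.exe here when the ConfigMgr client started the script (assumption)
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    # The script file name is a GUID; that is the token to look for in the logs
    $guid = [regex]::Match($p.CommandLine, $guidRx).Value

    $hits = foreach ($log in $logs) {
        $path = Join-Path $logDir $log
        if ($guid -and (Test-Path $path)) {
            Select-String -Path $path -Pattern $guid -SimpleMatch |
                ForEach-Object { '{0}:{1}' -f $log, $_.LineNumber }
        }
    }

    [pscustomobject]@{
        PID        = $p.ProcessId
        Started    = $p.CreationDate
        AgeMinutes = [int]((Get-Date) - $p.CreationDate).TotalMinutes
        Parent     = if ($parent) { '{0} ({1})' -f $parent.Name, $parent.ProcessId } else { 'exited' }
        ScriptGuid = $guid
        LogHits    = ($hits -join ', ')
    }
}
```

    A long-running baseline script shows up as a process whose age keeps growing with CcmExec.exe as its parent and its GUID in DCMAgent.log or CIAgent.log; a process with no log hits and a different parent is not the client's doing and should be investigated on its own.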
  • I found nothing in all 3 logs. I restarted my PC yesterday and I already have 7 processes running.
    Tuesday, December 3, 2019 10:03 AM
  • Have any script packages from SCCM been pushed out to a collection at all? Wondering if perhaps the tasks are still running on machines it hasn't finished the jobs on?

    Website: www.walshamsolutions.com Technical Blog: https://www.walshamsolutions.com/technical-blog Personal Blog: https://www.walshamsolutions.com/personal-blog Twitter: Dwalshampro

    Tuesday, December 3, 2019 10:22 AM
  • Have any script packages from SCCM been pushed out to a collection at all? Wondering if perhaps the tasks are still running on machines it hasn't finished the jobs on?

    Website: www.walshamsolutions.com Technical Blog: https://www.walshamsolutions.com/technical-blog Personal Blog: https://www.walshamsolutions.com/personal-blog Twitter: Dwalshampro

    Not in the last few months, and anyway if it were deployed scripts I would see something in Scripts.log.
    Tuesday, December 3, 2019 11:25 AM
  • Depending on the version of PowerShell on clients it's worth enabling logging. This will probably give you more of an idea of what is occurring.

    https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html


    Richard Knight | Collection Refresh Manager | Automate detection rules for patch \ msp files | Twitter

    Tuesday, December 3, 2019 3:28 PM
  • Depending on the version of PowerShell on clients it's worth enabling logging. This will probably give you more of an idea of what is occurring.

    https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html


    Richard Knight | Collection Refresh Manager | Automate detection rules for patch \ msp files | Twitter

    Great idea! Thanks, I'm setting it right now and we'll see what's what.
    Thursday, December 5, 2019 7:38 AM
  • OK, unfortunately all I see in the log is:

    **********************
    Windows PowerShell transcript start
    Start time: 20191205045207
    Username: ***\SYSTEM
    RunAs User: ***\SYSTEM
    Configuration Name: 
    Machine: ***(Microsoft Windows NT 10.0.17763.0)
    Host Application: C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe -NoLogo -Noninteractive -NoProfile -ExecutionPolicy Bypass & 'C:\WINDOWS\CCM\SystemTemp\0a30f14e-1f15-46be-9b74-9436f40b57af.ps1'
    Process ID: 1256
    PSVersion: 5.1.17763.771
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17763.771
    BuildVersion: 10.0.17763.771
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************
    PS>& 'C:\WINDOWS\CCM\SystemTemp\0a30f14e-1f15-46be-9b74-9436f40b57af.ps1'
    YES
    PS>$global:?
    True
    **********************
    Windows PowerShell transcript end
    End time: 20191205045208
    **********************

    So not much help there :(

    Thursday, December 5, 2019 10:24 AM
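    The transcript above only records the invocation, because transcription logs what was typed at the host, not the contents of a script file. Script block logging, which the linked FireEye post also covers, writes the text of every script block PowerShell 5 compiles to event 4104 in the Microsoft-Windows-PowerShell/Operational log, so the body of the GUID-named script is recoverable from the event log even after the file is deleted. The following added example (not from the thread) enables that setting locally through the documented policy registry path and then reassembles the 4104 events whose Path points at the SystemTemp folder. It must run elevated; the 24-hour lookback is an assumption.

```powershell
# Added example (not from the thread): enable script block logging and pull
# back the script text the ConfigMgr client ran from SystemTemp.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Once some scripts have run, read the 4104 events. Large scripts are split
# across several events sharing one ScriptBlockId, numbered by MessageNumber.
$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-24)    # assumption: 24-hour lookback
}

$blocks = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # EventData carries named fields; pull them into a hashtable by Name
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time = $_.TimeCreated
        Id   = $data['ScriptBlockId']
        Part = [int]$data['MessageNumber']
        Path = $data['Path']                 # empty for blocks typed at a prompt
        Text = $data['ScriptBlockText']
    }
}

$blocks |
    Where-Object { $_.Path -like '*\CCM\SystemTemp\*' } |
    Group-Object Id |
    ForEach-Object {
        $parts = $_.Group | Sort-Object Part
        [pscustomobject]@{
            FirstSeen = $parts[0].Time
            Path      = $parts[0].Path
            Script    = ($parts.Text -join '')   # stitch the fragments back together
        }
    } |
    Sort-Object FirstSeen |
    Format-List FirstSeen, Path, Script
```

    A script that loops without ending is compiled once, so it appears as a single block with one FirstSeen time; the absence of new blocks while the process count keeps rising is itself evidence that the existing processes never finished rather than new ones being launched.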
  • As those scripts are running from the CCM folder, is it worth trying to reinstall the client on that machine and see if those PowerShell scripts continue to run after that?
    Also, are you using SCCM 1906 with the hotfix?

    Website: www.walshamsolutions.com Technical Blog: https://www.walshamsolutions.com/technical-blog Personal Blog: https://www.walshamsolutions.com/personal-blog Twitter: Dwalshampro

    Thursday, December 5, 2019 10:28 AM
  • Hi,

    Did these scripts run at a specific time? If yes, we can open Process Monitor to see if there is anything more to find.

    Best regards.

    Crystal


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 6, 2019 9:29 AM
  • As those scripts are running from the CCM folder, is it worth trying to reinstall the client on that machine and see if those PowerShell scripts continue to run after that?
    Also, are you using SCCM 1906 with the hotfix?

    Website: www.walshamsolutions.com Technical Blog: https://www.walshamsolutions.com/technical-blog Personal Blog: https://www.walshamsolutions.com/personal-blog Twitter: Dwalshampro

    This happens on many different computers, so there is no point in reinstalling clients. However, I'm now thinking this started with the 1906 client. It doesn't happen with 1902 clients.

    Yes, 1906 with the hotfix installed.

    Sunday, December 8, 2019 8:17 AM
  • Hi,

    Did these scripts run at a specific time? If yes, we can open Process Monitor to see if there is anything more to find.

    Best regards.

    Crystal


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    We don't know when these scripts start running, it just happens whenever the client decides something needs to be done. I believe these to be baselines, I just want to prove it.
    Sunday, December 8, 2019 8:18 AM
  • Hi,
     
    Thanks for your update. I am glad to hear that we have found our answer. To make the thread easier to read, let me write a summary:
     
    Question:
    =================
    10-30 powershell.exe processes are running in Task Manager; the command line for these processes is something like: powershell.exe -NoLogo -Noninteractive -NoProfile -ExecutionPolicy bypass & 'C:\Windows\CCM\SystemTemp\99c479b0-****-****-****-**********.ps1'. Many of these are running, yet the folder C:\Windows\CCM\SystemTemp\ is empty. Would like to know what the script is and why it's there.
     
    Answer:
    ==================
    It seems a baseline was running with a script that wasn't written well and simply never ended. Make a script that constantly tries to copy files from the folder C:\WINDOWS\CCM\SystemTemp. As soon as the problematic baseline starts running, the ps1 file is copied.
    The script, for anyone interested:
    =================================================
    # Where the captured copies go
    $destination = "$env:userprofile\desktop\temp"
    if (-not (Test-Path $destination)) { mkdir $destination }
    # Poll the client's SystemTemp folder continuously (stop with Ctrl+C once a
    # copy has appeared); the short sleep keeps the loop from pegging a CPU core
    Do {
      Copy-Item C:\WINDOWS\CCM\SystemTemp\*.ps1 $destination
      Start-Sleep -Milliseconds 100
    } while ($true)
    =================================================
     
    Thanks for posting in the forum and have a nice day!
     
    Best regards.
    Crystal

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 9, 2019 7:57 AM