K1000 batch file issues
I am trying to run a batch file from the K1000 appliance that will copy some files from a network location down to a PC, execute a command to run the USMT ScanState tool and upload the user state to a network location and then delete the folder with the files initially downloaded.
The script works fine when I run it manually but fails to execute when I push it from the K1000 and don't know why. I run it using my credentials.
Here is the script I am using:
@echo off
XCOPY /i /e \\ITS-USMT01\USMT\%PROCESSOR_ARCHITECTURE% %systemdrive%\USMT
cd %systemdrive%\usmt
cls
ECHO Creating migration store.......
start /b /wait \\its-usmt01\usmt\%PROCESSOR_ARCHITECTURE%\scanstate.exe \\ITS-USMT01\User_States\%computername% /o /c /i:miguser.xml /i:migapp.xml /i:migprinters.xml /uel:30 /efs:skip /v:13 /l:scan.log
goto Done
:Done
cd..
echo Deleting working directory!!!
timeout 30
rd /s /q %systemdrive%\USMT 1>nul 2>nul
The way I did this is by going to scripts, selecting windows 7 as the OS, added my test box as the device to push the script to, selecting Windows run as "Credentials" and selecting my credentials from the list, selected Notify user before run (just so that I know it is running while testing), allow run without a logged-in user, created a task just entering the commands above in the On Success run a batch file. After saving, Kace created the file Kace1823.bat in the dependencies section. After that I just click on run now. I get notified on my test PC that a task is being ran and then it fails. On the status it logs a failed execution with the following entries:
Output Log:
Running with credntials provided: domain [] user [Testadmin] Creating process returned non-zero: C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\364\kace1823.bat : (4294967295) Error Code: -1 Status Code: 0
Activity Log:
verify - on_verify_success verify - on_verify_failure verify - launch_program Launching program: 'C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\364\kace1823.bat' '' wait='false
Debug Log:
Running kbot: runkbot 364 1571399111 KBotScript::LogScriptInfo - Start id=364 name=ScanState version=1571399109 type=policy execute disconnected=false logged_off=true execute events KBotScript::LogScriptInfo - Finish KBotScript::LogScriptInfo - Start id=364 name=ScanState version=1571399109 type=policy execute disconnected=false logged_off=true execute events KBotScript::LogScriptInfo - Finish KBotScriptManager::CleanupDependencies - clean up dependencies in kbot directory C:\ProgramData\Quest\KACE\kbots_cache\\packages\kbots\364\ CleanupDependencies: file kace1823.bat is part of the dependency list, keep the file runkbot ----- launching [path='C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\364' program='kace1823.bat' parms='' wait='false'] ----
Answers (2)
Are these x64 machines the bat is failing on? If yes try changing your batch xcopy line to
C:\Windows\Sysnative\XCOPY /i /e \\ITS-USMT01\USMT\%PROCESSOR_ARCHITECTURE% %systemdrive%\USMT
Other thought to try is be logged on machine as your super user and choose run as logged in user to see if that works.
Let us know, that will help eliminate a couple of possibilities.
Comments:
-
^ This is the first thing that comes to mind, you might also have to call the bat via cmd.exe in sysnative so that the %Processor_Architecture& env variable is properly set according to the host os.
When I set up scripts that need to be ran in the OS-Native environment I usually have a verify step that looks for the executable in the 64-Bit native path which will only exist on a 64-Bit OS install.
E.G. IF the file"C:\WIndows\sysnative\cmd.exe" exists, launch c:\windows\sysnative\cmd.exe /c "(Path to bat)"
otherwise on remediation launch c:\Windows\System32\cmd.exe /c
A few additional things I would recommend raul does the following.
- Set the run program task to wait for completion as error messages and echo output during the bat should then be logged to debug.
- If running the script using the System account, verify that the system(s) machine account has sufficient rights to access the network share.
I've gotten in to the habit of making my scripts fairly verbose which makes it worlds easier to troubleshoot and pinpoint issues as they occur. Kace will capture text output from both .bat and powershell scripts when you wait for completion. This has been especially useful on some of my more complicated scripts that span more then 200 lines of code. - Kiyolaka 5 years ago-
Thank you all for the great ideas... I have incorporated some of the suggestions and I have things working currently as long as I run the script as the logged in user but it fails if I try to run the script with credentials (using domain administrator credentials).
The script is as follows:
Task1
Verify a file exists "c:\windows\syswow64\cmd.exe"
on success run batch file:
@echo off
XCOPY /i /e \\ITS-USMT01\USMT\amd64 %systemdrive%\USMT
cd %systemdrive%\usmt
TIMEOUT /T 30
ECHO Creating migration store.......
cd %systemdrive%\usmt
start /b /wait %systemdrive%\usmt\scanstate.exe \\ITS-USMT01\User_States\%computername% /o /c /i:miguser.xml /i:migapp.xml /i:migprinters.xml /uel:30 /efs:skip /v:13 /l:scan.log
Remediation:
run batch file:
@echo off
XCOPY /i /e \\ITS-USMT01\USMT\x86 %systemdrive%\USMT
cd %systemdrive%\usmt
TIMEOUT /T 30
ECHO Creating migration store.......
cd %systemdrive%\usmt
start /b /wait %systemdrive%\usmt\scanstate.exe \\ITS-USMT01\User_States\%computername% /o /c /i:miguser.xml /i:migapp.xml /i:migprinters.xml /uel:30 /efs:skip /v:13 /l:scan.log
Any suggestions on running it with other credentials? The idea is to push this to a group of machines after hours to copy the user profiles and then run the loadstate.exe process on a replacement PC. This is part of a Windows 10 migration from Windows 7 and some of the profiles can be rather large so doing this after hours can save us a lot of time. - raul102801 5 years ago-
How are you handling the share permissions for the network folder, is it being granted to a security group or OU? You would need to either give the AD machine objects access to the share or run the script as an adult service account which has access to the share as well as sufficient privaledges on the end user workstations. I would consider the service according route a better practice as you can then limit the share access to just that account and not have users potentially stumble upon it and poke around, it would however require quite a bit more work GPO and permission wise. - Kiyolaka 5 years ago
-
When it runs as logged in user but not with credentials it is usually the software has to have a live profile to stage the temp files thru. We have a few pieces of software like that here. The way to get around that on a machine no is on is to use a task chain and use the first task to set autologin and reboot. then use the next tasks to run what you need to do. the final task clears autologin. - SMal.tmcc 5 years ago
-
The credentials I was testing with have domain admin permissions so the network share permissions should not be an issue I don't think. - raul102801 5 years ago
Verify that the file "c:\windows\syswow64\cmd.exe" exist. On success run batch file:
@echo off
XCOPY /i /e \\ITS-USMT01\USMT\amd64 %systemdrive%\USMT
cd %systemdrive%\usmt
TIMEOUT /T 30
ECHO Creating migration store.......
cd %systemdrive%\usmt
start /b /wait %systemdrive%\usmt\scanstate.exe \\ITS-USMT01\User_States\%computername% /o /c /i:miguser.xml /i:migapp.xml /i:migprinters.xml /uel:30 /efs:skip /v:13 /l:scan.log
remediation run batch file:
@echo off
XCOPY /i /e \\ITS-USMT01\USMT\x86 %systemdrive%\USMT
cd %systemdrive%\usmt
TIMEOUT /T 30
ECHO Creating migration store.......
cd %systemdrive%\usmt
start /b /wait %systemdrive%\usmt\scanstate.exe \\ITS-USMT01\User_States\%computername% /o /c /i:miguser.xml /i:migapp.xml /i:migprinters.xml /uel:30 /efs:skip /v:13 /l:scan.log
Like I said, this script works when running under the logged user but fails if trying to use saved credentials and I am not sure why. I have verified the credentials already. The idea of this script is to collect a user state and copy it to a network share after hours so we can run the loadstate on to a replacement PC 1st thing in the morning ... Any suggestions: - raul102801 5 years ago