Powershell script provides different results from SMA vs directly at Command Prompt
I have a simple Powershell script that searches an "uninstall location" in the Windows registry for the uninstall strings for all Sophos products there, and simply prints them out:
[Int]$i = 0
$Reg32Items = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -like "*Sophos*" }
ForEach ($element in $Reg32Items) {
$i++
Write-Host "$($i). $($element.DisplayName) - $($element.UninstallString)"
}
When I run this script from the SMA (either as the System user or the logged-on user) as an "Online Kscript", the log shows empty results. But I can open a Command Prompt window on the target computer (elevated or not), open Powershell, cd into the appropriate kbot directory, and run the script there and get two items (as expected). Here's part of my Kscript:
Any clues?
Thanks!
--
Kent
UPDATE:
After posting the above, I did some additional testing, which was enlightening.
I created an Online Shell Script (instead of an Online Kscript), and then called the Powershell script with this line:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -File SophosUninstall.ps1
Still getting no results, I added in some test lines:
@echo off
echo Running powershell script now.
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -File SophosUninstall.ps1
echo The powershell script has now completed.
Still nothing of help.
Then I modified the Powershell script to read everything, not just the Sophos-related items:
Write-Host "In Powershell now"
[Int]$i = 0
Write-Host "Loop counter = $($i)."
$Reg32Items = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*
#| Where-Object { $_.DisplayName -like "*Sophos*" }
Write-Host "We've read the registry now."
ForEach ($element in $Reg32Items) {
$i++
Write-Host "$($i). $($element.DisplayName) - $($element.UninstallString)"
}
Write-Host "The above should be what we read from the registry."
Finally, I'm getting some output. But there are no "Sophos" items in the output, which is crazy, 'cause I know they're in there. So I tried running the Powershell script again directly from the Command Prompt, and got a completely different set of responses, including Sophos-related items.
This triggered a vague memory of mine where I've run into something similar to this, something about Windows changing the paths or executables or something, under the hood, and hidden from the user, when running certain types of apps (32-bit vs 64, maybe?; related to "SysWow" maybe?).
I think Nick the Ninja is hammering real close to the nail when he mentions the 32-bit client issue.
--
Kent
Answers (2)
If you run this from the CLI, you are using your local credentials (local admin, I assume?).
If you run it from KACE, it is run as SYSTEM.
Also, the agent is 32-bit, so some additional issues may occur.
You can set up the script to run as "special user" to fix it.
Comments:
- I'm confident it's not user-related; I've just come up with an additional test that was enlightening. I'll detail this above. - kentwest 4 years ago
Top Answer
Yep, these two commands, when executed via a KACE script, give identical results:
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*
So it would appear that when running from the 32-bit KACE agent, the call to the non-Wow6432 area of the registry gets rerouted by Windows into the Wow6432 area of the registry.
All I can say is, "Wow".
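The redirection described in the answer above can be sidestepped by asking .NET for an explicit registry view instead of relying on the view the calling process gets by default. The following is an added example, not code from the original posts; it assumes PowerShell 3.0 or later (.NET 4, for `RegistryView`), and the function name `Get-UninstallEntry` is hypothetical.

```powershell
# Added example: list uninstall entries from BOTH registry views, so the result
# is the same whether the calling PowerShell process is 32-bit or 64-bit.
# Assumes PowerShell 3.0+ (.NET 4). Get-UninstallEntry is a hypothetical name.
function Get-UninstallEntry {
    param(
        [string]$NameFilter = '*Sophos*'
    )
    $subKeyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $views = @([Microsoft.Win32.RegistryView]::Registry64,
               [Microsoft.Win32.RegistryView]::Registry32)
    # On a 32-bit OS there is only one view; avoid listing it twice.
    if (-not [Environment]::Is64BitOperatingSystem) {
        $views = @([Microsoft.Win32.RegistryView]::Registry32)
    }
    foreach ($view in $views) {
        # OpenBaseKey with an explicit view bypasses WOW64 registry redirection.
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $uninstall = $base.OpenSubKey($subKeyPath)
            if ($null -eq $uninstall) { continue }
            foreach ($name in $uninstall.GetSubKeyNames()) {
                $item = $uninstall.OpenSubKey($name)
                if ($null -eq $item) { continue }
                $displayName = $item.GetValue('DisplayName')
                if ($displayName -like $NameFilter) {
                    [pscustomobject]@{
                        View            = $view
                        DisplayName     = $displayName
                        UninstallString = $item.GetValue('UninstallString')
                    }
                }
                $item.Close()
            }
            $uninstall.Close()
        }
        finally { $base.Close() }
    }
}

# Show which kind of process we are, then print entries in the post's format.
Write-Host "Process is 64-bit: $([Environment]::Is64BitProcess)"
$i = 0
Get-UninstallEntry | ForEach-Object {
    $i++
    Write-Host "$i. [$($_.View)] $($_.DisplayName) - $($_.UninstallString)"
}
```

A 32-bit caller can also start the 64-bit PowerShell through the `C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe` alias, which exists only for 32-bit processes on 64-bit Windows.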