/build/static/layout/Breadcrumb_cap_w.png

Powershell script provides different results from SMA vs directly at Command Prompt

I have a simple Powershell script that searches an "uninstall location" in the Windows registry for the uninstall strings for all Sophos products there, and simply prints them out:

[Int]$i = 0
$Reg32Items = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -like "*Sophos*" }
ForEach ($element in $Reg32Items) {
    $i++
    Write-Host "$($i). $($element.DisplayName) - $($element.UninstallString)"
}

When I run this script from the SMA (either as the System user or the logged-on user) as on "Online Kscript", the log shows empty results. But I can open a Command Prompt window on the target computer (elevated or not), open Powershell, cd into the appropriate kbot directory, and run the script there and get two items (as expected). Here's part of my Kscript:
x8mvM1isWfG6AAAAABJRU5ErkJggg==

Any clues?

Thanks!


--

Kent


UPDATE:

After posting the above, I did some additional testing, which was enlightening.

I created an Online Shell Script (instead of an Online Kscript), and then called the Powershell script with this line:

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -File SophosUninstall.ps1

Still getting no results, I added in some test lines:

@echo off

echo Running powershell script now.
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -File SophosUninstall.ps1
echo The powershell script has now completed.

Still nothing of help.

Then I modified the Powershell script to read everything, not just the Sophos-related items:

Write-Host "In Powershell now"
[Int]$i = 0
Write-Host "Loop counter = $($i)."
$Reg32Items = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*
#| Where-Object { $_.DisplayName -like "*Sophos*" }
Write-Host "We've read the registry now."
ForEach ($element in $Reg32Items) {
    $i++
    Write-Host "$($i). $($element.DisplayName) - $($element.UninstallString)"
}
Write-Host "The above should be what we read from the registry."


Finally, I'm getting some output. But there is no "Sophos" items in the output, which is crazy, 'cause I know they're in there. So I tried running the Powershell script again directly from the Command Prompt, and got a completely different set of responses, including Sophos-related items.

This triggered a vague memory of mine where I've run into something similar to this, something about Windows changing the paths or executables or something, under the hood, and hidden from the user, when running certain types of apps (32-bit vs 64, maybe?; related to "SysWow" maybe?).

I think Nick the Ninja is hammering real close to the nail when he mentions the 32-bit client issue.


--

Kent



0 Comments   [ + ] Show comments

Answers (2)

Answer Summary:
Posted by: Nico_K 4 years ago
Red Belt
0

if you run this from the cli you are using your local credentials (local admin I assume?)
if you run it from KACE it is run as SYSTEM.
Also the agent is 32Bit, so some additional issues may occur.
You can setup the scrip to run as "special user" to fix it.


Comments:
  • I'm confident it's not user-related; I've just come up with an additional test that was enlightening. I'll detail this above. - kentwest 4 years ago
Posted by: kentwest 4 years ago
Second Degree Brown Belt
0

Top Answer

Yep, these two commands, when executed via a KACE script, give identical results:

Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*

So it would appear that when running from the 32-bit KACE agent, the call to the non-Wow6432 area of the registry gets rerouted by Windows into the Wow6432 area of the registry.

All I can say is, "Wow".

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ