Script creating event which overload the security logs?

Question

Hello,

Our Security department is asking information about the following script:
"The two event ids responsible are eventid 4624 and eventid 4104. While eventid 4624 is a successful logon and can’t be blamed by itself. We think the event id 4104 generated by running the following script contributed to spikes on both events.
c:\windows\ccm\scriptstore\7dc6b6f1-e7f6-43c1-96e0-e1d16bc25c14_c1b6b8aece88cf30fff1fd35bee1461e34f4799eff1406890e079bb2c7bfb9e5.ps1
"

Is it a script

custom?
core?
Microsoft?
Configuration Manager?
What does this script do? I saw the root of CMPivot (7dc6b6f1-e7f6-43c1-96e0-e1d16bc25c14)

Should this script, this folder excluded from the scan? per folder? per process? other?

from https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/recommended-antivirus-exclusions
the folder c:\windows\ccm is excluded as folder but not the processes inside it!!!

FireEye is the anti-virus, etc...

I checked also
C:\Windows\ccm\logs\scripts.log and this script does not appear in it!!!

Thanks,
Dom

Answer

Hi, @Duchemin, Dominique
Thank you for posting in Microsoft Q&A forum.

The scripts under "C:\windows\ccm\scriptstore" are created by Configuration Manager Run Scripts or CMPivot features.
It is recommended to exclude %windir%\CCM\ScriptStore so that the anti-malware software permits those features to run without interference.

Here is the reference:
https://learn.microsoft.com/en-us/mem/configmgr/apps/deploy-use/create-deploy-scripts

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer

Hello,

The issue is still there. we have a case opened on 11/02/2011 4:07 pm Case 28229106 with Microsoft Premier Support but I id not get any call from them yesterday !!! it is a Severity B with 2 hours SLA but still no call from them. I called myself 4 times yesterday and they said: it has been escalated to the Manager ... not sure what's going on with MS Premier Support!!!

The issue is still existing and the 4104 is flooding the event logs ....
Our tests are:

When the CMPivot SMSDefaultBrowser is launched on 1 Machine ONLINE it completes in seconds...
When the CMPivot SMSDefaultBrowser is launched on 1 Machine OFFLINE it never completes, I waiting hours and the job/task is still in progress 0 of 1 ...?
I checked the event logs on both machine Applications and Services Logs > Microsoft > Windows > Powershell > Operational
3.a Machine online:

Blockquote

Creating Scriptblock text (1 of 25):
param([string] $kustoquery, [string] $wmiquery, [string] $select)

Read the queries and selects

$kustoquery = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($kustoquery.Substring(2))).Split([Environment]::NewLine, [StringSplitOptions]::RemoveEmptyEntries)
$wmiqueries = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($wmiquery.Substring(2))).Split([Environment]::NewLine, [StringSplitOptions]::RemoveEmptyEntries)
$selects = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($select.Substring(2))).Split([Environment]::NewLine, [StringSplitOptions]::RemoveEmptyEntries)

create the result xml writer

$sb = New-Object System.Text.StringBuilder
$sw = New-Object System.IO.StringWriter($sb)
$writer = New-Object System.Xml.XmlTextWriter($sw)
$writer.WriteStartDocument()
$writer.WriteStartElement("result")
$writer.WriteAttributeString("ResultCode", 0x00000000 )

A helper function to create a datatable of properties

function CreateTableFromPropertyList
{
param ([string[]]$properties, [String[]]$propertyTypes)

$dt = New-Object system.Data.DataTable  

# Add Device column first  
$col_device = New-Object system.Data.DataColumn 'Device',([Microsoft.ConfigurationManagement.AdminConsole.CMPivotParser.Device])  
$dt.Columns.Add($col_device)  

# Add the rest properties to columns  
for( $index = 0; $index -lt $properties.Length; $index++ )  
{  
    # Get the column datatype  
    switch($propertyTypes[$index])  
    {  
        "Boolean"  
        {  
            $colType = [System.Boolean]  
            break  
        }  
        "Number"  
        {  
            $colType = [System.Int64]  
            break  
        }  
        "String"  
        {  
            $colType = [System.String]  
            break  
        }  
        "TimeSpan"  
        {  
            $colType = [System.TimeSpan]  
            break  
        }  
        "DateTime"  
        {  
            $colType = [System.DateTime]  
            break                  
        }  
        default  
        {  
            throw  
        }  
    }  
    $column = New-Object system.Data.DataColumn $properties[$index], ($colType)  
    $dt.Columns.Add($column)  
}  

return ,$dt

}

Try
{
# Lookup the CCM directory
$key = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
$subKey = $key.OpenSubKey("SOFTWARE\Microsoft\SMS\Client\Configuration\Client Properties")
$ccmdir = $subKey.GetValue("Local SMS Path")
$key.Close()
$binName = 'AdminUI.CMPivotParser.dll'
$binPath = (join-path $ccmdir $binName)

# Try to load AdminUI.CMPivotParser.dll from ccm binary folder  
try  
{  
    [System.Reflection.Assembly]::LoadFile($binPath) | Out-Null  
}  
# If there is any exception, fall back to load dll from memory  
catch  
{  
    # Write the file to the system temp dir  
    $binPath = (Join-Path $ccmdir 'SystemTemp')  

    If(!(Test-Path $binPath))  
    {  
          Throw 'Missing SystemTemp directory'  
    }  

    $binPath = (join-path $binPath $binName)  

    if(!(Test-Path $binPath))  
    {  
        $bin64String = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAESjE4YAAAAAAAAAAOAAIiALATAAADwDAAAIAAAAAAAAQloDAAAgAAAAYAMAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACgAwAAAgAAKhoEAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAO9ZAwBPAAAAAGADAFgEAAAAAAAAAAAAAABGAwCQIwAAAIADAAwAAABQWQMAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAASDoDAAAgAAAAPAMAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAFgEAAAAYAMAAAYAAAA+AwAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIADAAACAAAARAMAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAjWgMAAAAAAEgAAAACAAUAyK8BABhyAQAJAAAAAAAAAOAhAwDwNgAA0FgDAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwCgAlmwAAAQAAEQIfZY0KAAAbJRYWGBiNSwAAASUXF54XcxMAAAqiJRcWGBiNSwAAASUXF54YcxMAAAqiJRgXFxeNSwAAARlzEwAACqIlGRcaGI1LAAABJRcYnhlzEwAACqIlGhgWFnMUAAAKoiUbGBkYjUsAAAElFheeJRcYnhpzEwAACqIlHBkYF41LAAABJRYXnhtzEwAACqIlHRkYF41LAAABJRYXnhxzEwAACqIlHhkYF41LAAABJRYXnh1zEwAACqIlHwkZGBeNSwAAASUWF54ecxMAAAqiJR8KGRoYjUsAAAElFheeJRcZnh8JcxMAAAqiJR8LGRkXjUsAAAElFhieHwpzEwAACqIlHwwZFxaNSwAAAR8LcxMAAAqiJR8NGRgXjUsAAAElFheeHwxzEwAACqIlHw4ZGhiNSwAAASUWF54lFxmeHw1zEwAACqIlHw8ZGReNSwAAASUWGJ4fDnMTAAAKoiUfEBkYF41LAAABJRYXnh8PcxMAAAqiJR8RGRwYjUsAAAElFheeJRcanh8PcxMAAAqiJR8SGRkYjUsAAAElFheeJRcYnh8QcxMAAAqiJR8TGRsYjUsAAAElFheeJRcZnh8RcxMAAAqiJR8UGhcXjUsAAAEfFnMTAAAKoiUfFRoZGI1LAAABJRcYnh8ycxMAAAqiJR8WGxcXjUsAAAEfFnMTAAAKoiUfFxsZGI1LAAABJRcYnh8mcxMAAAqiJR8YHBcXjUsAAAEfInMTAAAKoiUfGRwZGI1LAAABJRcYnh8jcxMAAAqiJR8aHRcXjUsAAAEfHnMTAAAKoiUfGx0ZGI1LAAABJRcYnh8fcxMAAAqiJR8cHhcXjUsAAAEfFnMTAAAKoiUfHR4ZGI1LAAABJRcYnh8bcxMAAAqiJR8eHwkXF41LAAABHxZzEwAACqIlHx8fCRcXjUsAAAEfFnMTAAAKoiUfIB8JFxeNSwAAAR8WcxMAAAqiJR8hHwkXF41LAAABHxZzEwAACqIlHyIfCRcXjUsAAAEfFnMTAAAKoiUfIx8JFxeNSwAAAR8WcxMAAAqiJR8kHwoXF41LAAABHxZzEwAACqIlHyUfChkYjUsAAAElFxieHxdzEwAACqIlHyYfCxYWjUsAAAEfEnMTAAAKoiUfJx8LGRaNSwAAAR8ScxMAAAqiJR8oHwsZFo1LAAABHxNzEwAACqIlHykfCxkWjUsAAAEfFHMTAAAKoiUfKh8LGRaNSwAAAR8VcxMAAAqiJR8rHwwZF41LAAABJRYYnh8YcxMAAAqiJR8sHwwZGI1LAAABJRcYnh8ZcxMAAAqiJR8tHwwZGI1LAAABJRcYnh8acxMAAAqiJR8uHw0XF41LAAABHxxzEwAACqIlHy8fDRgXjUsAAAEfHXMTAAAKoiUfMB8NGBeNSwAAAR8ccxMAAAqiJR8xHw4XF41LAAABHxZzEwAACqIlHzIfDhkYjUsAAAElFxieHyBzEwAACqIlHzMfDxoYjUsAAAElFxieHyFzEwAACqIlHzQfDxoYjUsAAAElFxieHyFzEwAACqIlHzUfEBYWcxQAAAqiJR82HxAXF41LAAABHyRzEwAACqIlHzcfEBkYjUsAAAElFxieHyVzEwAACqIlHzgfERcXjUsAAAEfFnMTAAAKoiUfOR8RGRiNSwAAASUXGJ4fIHMTAAAKoiUfOh8SFxeNSwAAAR8WcxMAAAqiJR87HxIZGI1LAAABJRcYnh8ncxMAAAqiJR88HxMXF41LAAABHxZzEwAACqIlHz0fExkZjUsAAAElFxieJRgXnh8ocxMAAAqiJR8+HxQXF41LAAABHxZzEwAACqIlHz8fFBkYjUsAAAElFxieHylzEwAACqIlH0AfFBkYjUsAAAElFxieHypzEwAACqIlH0EfFRcWcxQAAAqiJR9CHxUXFnMUAAAKoiUfQx8VFxZzFAAACqIlH0QfFRcWcxQAAAqiJR9FHxUXFnMUAAAKoiUfRh8VFxZzFAAACqIlH0cfFRcWcxQAAAqiJR9IHxUXFnMUAAAKoiUfSR8VFxZzFAAACqIlH0ofFRcWcxQAAAqiJR9LHxUXFnMUAAAKoiUfTB8VFxZzFAAACqIlH00fFRcWcxQAAAqiJR9OHxUXFnMUAAAKoiUfTx8WFxeNSwAAAR8WcxMAAAqiJR9QHxYZGI1LAAABJRcYnh8rcxMAAAqiJR9RHxYZGI1LAAABJRcYnh8scxMAAAqiJR9SHxYZGI1LAAABJRcYnh8tcxMAAAqiJR9THxcXF41LAAABHy5zEwAACqIlH1QfFxcXjUsAAAEfL3MTAAAKoiUfVR8XGBeNSwAAASUWF54fMHMTAAAKoiUfVh8XGReNSwAAASUWF54fFnMTAAAKoiUfVx8XFxeNSwAAAR8WcxMAAAqiJR9YHxgXF41LAAABHzNzEwAACqIlH1kfGBcXjUsAAAEfNHMTAAAKoiUfWh8YFxeNSwAAAR81cxMAAAqiJR9bHxgXF41LAAABHzZzEwAACqIlH1wfGBcXjUsAAAEfN3MTAAAKoiUfXR8YFxeNSwAAAR83cxMAAAqiJR9eHxgXF41LAAABHzhzEwAACqIlH18fGRoYjUsAAAElFxieHzFzEwAACqIlH2AfGhcXjUsAAAEfFnMTAAAKoiUfYR8aGBeNSwAAASUWF54fOXMTAAAKoiUfYh8bFxeNSwAAAR8WcxMAAAqiJR9jHxsYF41LAAABJRYXnh85cxMAAAqiJR9kHxwXFnMUAAAKon2fAAAEAigVAAAKAiChAAAAHz9zFgAACn2dAAAEAnudAAAEFhgXGhZzEAAABigXAAAKAnudAAAEFhwXGxZzEAAABigXAAAKAnudAAAEFh0XHBZzEAAABigXAAAKAnudAAAEFh4XHRZzEAAABigXAAAKAnudAAAEFh8JFx4WcxAAAAYoFwAACgJ7nQAABBYfDRcfCRZzEAAABigXAAAKAnudAAAEFh8RFx8KFnMQAAAGKBcAAAoCe50AAAQWHy0XHwsWcxAAAAYoFwAACgJ7nQAABBYfLxcfDBZzEAAABigXAAAKAnudAAAEFh8xFx8NFnMQAAAGKBcAAAoCe50AAAQWHzkXHw4WcxAAAAYoFwAACgJ7nQAABBcWGRYWcxAAAAYoFwAACgJ7nQAABBgWGBYacxAAAAYoFwAACgJ7nQAABBgfGBgWGnMQAAAGKBcAAAoCe50AAAQYHy4XHxAWcxAAAAYoFwAACgJ7nQAABBkWGBYacxAAAAYoFwAACgJ7nQAABBkfGBgWGnMQAAAGKBcAAAoCe50AAAQZHy4XHxAWcxAAAAYoFwAACgJ7nQAABBoWGBYYcxAAAAYoFwAACgJ7nQAABBofFxcfEhZzEAAABigXAAAKAnudAAAEGh8YGBYYcxAAAAYoFwAACgJ7nQAABBofLhgWGHMQAAAGKBcAAAoCe50AAAQbGBcfFhZzEAAABigXAAAKAnudAAAEGx0XHxcWcxAAAAYoFwAACgJ7nQAABBsfChcfGBZzEAAABigXAAAKAnudAAAEHBYYFh8McxAAAAYoFwAACgJ7nQAABBwfGBgWHwxzEAAABigXAAAKAnudAAAEHB8uGBYfDHMQAAAGKBcAAAoCe50AAAQdGRcfGRZzEAAABigXAAAKAnudAAAEHhkXHxoWcxAAAAYoFwAACgJ7nQAABB8JGBcfJxZzEAAABigXAAAKAnudAAAEHwkZFx8oFnMQAAAGKBcAAAoCe50AAAQfCR8PFx8pFnMQAAAGKBcAAAoCe50AAAQfCR8SFx8qFnMQAAAGKBcAAAoCe50AAAQfCR8UFx8rFnMQAAAGKBcAAAoCe50AAAQfCR8XFx8sFnMQAAAGKBcAAAoCe50AAAQfCR8ZFx8tFnMQAAAGKBcAAAoCe50AAAQfCR8aFx8uFnMQAAAGKBcAAAoCe50AAAQfCR8bFx8vFnMQAAAGKBcAAAoCe50AAAQfCR8rFx8wFnMQAAAGKBcAAAoCe50AAAQfCR8sFx8xFnMQAAAGKBcAAAoCe50AAAQfCh8KFx8yFnMQAAAGKBcAAAoCe50AAAQfCxgXHzQWcxAAAAYoFwAACgJ7nQAABB8LGRcfKBZzEAAABigXAAAKAnudAAAEHwsfDxcfKRZzEAAABigXAAAKAnudAAAEHwsfEhcfKhZzEAAABigXAAAKAnudAAAEHwsfFBcfKxZzEAAABigXAAAKAnudAAAEHwsfFxcfLBZzEAAABigXAAAKAnudAAAEHwsfGRcfLRZzEAAABigXAAAKAnudAAAEHwsfGhcfLhZzEAAABigXAAAKAnudAAAEHwsfGxcfLxZzEAAABigXAAAKAnudAAAEHwsfKxcfMBZzEAAABigXAAAKAnudAAAEHwsfLBcfMRZzEAAABigXAAAKAnudAAAEHwwYFx8nFnMQAAAGKBcAAAoCe50AAAQfDBkXHygWcxAAAAYoFwAACgJ7nQAABB8MHw8XHykWcxAAAAYoFwAACgJ7nQAABB8MHxIXHyoWcxAAAAYoFwAACgJ7nQAABB8MHxQXHysWcxAAAAYoFwAACgJ7nQAABB8MHxcXHywWcxAAAAYoFwAACgJ7nQAABB8MHxkXHy0WcxAAAAYoFwAACgJ7nQAABB8MHxoXHy4WcxAAAAYoFwAACgJ7nQAABB8MHxsXHy8WcxAAAAYoFwAACgJ7nQAABB8MHysXHzAWcxAAAAYoFwAACgJ7nQAABB8MHywXHzEWcxAAAAYoFwAACgJ7nQAABB8NHzMXHzcWcxAAAAYoFwAACgJ7nQAABB8NHzQXHzgWcxAAAAYoFwAACgJ7nQAABB8NHzUXHzkWcxAAAAYoFwAACgJ7nQAABB8NHzYXHzoWcxAAAAYoFwAACgJ7nQAABB8NHzcXHzsWcxAAAAYoFwAACgJ7nQAABB8NHzgXHzwWcxAAAAYoFwAACgJ7nQAABB8OGBgWHyZzEAAABigXAAAKAnudAAAEHw4fFxgWHyZzEAAABigXAAAKAnudAAAEHw4fOhcfPhZzEAAABigXAAAKAnudAAAEHw8WGBYWcxAAAAYoFwAACgJ7nQAABB8PHxgYFhZzEAAABigXAAAKAnudAAAEHxAcFxsWcxAAAAYoFwAACgJ7nQAABB8QHRccFnMQAAAGKBcAAAoCe50AAAQfEB4XHRZzEAAABigXAAAKAnudAAAEHxAfCRceFnMQAAAGKBcAAAoCe50AAAQfEB8NFx8JFnMQAAAGKBcAAAoCe50AAAQfEB8RFx8KFnMQAAAGKBcAAAoCe50AAAQfEB8tFx8LFnMQAAAGKBcAAAoCe50AAAQfEB8vFx8MFnMQAAAGKBcAAAoCe50AAAQfEB8xFx8NFnMQAAAGKBcAAAoCe50AAAQfEB85Fx8OFnMQAAAGKBcAAAoCe50AAAQfERYYFhdzEAAABigXAAAKAnudAAAEHxEfGBgWF3MQAAAGKBcAAAoCe50AAAQfEhkXHygWcxAAAAYoFwAACgJ7nQAABB8SHw8XHykWcxAAAAYoFwAACgJ7nQAABB8SHxQXHysWcxAAAAYoFwAACgJ7nQAABB8SHxkXHy0WcxAAAAYoFwAACgJ7nQAABB8SHxoXHy4WcxAAAAYoFwAACgJ7nQAABB8SHxsXHy8WcxAAAAYoFwAACgJ7nQAABB8SHysXHzAWcxAAAAYoFwAACgJ7nQAABB8SHywXHzEWcxAAAAYoFwAACgJ7nQAABB8TFhgWHwlzEAAABigXAAAKAnudAAAEHxMfChcfQhZzEAAABigXAAAKAnudAAAEHxMfGBgWHwlzEAAABigXAAAKAnudAAAEHxMfLhgWHwlzEAAABigXAAAKAnudAAAEHxQWGBYfGnMQAAAGKBcAAAoCe50AAAQfFB8KGBYfGnMQAAAGKBcAAAoCe50AAAQfFB8YGBYfGnMQAAAGKBcAAAoCe50AAAQfFB8uGBYfGnMQAAAGKBcAAAoCe50AAAQfFB8wFx9DFnMQAAAGKBcAAAoCe50AAAQfFRYYFh8xcxAAAAYoFwAACgJ7nQAABB8VHwoYFh8xcxAAAAYoFwAACgJ7nQAABB8VHxgYFh8xcxAAAAYoFwAACgJ7nQAABB8VHy4YFh8xcxAAAAYoFwAACgJ7nQAABB8VHzAYFh8xcxAAAAYoFwAACgJ7nQAABB8WHxcXH0QWcxAAAAYoFwAACgJ7nQAABB8WHyUXH0UWcxAAAAYoFwAACgJ7nQAABB8XHxcXH0YWcxAAAAYoFwAACgJ7nQAABB8YGBcfJxZzEAAABigXAAAKAnudAAAEHxgZFx8oFnMQAAAGKBcAAAoCe50AAAQfGB8PFx8pFnMQAAAGKBcAAAoCe50AAAQfGB8SFx8qFnMQAAAGKBcAAAoCe50AAAQfGB8UFx8rFnMQAAAGKBcAAAoCe50AAAQfGB8XFx8sFnMQAAAGKBcAAAoCe50AAAQfGB8ZFx8tFnMQAAAGKBcAAAoCe50AAAQfGB8aFx8uFnMQAAAGKBcAAAoCe50AAAQfGB8bFx8vFnMQAAAGKBcAAAoCe50AAAQfGB8rFx8wFnMQAAAGKBcAAAoCe50AAAQfGB8sFx8xFnMQAAAGKBcAAAoCe50AAAQfGRYYFh8NcxAAAAYoFwAACgJ7nQAABB8ZHxgYFh8NcxAAAAYoFwAACgJ7nQAABB8ZHy4YFh8NcxAAAAYoFwAACgJ7nQAABB8aHwoXH0gWcxAAAAYoFwAACgJ7nQAABB8bFhgWHzhzEAAABigXAAAKAnudAAAEHxsfGBgWHzhzEAAABigXAAAKAnudAAAEHxsfLhgWHzhzEAAABigXAAAKAnudAAAEHxsfMBgWHzhzEAAABigXAAAKAnudAAAEHxwWGBYecxAAAAYoFwAACgJ7nQAABB8cHxgYFh5zEAAABigXAAAKAnudAAAEHxwfLhgWHnMQAAAGKBcAAAoCe50AAAQfHRYYFh8YcxAAAAYoFwAACgJ7nQAABB8dHxgYFh8YcxAAAAYoFwAACgJ7nQAABB8dHy4YFh8YcxAAAAYoFwAACgJ7nQAABB8dHzAXH0kWcxAAAAYoFwAACgJ7nQAABB8eFhgWHxZzEAAABigXAAAKAnudAAAEHx4aFx9KFnMQAAAGKBcAAAoCe50AAAQfHhsXH0sWcxAAAAYoFwAACgJ7nQAABB8eHxgYFh8WcxAAAAYoFwAACgJ7nQAABB8eHy4YFh8WcxAAAAYoFwAACgJ7nQAABB8eHzAYFh8WcxAAAAYoFwAACgJ7nQAABB8fFhgWHzpzEAAABigXAAAKAnudAAAEHx8aGBYfOnMQAAAGKBcAAAoCe50AAAQfHxsYFh86cxAAAAYoFwAACgJ7nQAABB8fHxgYFh86cxAAAAYoFwAACgJ7nQAABB8fHxwXH00WcxAAAAYoFwAACgJ7nQAABB8fHx0XH04WcxAAAAYoFwAACgJ7nQAABB8fHx4XH08WcxAAAAYoFwAACgJ7nQAABB8fHx8XH1AWcxAAAAYoFwAACgJ7nQAABB8fHyAXH1EWcxAAAAYoFwAACgJ7nQAABB8fHyEXH1IWcxAAAAYoFwAACgJ7nQAABB8fHyIXH1MWcxAAAAYoFwAACgJ7nQAABB8fHyMXH1QWcxAAAAYoFwAACgJ7nQAABB8fHyQXH1UWcxAAAAYoFwAACgJ7nQAABB8fHyYXH1YWcxAAAAYoFwAACgJ7nQAABB8fHycXH1cWcxAAAAYoFwAACgJ7nQAABB8fHygXH1gWcxAAAAYoFwAACgJ7nQAABB8fHykXH1kWcxAAAAYoFwAACgJ7nQAABB8fHyoXH1oWcxAAAAYoFwAACgJ7nQAABB8fHy4YFh86cxAAAAYoFwAACgJ7nQAABB8fHzAYFh86cxAAAAYoFwAACgJ7nQAABB8gFhgWHzxzEAAABigXAAAKAnudAAAEHyAaGBYfPHMQAAAGKBcAAAoCe50AAAQfIBsYFh88cxAAAAYoFwAACgJ7nQAABB8gHxMXH1sWcxAAAAYoFwAACgJ7nQAABB8gHxQXH1wWcxAAAAYoFwAACgJ7nQAABB8gHxgYFh88cxAAAAYoFwAACgJ7nQAABB8gHxwYFh88cxAAAAYoFwAACgJ7nQAABB8gHx0YFh88cxAAAAYoFwAACgJ7nQAABB8gHx4YFh88cxAAAAYoFwAACgJ7nQAABB8gHx8YFh88cxAAAAYoFwAACgJ7nQAABB8gHyAYFh88cxAAAAYoFwAACgJ7nQAABB8gHyEYFh88cxAAAAYoFwAACgJ7nQAABB8gHyIYFh88cxAAAAYoFwAACgJ7nQAABB8gHyMYFh88cxAAAAYoFwAACgJ7nQAABB8gHyQYFh88cxAAAAYoFwAACgJ7nQAABB8gHyYYFh88cxAAAAYoFwAACgJ7nQAABB8gHycYFh88cxAAAAYoFwAACgJ7nQAABB8gHygYFh88cxAAAAYoFwAACgJ7nQAABB8gHykYFh88cxAAAAYoFwAACgJ7nQAABB8gHyoYFh88cxAAAAYoFwAACgJ7nQAABB8gHy4YFh88cxAAAAYoFwAACgJ7nQAABB8gHzAYFh88cxAAAAYoFwAACgJ7nQAABB8hFhgWHz5zEAAABigXAAAKAnudAAAEHyEaGBYfPnMQAAAGKBcAAAoCe50AAAQfIRsYFh8+cxAAAAYoFwAACgJ7nQAABB8hHw4XH10WcxAAAAYoFwAACgJ7nQAABB8hHxMYFh8+cxAAAAYoFwAACgJ7nQAABB8hHxQYFh8+cxAAAAYoFwAACgJ7nQAABB8hHxUXH14WcxAAAAYoFwAACgJ7nQAABB8hHxYXH18WcxAAAAYoFwAACgJ7nQAABB8hHxgYFh8+cxAAAAYoFwAACgJ7nQAABB8hHxwYFh8+cxAAAAYoFwAACgJ7nQAABB8hHx0YFh8+cxAAAAYoFwAACgJ7nQAABB8hHx4YFh8+cxAAAAYoFwAACgJ7nQAABB8hHx8YFh8+cxAAAAYoFwAACgJ7nQAABB8hHyAYFh8+cxAAAAYoFwAACgJ7nQAABB8hHyEYFh8+cxAAAAYoFwAACgJ7nQAABB8hHyIYFh8+cxAAAAYoFwAACgJ7nQAABB8hHyMYFh8+cxAAAAYoFwAACgJ7nQAABB8hHyQYFh8+cxAAAAYoFwAACgJ7nQAABB8hHyYYFh8+cxAAAAYoFwAACgJ7nQAABB8hHycYFh8+cxAAAAYoFwAACgJ7nQAABB8hHygYFh8+cxAAAAYoFwAACgJ7nQAABB8hHykYFh8+cxAAAAYoFwAACgJ7nQAABB8hHyoYFh8+cxAAAAYoFwAACgJ7nQAABB8hHy4YFh8+cxAAAAYoFwAACgJ7nQAABB8hHzAYFh8+cxAAAAYoFwAACgJ7nQAABB8iFhgWH09zEAAABigXAAAKAnudAAAEHyIaGBYfT3MQAAAGKBcAAAoCe50AAAQfIhsYFh9PcxAAAAYoFwAACgJ7nQAABB8iHw4YFh9PcxAAAAYoFwAACgJ7nQAABB8iHxMYFh9PcxAAAAYoFwAACgJ7nQAABB8iHxQYFh9PcxAAAAYoFwAACgJ7nQAABB8iHxUYFh9PcxAAAAYoFwAACgJ7nQAABB8iHxYYFh9PcxAAAAYoFwAACgJ7nQAABB8iHxgYFh9PcxAAAAYoFwAACgJ7nQAABB8iHxwYFh9PcxAAAAYoFwAACgJ7nQAABB8iHx0YFh9PcxAAAAYoFwAACgJ7nQAABB8iHx4YFh9PcxAAAAYoFwAACgJ7nQAABB8iHx8YFh9PcxAAAAYoFwAACgJ7nQAABB8iHyAYFh9PcxAAAAYoFwAACgJ7nQAABB8iHyEYFh9PcxAAAAY

ScriptBlock ID: aa95a632-9d8e-4884-a2f6-0b93fee7bd93
Path: C:\Windows\CCM\ScriptStore\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c1b6b8aece88cf30fff1fd35bee1461e34f4799eff1406890e079bb2c7bfb9e5.ps1

Blockquote

3.b Machine offline:

I checked on the Primary Server, there are a group of 70 event logs 4104 every hours logged in the event logs!!! not sure how to decrypt it.
it seems there is no message on the Primary Server linked to the launch on the two machines ... but still the 70 events every hours...

Log Name: Microsoft-Windows-PowerShell/Operational

Source: Microsoft-Windows-PowerShell
Date: 11/4/2021 7:05:42 AM
Event ID: 4104
Task Category: Execute a Remote Command
Level: Warning
Keywords: None
User: SYSTEM
Computer: VRPSCCMPR01.ad.medctr.ucla.edu
Description:
Creating Scriptblock text (1 of 1):

requires -version 3.0

try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { }

$script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module

$script:ClassName = 'root/StandardCimv2/MSFT_NetCompartment'
$script:ClassVersion = '1.0.0'
$script:ModuleVersion = '1.0'
$script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter]

$script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new()

Microsoft.PowerShell.Core\Export-ModuleMember -Function @()

function __cmdletization_BindCommonParameters
{
param(
$__cmdletization_objectModelWrapper,
$myPSBoundParameters
)

    if ($myPSBoundParameters.ContainsKey('CimSession')) {   
        $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession']   
    }  


    if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) {   
        $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit']   
    }  


    if ($myPSBoundParameters.ContainsKey('AsJob')) {   
        $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob']   
    }

}

function Get-NetCompartment
{
[CmdletBinding(DefaultParameterSetName='Query (cdxml)', PositionalBinding=$false)]

[OutputType([Microsoft.Management.Infrastructure.CimInstance])]

[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/StandardCimv2/MSFT_NetCompartment')]

param(  

[Parameter(ParameterSetName='Query (cdxml)')]  
[ValidateNotNull()]  
[uint32[]]  
${CompartmentId},  

[Parameter(ParameterSetName='Query (cdxml)')]  
[Alias('Session')]  
[ValidateNotNullOrEmpty()]  
[CimSession[]]  
${CimSession},  

[Parameter(ParameterSetName='Query (cdxml)')]  
[int]  
${ThrottleLimit},  

[Parameter(ParameterSetName='Query (cdxml)')]  
[switch]  
${AsJob})  

DynamicParam {  
    try   
    {  
        if (-not $__cmdletization_exceptionHasBeenThrown)  
        {  
            $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new()  
            $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData)  

            if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters])  
            {  
                ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters()  
            }  
        }  
    }  
    catch  
    {  
        $__cmdletization_exceptionHasBeenThrown = $true  
        throw  
    }  
}  

Begin {  
    $__cmdletization_exceptionHasBeenThrown = $false  
    try   
    {  
        __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters  
        $__cmdletization_objectModelWrapper.BeginProcessing()  
    }  
    catch  
    {  
        $__cmdletization_exceptionHasBeenThrown = $true  
        throw  
    }  
}  


Process {  
    try   
    {  
        if (-not $__cmdletization_exceptionHasBeenThrown)  
        {  
$__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder()  
if ($PSBoundParameters.ContainsKey('CompartmentId') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) {  
    $__cmdletization_values = @(${CompartmentId})  
    $__cmdletization_queryBuilder.FilterByProperty('CompartmentId', $__cmdletization_values, $false, 'Default')  
}  


$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder)  
        }  
    }  
    catch  
    {  
        $__cmdletization_exceptionHasBeenThrown = $true  
        throw  
    }  
}  


End {  
    try  
    {  
        if (-not $__cmdletization_exceptionHasBeenThrown)  
        {  
            $__cmdletization_objectModelWrapper.EndProcessing()  
        }  
    }  
    catch  
    {  
        throw  
    }  
}  

# .EXTERNALHELP MSFT_NetCompartment.cdxml-Help.xml

}
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetCompartment' -Alias '*'

ScriptBlock ID: b1133d52-5435-410c-8606-989d808d0328
Path:
Event Xml:

4104
1
3
2
15
0x0

402731

Microsoft-Windows-PowerShell/Operational
VRPSCCMPR01.ad.medctr.ucla.edu

1
1

requires -version 3.0

try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { }

$script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module

$script:ClassName = 'root/StandardCimv2/MSFT_NetCompartment'
$script:ClassVersion = '1.0.0'
$script:ModuleVersion = '1.0'
$script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter]

$script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new()

Microsoft.PowerShell.Core\Export-ModuleMember -Function @()

function __cmdletization_BindCommonParameters
{
param(
$__cmdletization_objectModelWrapper,
$myPSBoundParameters
)

    if ($myPSBoundParameters.ContainsKey('CimSession')) {   
        $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession']   
    }  


    if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) {   
        $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit']   
    }  


    if ($myPSBoundParameters.ContainsKey('AsJob')) {   
        $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob']   
    }

}

function Get-NetCompartment
{
[CmdletBinding(DefaultParameterSetName='Query (cdxml)', PositionalBinding=$false)]

[OutputType([Microsoft.Management.Infrastructure.CimInstance])]

[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/StandardCimv2/MSFT_NetCompartment')]

param(  

[Parameter(ParameterSetName='Query (cdxml)')]  
[ValidateNotNull()]  
[uint32[]]  
${CompartmentId},  

[Parameter(ParameterSetName='Query (cdxml)')]  
[Alias('Session')]  
[ValidateNotNullOrEmpty()]  
[CimSession[]]  
${CimSession},  

[Parameter(ParameterSetName='Query (cdxml)')]  
[int]  
${ThrottleLimit},  

[Parameter(ParameterSetName='Query (cdxml)')]  
[switch]  
${AsJob})  

DynamicParam {  
    try   
    {  
        if (-not $__cmdletization_exceptionHasBeenThrown)  
        {  
            $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new()  
            $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData)  

            if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters])  
            {  
                ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters()  
            }  
        }  
    }  
    catch  
    {  
        $__cmdletization_exceptionHasBeenThrown = $true  
        throw  
    }  
}  

Begin {  
    $__cmdletization_exceptionHasBeenThrown = $false  
    try   
    {  
        __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters  
        $__cmdletization_objectModelWrapper.BeginProcessing()  
    }  
    catch  
    {  
        $__cmdletization_exceptionHasBeenThrown = $true  
        throw  
    }  
}  


Process {  
    try   
    {  
        if (-not $__cmdletization_exceptionHasBeenThrown)  
        {  
$__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder()  
if ($PSBoundParameters.ContainsKey('CompartmentId') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) {  
    $__cmdletization_values = @(${CompartmentId})  
    $__cmdletization_queryBuilder.FilterByProperty('CompartmentId', $__cmdletization_values, $false, 'Default')  
}  


$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder)  
        }  
    }  
    catch  
    {  
        $__cmdletization_exceptionHasBeenThrown = $true  
        throw  
    }  
}  


End {  
    try  
    {  
        if (-not $__cmdletization_exceptionHasBeenThrown)  
        {  
            $__cmdletization_objectModelWrapper.EndProcessing()  
        }  
    }  
    catch  
    {  
        throw  
    }  
}  

# .EXTERNALHELP MSFT_NetCompartment.cdxml-Help.xml

}
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetCompartment' -Alias '*'

b1133d52-5435-410c-8606-989d808d0328

Blockquote

Any comments?

Thanks,
Dom

Answer

Hello,

How could we verify the task is no more running?

Thanks,
Dom

Script creating event which overload the security logs?

3 answers

Read the queries and selects

create the result xml writer

A helper function to create a datatable of properties

requires -version 3.0

requires -version 3.0