
Script creating events which overload the security logs?

Hello,

Our Security department is asking for information about the following script:

"The two event IDs responsible are event ID 4624 and event ID 4104. While event ID 4624 is a successful logon and can't be blamed by itself, we think the event ID 4104 generated by running the following script contributed to spikes on both events:
c:\windows\ccm\scriptstore\7dc6b6f1-e7f6-43c1-96e0-e1d16bc25c14_c1b6b8aece88cf30fff1fd35bee1461e34f4799eff1406890e079bb2c7bfb9e5.ps1"

Is it a script that is:
- custom?
- core?
- Microsoft?
- Configuration Manager?
What does this script do? I saw the root of CMPivot (7dc6b6f1-e7f6-43c1-96e0-e1d16bc25c14).

Should this script or this folder be excluded from the scan? Per folder? Per process? Other?

From https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/recommended-antivirus-exclusions
the folder c:\windows\ccm is excluded as a folder, but not the processes inside it!!!

FireEye is the anti-virus, etc...

I also checked C:\Windows\ccm\logs\scripts.log and this script does not appear in it!!!

Thanks,
Dom

AllenLiu-MSFT answered

Hi, @DucheminDominique-7551
Thank you for posting in Microsoft Q&A forum.

The scripts under "C:\windows\ccm\scriptstore" are created by Configuration Manager Run Scripts or CMPivot features.
It is recommended to exclude %windir%\CCM\ScriptStore so that the anti-malware software permits those features to run without interference.


Here is the reference:
https://docs.microsoft.com/en-us/mem/configmgr/apps/deploy-use/create-deploy-scripts


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.






AllenLiu-MSFT commented: May we know the current status of the problem?
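Before deciding on antivirus exclusions it is worth confirming where the 4104 volume actually comes from. The following is an added example, not code from the thread, from Microsoft or from Configuration Manager: it pulls 4104 events from the PowerShell Operational log on the client, tags each one by whether its Path sits under %windir%\CCM\ScriptStore, and summarises the volume per hour and per source. The window ($Since) and the store path are assumptions to adjust. One caveat worth keeping in mind: 4104 is emitted by PowerShell script block logging, not by the antivirus, so an AV exclusion on ScriptStore changes what is scanned, not how many of these events are written.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Attributes PowerShell 4104 (script block) events on this client to their
# source so a spike can be tied to scripts cached under %windir%\CCM\ScriptStore.
# Assumptions: run elevated; script block logging is enabled; $Since and
# $ScriptStore are adjusted to the environment.
param(
    [datetime]$Since       = (Get-Date).AddHours(-24),
    [string]  $ScriptStore = (Join-Path $env:windir 'CCM\ScriptStore')
)

# Each 4104 carries ScriptBlockText, ScriptBlockId, MessageNumber/MessageTotal
# (one block can be logged in many parts, e.g. "1 of 25") and Path, which is
# empty for code that never came from a file.
$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $Since
}
$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    $path = [string]$data['Path']
    [pscustomobject]@{
        Time            = $_.TimeCreated
        ProcessId       = $_.ProcessId
        ScriptBlockId   = $data['ScriptBlockId']
        MessageNumber   = [int]$data['MessageNumber']
        MessageTotal    = [int]$data['MessageTotal']
        Path            = $path
        FromScriptStore = $path.StartsWith($ScriptStore, [System.StringComparison]::OrdinalIgnoreCase)
        # First non-empty line identifies in-memory blocks; the cdxml module
        # text quoted in this thread starts with "#requires -version 3.0".
        FirstLine       = (([string]$data['ScriptBlockText']) -split "`r?`n" |
                           Where-Object { $_.Trim() } | Select-Object -First 1)
    }
}

# Per-hour view: raw event count vs. distinct script blocks vs. blocks from the store
$perHour = $rows | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } | ForEach-Object {
    [pscustomobject]@{
        Hour            = $_.Name
        Events          = $_.Count
        DistinctBlocks  = @($_.Group.ScriptBlockId | Sort-Object -Unique).Count
        FromScriptStore = @($_.Group | Where-Object FromScriptStore).Count
    }
}

# Per-source view: which file (or which in-memory block) produced the volume
$perSource = $rows |
    Group-Object { if ($_.Path) { $_.Path } else { 'in-memory: ' + $_.FirstLine } } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

$perHour   | Sort-Object Hour | Format-Table -AutoSize
$perSource | Format-Table -AutoSize -Wrap
```

If the per-source table is dominated by entries with an empty Path (in-memory blocks such as auto-generated cdxml modules), the ScriptStore script is not the main contributor and an exclusion on that folder will not change the picture; if the ScriptStore path dominates, the count of distinct blocks shows whether it is one long script logged in many parts or many separate executions.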
DominiqueDUCHEMIN-4668 answered

Hello,

The issue is still there. We have a case opened on 11/02/2011 4:07 pm, Case 28229106, with Microsoft Premier Support, but I did not get any call from them yesterday!!! It is a Severity B with a 2-hour SLA but still no call from them. I called myself 4 times yesterday and they said it has been escalated to the Manager... not sure what's going on with MS Premier Support!!!

The issue still exists and the 4104 is flooding the event logs....
Our tests are:

1. When the CMPivot SMSDefaultBrowser is launched on 1 machine ONLINE, it completes in seconds...

2. When the CMPivot SMSDefaultBrowser is launched on 1 machine OFFLINE, it never completes; I waited hours and the job/task is still in progress, 0 of 1...?

3. I checked the event logs on both machines: Applications and Services Logs > Microsoft > Windows > PowerShell > Operational

4. Machine online:

Creating Scriptblock text (1 of 25):
param([string] $kustoquery, [string] $wmiquery, [string] $select)

# Read the queries and selects
$kustoquery = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($kustoquery.Substring(2))).Split([Environment]::NewLine, [StringSplitOptions]::RemoveEmptyEntries)
$wmiqueries = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($wmiquery.Substring(2))).Split([Environment]::NewLine, [StringSplitOptions]::RemoveEmptyEntries)
$selects = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($select.Substring(2))).Split([Environment]::NewLine, [StringSplitOptions]::RemoveEmptyEntries)

# create the result xml writer
$sb = New-Object System.Text.StringBuilder
$sw = New-Object System.IO.StringWriter($sb)
$writer = New-Object System.Xml.XmlTextWriter($sw)
$writer.WriteStartDocument()
$writer.WriteStartElement("result")
$writer.WriteAttributeString("ResultCode", 0x00000000 )

# A helper function to create a datatable of properties
function CreateTableFromPropertyList
{
    param ([string[]]$properties, [String[]]$propertyTypes)

    $dt = New-Object system.Data.DataTable

    # Add Device column first
    $col_device = New-Object system.Data.DataColumn 'Device',([Microsoft.ConfigurationManagement.AdminConsole.CMPivotParser.Device])
    $dt.Columns.Add($col_device)

    # Add the rest properties to columns
    for( $index = 0; $index -lt $properties.Length; $index++ )
    {
        # Get the column datatype
        switch($propertyTypes[$index])
        {
            "Boolean"
            {
                $colType = [System.Boolean]
                break
            }
            "Number"
            {
                $colType = [System.Int64]
                break
            }
            "String"
            {
                $colType = [System.String]
                break
            }
            "TimeSpan"
            {
                $colType = [System.TimeSpan]
                break
            }
            "DateTime"
            {
                $colType = [System.DateTime]
                break
            }
            default
            {
                throw
            }
        }
        $column = New-Object system.Data.DataColumn $properties[$index], ($colType)
        $dt.Columns.Add($column)
    }

    return ,$dt
}

Try
{
    # Lookup the CCM directory
    $key = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
    $subKey = $key.OpenSubKey("SOFTWARE\Microsoft\SMS\Client\Configuration\Client Properties")
    $ccmdir = $subKey.GetValue("Local SMS Path")
    $key.Close()
    $binName = 'AdminUI.CMPivotParser.dll'
    $binPath = (join-path $ccmdir $binName)

    # Try to load AdminUI.CMPivotParser.dll from ccm binary folder
    try
    {
        [System.Reflection.Assembly]::LoadFile($binPath) | Out-Null
    }
    # If there is any exception, fall back to load dll from memory
    catch
    {
        # Write the file to the system temp dir
        $binPath = (Join-Path $ccmdir 'SystemTemp')

        If(!(Test-Path $binPath))
        {
            Throw 'Missing SystemTemp directory'
        }

        $binPath = (join-path $binPath $binName)

        if(!(Test-Path $binPath))
        {
            $bin64String = '

ScriptBlock ID: aa95a632-9d8e-4884-a2f6-0b93fee7bd93
Path: C:\Windows\CCM\ScriptStore\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c1b6b8aece88cf30fff1fd35bee1461e34f4799eff1406890e079bb2c7bfb9e5.ps1

5. Machine offline:

I checked on the Primary Server: there is a group of 70 event log entries (4104) logged every hour in the event logs!!! Not sure how to decrypt it.
It seems there is no message on the Primary Server linked to the launch on the two machines... but still the 70 events every hour...
      Log Name: Microsoft-Windows-PowerShell/Operational

      Source: Microsoft-Windows-PowerShell
      Date: 11/4/2021 7:05:42 AM
      Event ID: 4104
      Task Category: Execute a Remote Command
      Level: Warning
      Keywords: None
      User: SYSTEM
      Computer: VRPSCCMPR01.ad.medctr.ucla.edu
      Description:
      Creating Scriptblock text (1 of 1):

      #requires -version 3.0

      try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { }

      $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module

      $script:ClassName = 'root/StandardCimv2/MSFT_NetCompartment'
      $script:ClassVersion = '1.0.0'
      $script:ModuleVersion = '1.0'
      $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter]

      $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new()

      Microsoft.PowerShell.Core\Export-ModuleMember -Function @()


      function __cmdletization_BindCommonParameters
      {
      param(
      $__cmdletization_objectModelWrapper,
      $myPSBoundParameters
      )


      if ($myPSBoundParameters.ContainsKey('CimSession')) {
      $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession']
      }


      if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) {
      $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit']
      }


      if ($myPSBoundParameters.ContainsKey('AsJob')) {
      $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob']
      }


      }


      function Get-NetCompartment
      {
      [CmdletBinding(DefaultParameterSetName='Query (cdxml)', PositionalBinding=$false)]

      [OutputType([Microsoft.Management.Infrastructure.CimInstance])]
      [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/StandardCimv2/MSFT_NetCompartment')]

      param(

      [Parameter(ParameterSetName='Query (cdxml)')]
      [ValidateNotNull()]
      [uint32[]]
      ${CompartmentId},

      [Parameter(ParameterSetName='Query (cdxml)')]
      [Alias('Session')]
      [ValidateNotNullOrEmpty()]
      [CimSession[]]
      ${CimSession},

      [Parameter(ParameterSetName='Query (cdxml)')]
      [int]
      ${ThrottleLimit},

      [Parameter(ParameterSetName='Query (cdxml)')]
      [switch]
      ${AsJob})

      DynamicParam {
      try
      {
      if (-not $__cmdletization_exceptionHasBeenThrown)
      {
      $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new()
      $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData)

      if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters])
      {
      ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters()
      }
      }
      }
      catch
      {
      $__cmdletization_exceptionHasBeenThrown = $true
      throw
      }
      }

      Begin {
      $__cmdletization_exceptionHasBeenThrown = $false
      try
      {
      __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters
      $__cmdletization_objectModelWrapper.BeginProcessing()
      }
      catch
      {
      $__cmdletization_exceptionHasBeenThrown = $true
      throw
      }
      }


      Process {
      try
      {
      if (-not $__cmdletization_exceptionHasBeenThrown)
      {
      $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder()
      if ($PSBoundParameters.ContainsKey('CompartmentId') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) {
      $__cmdletization_values = @(${CompartmentId})
      $__cmdletization_queryBuilder.FilterByProperty('CompartmentId', $__cmdletization_values, $false, 'Default')
      }


      $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder)
      }
      }
      catch
      {
      $__cmdletization_exceptionHasBeenThrown = $true
      throw
      }
      }


      End {
      try
      {
      if (-not $__cmdletization_exceptionHasBeenThrown)
      {
      $__cmdletization_objectModelWrapper.EndProcessing()
      }
      }
      catch
      {
      throw
      }
      }

      # .EXTERNALHELP MSFT_NetCompartment.cdxml-Help.xml
      }
      Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetCompartment' -Alias ''



      ScriptBlock ID: b1133d52-5435-410c-8606-989d808d0328
      Path:
      Event Xml:
      <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Microsoft-Windows-PowerShell" Guid="{A0C1853B-5C40-4B15-8766-3CF1C58F985A}" />
      <EventID>4104</EventID>
      <Version>1</Version>
      <Level>3</Level>
      <Task>2</Task>
      <Opcode>15</Opcode>
      <Keywords>0x0</Keywords>
      <TimeCreated SystemTime="2021-11-04T14:05:42.686699000Z" />
      <EventRecordID>402731</EventRecordID>
      <Correlation ActivityID="{90B82363-CB93-0000-61E2-989193CBD701}" />
      <Execution ProcessID="8260" ThreadID="23672" />
      <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
      <Computer>VRPSCCMPR01.ad.medctr.ucla.edu</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData>
      <Data Name="MessageNumber">1</Data>
      <Data Name="MessageTotal">1</Data>
      <Data Name="ScriptBlockText">
      #requires -version 3.0

      try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { }

      $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module

      $script:ClassName = 'root/StandardCimv2/MSFT_NetCompartment'
      $script:ClassVersion = '1.0.0'
      $script:ModuleVersion = '1.0'
      $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter]

      $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new()

      Microsoft.PowerShell.Core\Export-ModuleMember -Function @()


      function __cmdletization_BindCommonParameters
      {
      param(
      $__cmdletization_objectModelWrapper,
      $myPSBoundParameters
      )


      if ($myPSBoundParameters.ContainsKey('CimSession')) {
      $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession']
      }


      if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) {
      $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit']
      }


      if ($myPSBoundParameters.ContainsKey('AsJob')) {
      $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob']
      }


      }


      function Get-NetCompartment
      {
      [CmdletBinding(DefaultParameterSetName='Query (cdxml)', PositionalBinding=$false)]

      [OutputType([Microsoft.Management.Infrastructure.CimInstance])]
      [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/StandardCimv2/MSFT_NetCompartment')]

      param(

      [Parameter(ParameterSetName='Query (cdxml)')]
      [ValidateNotNull()]
      [uint32[]]
      ${CompartmentId},

      [Parameter(ParameterSetName='Query (cdxml)')]
      [Alias('Session')]
      [ValidateNotNullOrEmpty()]
      [CimSession[]]
      ${CimSession},

      [Parameter(ParameterSetName='Query (cdxml)')]
      [int]
      ${ThrottleLimit},

      [Parameter(ParameterSetName='Query (cdxml)')]
      [switch]
      ${AsJob})

      DynamicParam {
      try
      {
      if (-not $__cmdletization_exceptionHasBeenThrown)
      {
      $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new()
      $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData)

      if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters])
      {
      ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters()
      }
      }
      }
      catch
      {
      $__cmdletization_exceptionHasBeenThrown = $true
      throw
      }
      }

      Begin {
      $__cmdletization_exceptionHasBeenThrown = $false
      try
      {
      __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters
      $__cmdletization_objectModelWrapper.BeginProcessing()
      }
      catch
      {
      $__cmdletization_exceptionHasBeenThrown = $true
      throw
      }
      }


      Process {
      try
      {
      if (-not $__cmdletization_exceptionHasBeenThrown)
      {
      $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder()
      if ($PSBoundParameters.ContainsKey('CompartmentId') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) {
      $__cmdletization_values = @(${CompartmentId})
      $__cmdletization_queryBuilder.FilterByProperty('CompartmentId', $__cmdletization_values, $false, 'Default')
      }


      $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder)
      }
      }
      catch
      {
      $__cmdletization_exceptionHasBeenThrown = $true
      throw
      }
      }


      End {
      try
      {
      if (-not $__cmdletization_exceptionHasBeenThrown)
      {
      $__cmdletization_objectModelWrapper.EndProcessing()
      }
      }
      catch
      {
      throw
      }
      }

      # .EXTERNALHELP MSFT_NetCompartment.cdxml-Help.xml
      }
      Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetCompartment' -Alias ''

      </Data>
      <Data Name="ScriptBlockId">b1133d52-5435-410c-8606-989d808d0328</Data>
      <Data Name="Path">
      </Data>
      </EventData>
      </Event>



Any comments?

Thanks,
Dom






AllenLiu-MSFT commented: Have you received a call from MS Premier Support now?
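The online machine logs the CMPivot script as "Creating Scriptblock text (1 of 25)", so reading what the cached script does means stitching the 25 parts back together in MessageNumber order under their common ScriptBlockId. The function below is an added example, not code from the thread, from Microsoft or from Configuration Manager: it reassembles multi-part 4104 events into whole scripts, reports which blocks are incomplete (a part was missed or the window was cut short), and is fed either from live events or from the constructed sample at the bottom. The sample ScriptBlockIds, paths and text are made up for illustration.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Reassembles multi-part 4104 script block events into complete script text.
# Each part must expose ScriptBlockId, MessageNumber, MessageTotal, Path and
# ScriptBlockText (the 4104 EventData field names).

function Join-ScriptBlockEvents {
    param([Parameter(ValueFromPipeline)] [object[]]$Part)
    begin { $byId = @{} }
    process {
        foreach ($p in $Part) {
            $id = [string]$p.ScriptBlockId
            if (-not $byId.ContainsKey($id)) {
                $byId[$id] = @{ Parts = @{}; Total = [int]$p.MessageTotal; Path = [string]$p.Path }
            }
            # Parts are split at arbitrary character boundaries, so they are
            # stored by number and later joined with no separator.
            $byId[$id].Parts[[int]$p.MessageNumber] = [string]$p.ScriptBlockText
        }
    }
    end {
        foreach ($id in $byId.Keys) {
            $entry = $byId[$id]
            $have  = @($entry.Parts.Keys | Sort-Object)
            [pscustomobject]@{
                ScriptBlockId = $id
                Path          = $entry.Path
                Complete      = ($have.Count -eq $entry.Total)
                MissingParts  = @(1..($entry.Total) | Where-Object { $_ -notin $have })
                Text          = -join ($have | ForEach-Object { $entry.Parts[$_] })
            }
        }
    }
}

# Turns live 4104 events into the shape Join-ScriptBlockEvents expects.
function Get-ScriptBlockParts {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]$d
    }
}

# Constructed sample (not real events): a three-part block missing part 2,
# and a single-part in-memory block with no Path.
$sample = @(
    [pscustomobject]@{ ScriptBlockId = 'aaaaaaaa-0000-0000-0000-000000000001'; MessageNumber = 1; MessageTotal = 3
                       Path = 'C:\Windows\CCM\ScriptStore\example.ps1'; ScriptBlockText = "param([string] `$q)`n`$x = " }
    [pscustomobject]@{ ScriptBlockId = 'aaaaaaaa-0000-0000-0000-000000000001'; MessageNumber = 3; MessageTotal = 3
                       Path = 'C:\Windows\CCM\ScriptStore\example.ps1'; ScriptBlockText = "`nWrite-Output `$x`n" }
    [pscustomobject]@{ ScriptBlockId = 'bbbbbbbb-0000-0000-0000-000000000002'; MessageNumber = 1; MessageTotal = 1
                       Path = ''; ScriptBlockText = "#requires -version 3.0`nGet-Date`n" }
)

$sample | Join-ScriptBlockEvents | Format-Table ScriptBlockId, Complete, MissingParts, Path -AutoSize

# Live use: dump every complete block from the last hour to a review folder.
# Get-ScriptBlockParts | Join-ScriptBlockEvents | Where-Object Complete |
#     ForEach-Object { $_.Text | Set-Content -Path "C:\Temp\blocks\$($_.ScriptBlockId).ps1" }
```

On the sample, the first block reports Complete = False with MissingParts = 2 and the second Complete = True; on a live client the ScriptStore block shows up as one ScriptBlockId with MessageTotal = 25, and its reassembled Text is the full script whose first part is quoted above.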
DucheminDominique-7551 answered

Hello,

How could we verify the task is no longer running?

Thanks,
Dom
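The thread leaves this question unanswered. The following added example (not code from the thread, from Microsoft or from Configuration Manager) runs the client-side checks a practitioner would use: whether any script block from the ScriptStore file with this GUID has been loaded since a chosen time, whether any block has a start event (4105) without a matching completion (4106), which is only available when script block invocation logging is turned on, what is cached in the ScriptStore folder, and what scripts.log says. The GUID is the CMPivot script id quoted in this thread; the assumption that the 64-hex suffix of the cached file name is the SHA-256 of its content is labelled as such and the check simply reports whether it holds.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Client-side checks to verify a CMPivot / Run Scripts task is no longer executing.
# Assumptions: run elevated on the client; script block logging is enabled;
# $ScriptGuid is the script id seen in the thread; $Since is when the task
# was cancelled or last expected to finish.
param(
    [string]  $ScriptGuid = '7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14',
    [datetime]$Since      = (Get-Date).AddHours(-1)
)
$store = Join-Path $env:windir 'CCM\ScriptStore'
$log   = Join-Path $env:windir 'CCM\Logs\scripts.log'
$chan  = 'Microsoft-Windows-PowerShell/Operational'

function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# 1. Any script block loaded from this ScriptStore file since $Since?
$recent = Get-WinEvent -FilterHashtable @{ LogName = $chan; Id = 4104; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventData $_)['Path'] -like "$store\$ScriptGuid*" }
"4104 events from $ScriptGuid since ${Since}: $(@($recent).Count)"

# 2. With invocation logging on, 4105 = started and 4106 = completed, both
#    keyed by ScriptBlockId. A start with no completion is still running
#    (or the host died without logging the end).
$started = @{}; $completed = @{}
Get-WinEvent -FilterHashtable @{ LogName = $chan; Id = 4105, 4106; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $id = (Get-EventData $_)['ScriptBlockId']
        if ($_.Id -eq 4105) { $started[$id] = $_.TimeCreated } else { $completed[$id] = $_.TimeCreated }
    }
$open = @($started.Keys | Where-Object { -not $completed.ContainsKey($_) })
"Script blocks started without a matching 4106: $($open.Count)"
$open | ForEach-Object { "  $_ started $($started[$_])" }

# 3. What is cached for this GUID. Assumption (to be confirmed by the result):
#    the suffix after '_' in the file name is the SHA-256 of the file content.
Get-ChildItem -Path $store -Filter "$ScriptGuid*" -ErrorAction SilentlyContinue | ForEach-Object {
    $suffix = ($_.BaseName -split '_')[-1]
    $hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{ File = $_.Name; LastWrite = $_.LastWriteTime; Sha256MatchesName = ($hash -ieq $suffix) }
} | Format-Table -AutoSize

# 4. Last scripts.log lines that mention the GUID (the thread reports none).
if (Test-Path $log) {
    Select-String -Path $log -Pattern $ScriptGuid -SimpleMatch | Select-Object -Last 5 | ForEach-Object Line
}
```

A zero count in step 1 and no open blocks in step 2 after the cancellation time is the evidence that the task is no longer executing on that client; on the site side the same task is tracked in the console under Monitoring > Script Status, which is where the "0 of 1" progress seen on the offline machine is displayed.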
