Issue in Probes running with Powershell

bhanupratap2203 · ‎05-23-2019

We had setup of discovery last year on jakarta version. It was working fine earlier. Now, when we moved on Madrid, The Windows server discovery is giving errors/warning related to powershell probes. For example, windows - installed software probes never completes and takes huge CPU consumption and return with no results. Below are some Warnings:

1. PowershellProcessRunner was interrupted to complete in 900 seconds

2. New-Item : The network path was not foundAt C:\sw\MID Server\MID-Server Dev Instance\agent\scripts\PowerShell\WinRMAPI\ExecuteRemote\ExecuteRemote.psm1:26 char:7+ New-Item -ItemType directory -Path $targetHomeDir -Force > $nul ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : WriteError: (\\<TARGET_IP>\admin$\temp\unregistered:String) [New-Item], IOException+ FullyQualifiedErrorId : CreateIntermediateDirectoriesIOError,Microsoft.PowerShell.Commands.NewItemCommandFailed to create directory \\<TARGET_IP>\admin$\temp\unregisteredHRESULT: [-2146233087]

Below things have been checked already:
1. MID Server is on latest MID Server version "madrid-12-18-2018__patch1-hotfix2-03-14-2019_03-20-2019_1304"

2. Reinstalled MID Server, still no go.

3. Checked for Port 5985 between MID Server and Host machine

4. Discovery running with Windows Credentials with admin access.

Note: There is no customization done on any of the Probes/sensors

Please assist what else can be checked.

bhanupratap2203 · ‎05-24-2019

On deeply investigating the WMI Powershell probe, Found that Test and Prod are having a parameter ‘Should filter hotfix” as true, where as it is set as false while executing the probe. On checking the script on this parameter which sets its value, found that there is difference in data in the table ‘discovery_spkg_filter’. Fixed the data difference which is highlighted below and the Probe worked fine. Now all Powershell probes are working and CPU utilization is fine for Dev instance.

View solution in original post

DaveHertel · ‎05-23-2019

Well KB0744972 isn't very helpful... basically says upgrade / apply patches... but when you are already at latest version this isn't of much use.

I've seen a similar issue but haven't had time to troubleshoot. What I think I'd try (but again, haven't yet) is to login into the MID and attempt to run the exact powershell command that Disco is launching, against the exact target IP, etc. this will take some work because you've got to dig under the covers and figure out precisely how the command + parameters are being launched. BUT the payoff will be to see what's happening at the powershell level so you can they debug.

Looking closely at the sample error, there are a couple of subtle things that are troublesome. The powershell is trying to create a directory on the admin$ share on the target but can't for some reason. The 'unregistered' reference might also be a smoking gun... ? but not sure what this refers to (but likely something in the registry...)

I don't know if this helps .... but if you happen to debug and get more info, please share here (as I said, I'm seeing same issue...!)

bhanupratap2203 · ‎05-24-2019

On deeply investigating the WMI Powershell probe, Found that Test and Prod are having a parameter ‘Should filter hotfix” as true, where as it is set as false while executing the probe. On checking the script on this parameter which sets its value, found that there is difference in data in the table ‘discovery_spkg_filter’. Fixed the data difference which is highlighted below and the Probe worked fine. Now all Powershell probes are working and CPU utilization is fine for Dev instance.