Mi Ke Posted January 10, 2019

Hi,

We use Passwordstate v8.5 (Build 8556) and after running a Windows Dependency Accounts Discovery job we get a lot of error messages like:

An account called 'S-1-5-18' was found for the Dependency Type of 'Scheduled Task' and Dependency Name called 'Microsoft\Windows\RemovalTools\MRT_ERROR_HB', but it could not be determined if the account was a Domain or Local account. Please refer to KB Article in User Manual called 'Unknown Windows Dependency Accounts Discovered'.

Discovered OS: Windows Server 2016
SID "S-1-5-18": Local Windows Account "System"
Task "MRT_ERROR_HB": Seems to be a part of Windows Malicious Software Removal Tool and will be automatically created by the tool.

Changing the scheduled task account from "SYSTEM" to "NT AUTHORITY\SYSTEM" or "<Hostname>\SYSTEM" as described in the KB Article makes no difference. I think it's because there is no additional popup which asks for a password and it's a local system account.

In our case we have a lot of error messages daily after the discovery job and it's annoying to find the relevant ones.

Do you have a solution for this? Is it possible to add this account to a "blacklist"?

Thanks for your support.

Regards,
Mike
support Posted January 10, 2019

Hi Mike,

Thanks for the information, and we'll do some testing to see if we can replicate this, and then ignore the account in our Discovery PowerShell script.

I will let you know what we find, and provide you with an updated script you can use prior to it being available in the next release.

Regards
Click Studios
Mi Ke Posted February 6, 2019

Hi,

Do you know when we get a solution for this?

Thanks and regards,
Mike
support Posted February 7, 2019

Hi Mi Ke,

We are very sorry, we did actually forget to follow this up. I've taken a look at this today and here's some information to consider:

In our discovery job, we are excluding the discovery of "System" as per screenshot below, but we cannot understand why on your systems this isn't working:

We found out that the Profile of the System Account has the unique profile registry key as S-1-5-18

So we've now added this to our exclusions in the Account Dependency Script, tested this and it seems to be working:

For this to work for you, can you please do the following on your Passwordstate web server?

1. On your Passwordstate web server, download this file: Get-Dependencies.ps1
2. Place it in C:\inetpub\Passwordstate\setup\scripts, and overwrite the existing file
3. In Passwordstate, go to Administration -> Powershell Scripts -> Account Discovery Scripts and restore the default Windows Account Dependency script from the Actions Menu:

Now try your Discovery Dependency again, does this fix the issue? If it does, we'll include this new script in the next build of Passwordstate we release.

Regards,
Support
Mi Ke Posted February 7, 2019

Hi,

It doesn't work and I think in this case it's because the script gets the user "S-1-5-18" from the task xml-file. So the filter on the output of "schtasks.exe" makes no difference.

Let me explain: I have made the following script based on your original script:

    # Query all tasks as verbose CSV and print the parsed record for the MRT task
    $schtask = schtasks.exe /query /V /FO CSV | ConvertFrom-Csv
    if ($schtask) {
        foreach ($sch in $schtask) {
            if ($sch.TaskName -eq '\Microsoft\Windows\RemovalTools\MRT_ERROR_HB') {
                Write-Output $sch
            }
        }
    }

In the output of the script the key "Run As User" sometimes has a value "Disabled", "n/a" or something else instead of a username or SID. I think the problem is the special character "," in the task Argument:

    /EHB /HeartbeatFailure "ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f0d" /HeartbeatError "0x80072f0d"

The command "ConvertFrom-Csv" splits the string in the wrong place.

Script Output

    HostName                             : ****
    TaskName                             : \Microsoft\Windows\RemovalTools\MRT_ERROR_HB
    Next Run Time                        : 07.02.2019 19:13:36
    Status                               : Ready
    Logon Mode                           : Interactive/Background
    Last Run Time                        : 30.11.1999 00:00:00
    Last Result                          : 267011
    Author                               : Microsoft
    Task To Run                          : C:\Windows\system32\MRT.exe /EHB /HeartbeatFailure ErrorStack
    Start In                             : Previous=ErrorStack
    Comment                              : Previous=SubmitHeartbeatReportData
    Scheduled Task State                 : Hr=0x80072f0d
    Idle Time                            : Hr=0x80072f0d" /HeartbeatError "0x80072f0d""
    Power Management                     : C:\Windows\system32
    Run As User                          : N/A
    Delete Task If Not Rescheduled       : Enabled
    Stop Task If Runs X Hours and X Mins : Disabled
    Schedule                             :
    Schedule Type                        : SYSTEM
    Start Time                           : Disabled
    Start Date                           : 00:30:00
    End Date                             : Scheduling data is not available in this format.
    Days                                 : One Time Only, Hourly
    Months                               : N/A
    Repeat: Every                        : N/A
    Repeat: Until: Time                  : N/A
    Repeat: Until: Duration              : N/A
    Repeat: Stop If Still Running        : N/A

Task "MRT_ERROR_HB.xml"

    <?xml version="1.0" encoding="UTF-16"?>
    <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <RegistrationInfo>
        <Author>Microsoft</Author>
        <URI>\Microsoft\Windows\RemovalTools\MRT_ERROR_HB</URI>
      </RegistrationInfo>
      <Triggers>
        <TimeTrigger id="MRT_ERROR_HB">
          <Repetition>
            <Interval>PT5H</Interval>
            <StopAtDurationEnd>false</StopAtDurationEnd>
          </Repetition>
          <StartBoundary>2019-02-07T13:13:31Z</StartBoundary>
          <EndBoundary>2019-04-08T13:13:31Z</EndBoundary>
          <Enabled>true</Enabled>
        </TimeTrigger>
      </Triggers>
      <Principals>
        <Principal id="LocalSystem">
          <UserId>S-1-5-18</UserId>
          <RunLevel>HighestAvailable</RunLevel>
        </Principal>
      </Principals>
      <Settings>
        <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
        <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
        <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
        <AllowHardTerminate>true</AllowHardTerminate>
        <StartWhenAvailable>false</StartWhenAvailable>
        <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
        <IdleSettings>
          <Duration>PT10M</Duration>
          <WaitTimeout>PT1H</WaitTimeout>
          <StopOnIdleEnd>true</StopOnIdleEnd>
          <RestartOnIdle>false</RestartOnIdle>
        </IdleSettings>
        <AllowStartOnDemand>true</AllowStartOnDemand>
        <Enabled>true</Enabled>
        <Hidden>false</Hidden>
        <RunOnlyIfIdle>false</RunOnlyIfIdle>
        <WakeToRun>false</WakeToRun>
        <ExecutionTimeLimit>PT30M</ExecutionTimeLimit>
        <Priority>7</Priority>
      </Settings>
      <Actions Context="LocalSystem">
        <Exec>
          <Command>C:\Windows\system32\MRT.exe</Command>
          <Arguments>/EHB /HeartbeatFailure "ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f0d" /HeartbeatError "0x80072f0d"</Arguments>
          <WorkingDirectory>C:\Windows\system32</WorkingDirectory>
        </Exec>
      </Actions>
    </Task>

Because the value of the key "Run As User" is not a known keyword to ignore, your original script then looks into the "MRT_ERROR_HB.xml" file and reads the key "<UserId>S-1-5-18</UserId>".

I hope that makes sense.

Regards,
Mike
support Posted February 7, 2019

Hi Mike,

We're not sure why your scheduled tasks are reporting n/a like this - we've never seen this before. Can you try the attached script again - we've added this in as an exclusion as well.

Get-Dependencies.ps1

Regards
Click Studios
Mi Ke Posted February 8, 2019

Hi,

Unfortunately, adjusting the uppercase and lowercase characters in the SID in the new script makes no difference.

As I have tried to describe, I think the problem is the commas "," in the column "Task To Run" of the command output (or "arguments" in the task xml). The following command "ConvertFrom-Csv" splits this string on every single comma, regardless of whether the comma is part of a value or not.

Have a look at the original output of the command:

    schtasks.exe /query /V /FO CSV /TN "\Microsoft\Windows\RemovalTools\MRT_ERROR_HB"

    "HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment","Scheduled Task State","Idle Time","Power Management","Run As User","Delete Task If Not Rescheduled","Stop Task If Runs X Hours and X Mins","Schedule","Schedule Type","Start Time","Start Date","End Date","Days","Months","Repeat: Every","Repeat: Until: Time","Repeat: Until: Duration","Repeat: Stop If Still Running"
    "myhostname","\Microsoft\Windows\RemovalTools\MRT_ERROR_HB","08.02.2019 10:13:46","Ready","Interactive/Background","30.11.1999 00:00:00","267011","Microsoft","C:\Windows\system32\MRT.exe /EHB /HeartbeatFailure "ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f0d,Hr=0x80072f0d,Hr=0x80072f0d,Hr=0x80072f0d,Hr=0x80072f0d" /Hea","C:\Windows\system32","N/A","Enabled","Disabled","","SYSTEM","Disabled","00:30:00","Scheduling data is not available in this format.","One Time Only, Hourly ","N/A","N/A","N/A","N/A","N/A","5 Hour(s), 0 Minute(s)","None","Disabled","Disabled"

The command "ConvertFrom-Csv" splits the value of "Task To Run" into multiple parts. This is wrong and all the following values shift by x columns.

I hope that explains more exactly what I tried to explain yesterday.

Regards,
Mike

Compare the output of the script and how it should be.pdf
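
Added example, not part of any post and not Click Studios' Get-Dependencies.ps1: because the CSV columns shift when "Task To Run" contains quotes and commas, this reads the run-as principal from the task XML instead and recognises well-known service SIDs such as S-1-5-18 by SID type. The function name Get-TaskPrincipalKind and the Kind labels are assumptions, the sample XML is a trimmed copy of the task quoted in the thread, and Windows PowerShell 3 or later is assumed.

```powershell
# Added example. Sample XML is constructed: a trimmed copy of the task quoted in the thread.
$taskXml = @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>C:\Windows\system32\MRT.exe</Command>
      <Arguments>/EHB /HeartbeatFailure "ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f0d" /HeartbeatError "0x80072f0d"</Arguments>
    </Exec>
  </Actions>
</Task>
'@

# Hypothetical helper: the name and the Kind labels are assumptions, not Passwordstate's.
function Get-TaskPrincipalKind {
    param([Parameter(Mandatory = $true)][string]$TaskXml)

    $doc = [xml]$TaskXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
    $wellKnown = 'LocalSystemSid', 'LocalServiceSid', 'NetworkServiceSid'

    foreach ($p in $doc.SelectNodes('/t:Task/t:Principals/t:Principal', $ns)) {
        $node = $p.SelectSingleNode('t:UserId', $ns)
        $userId = if ($null -ne $node) { $node.InnerText.Trim() } else { '' }
        $kind = 'Account'          # default: a real account that needs tracking
        if (-not $userId) {
            $kind = 'NoUserId'     # e.g. a principal defined by GroupId only
        }
        elseif ($userId -match '^S-1-') {
            # Compare by SID type, so casing or display name does not matter.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($userId.ToUpperInvariant())
            $hit = $wellKnown | Where-Object {
                $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]$_)
            }
            if ($hit) { $kind = 'BuiltInServiceAccount' }
        }
        elseif ($userId -match '^(NT AUTHORITY\\)?(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$') {
            $kind = 'BuiltInServiceAccount'
        }
        [pscustomobject]@{ PrincipalId = $p.GetAttribute('id'); UserId = $userId; Kind = $kind }
    }
}

Get-TaskPrincipalKind -TaskXml $taskXml
```

On a live host the XML for one task can be obtained with `schtasks.exe /query /XML /TN <task name>` or with `Export-ScheduledTask`.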
support Posted February 8, 2019

Hi Mike,

Sorry it's not fixed. It is quite difficult for us to test this sort of fix, when we cannot reproduce the issue ourselves. This returns 'System' for us every time, and we're not sure how to replicate what you are seeing - would you have any ideas what we need to do to this scheduled task to replicate it?

Thanks
Click Studios
Mi Ke Posted February 8, 2019

Hi,

Thanks for your support. We will find a solution. :-)

The reason seems to be the parameter of the task "MRT_ERROR_HB". I can reproduce the error on a Windows Server 2016 build 1607 by creating a new Basic Task. I hope this works for you as well.

Regards,
Mike

Create a basic task

Use any program and add the parameter from the task "MRT_ERROR_HB":

    /EHB /HeartbeatFailure "ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f0d" /HeartbeatError "0x80072f0d"

Add the System account

Now in Passwordstate you can run the discovery script. My output was:
support Posted February 11, 2019

Thanks Mi Ke,

We will try to reproduce this this week, and will report back here if we can. Appreciate the information you provided.

Regards,
Support
support Posted February 25, 2019

Sorry we took so long to get back to this.

We have just tested this on 3 servers, 2 X Server 2016 version 1607, and the last server is Server 2019. In all cases it returns as blank username, which is expected behaviour....

Just confirming, when you search for "System" it finds the username as "NT AUTHORITY\SYSTEM", but when you save the task it then shows up as "System" like my screenshot below?

And the only thing we didn't understand about your instructions was where you said Use any program and add the parameter from the task "MRT_ERROR_HB":

We did add this line of code below as an additional argument, is this what we were supposed to do?

    /EHB /HeartbeatFailure "ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f0d" /HeartbeatError "0x80072f0d"

Not sure why we can't reproduce it at this stage :(

Regards,
Support
Mi Ke Posted March 13, 2019

Hi,

I'm sorry for my delayed answer. I was not in the office for a few weeks.

To your questions:

Quote: Just confirming, when you search for "System" it finds the username as "NT AUTHORITY\SYSTEM", but when you save the task it then shows up as "System" like my screenshot below?

Yes, when I save the task it shows up "System" like in your screenshot.

Quote: And the only thing we didn't understand about your instructions was where you said Use any program and add the parameter from the task "MRT_ERROR_HB"

In my opinion only the parameter was necessary to reproduce the error. The used program "notepad.exe" was only a placeholder for the task. But today I tried my own instructions on a different Windows 2016 host and I couldn't reproduce the behavior anymore.

Possible new solution to reproduce the problem on your system:

I have found another task on a different Windows Server 2016 (Version 1607) with the same behavior. After I exported this task as XML and imported it on a different Windows Server 2016, Passwordstate reports the task on the new host with the same message "An account called 'S-1-5-18' was found for the Dependency Type...".

Can you please import the XML "Wake on LAN.xml" on one of your Windows Server 2016 and see if the behavior occurs?

I hope this works.

Regards,
Mike

Wake On LAN.xml
support Posted March 14, 2019

Thanks very much Mike, and we've been able to replicate this now with the XML import, and have a fix for this in the next release - should be due next week.

Thanks again for all your help, and patience, whilst we worked through this issue - we really do appreciate it. We'll let you know as soon as the new build is available.

Regards
Click Studios
support Posted March 21, 2019

Hi Mike,

Today we have released Build 8650 of Passwordstate, which includes a fix for this issue. In the end it was an easy fix, just took us a while to replicate it.

Thanks for your patience with this one and thanks for pointing us in the right direction :)

Regards,
Support
Mi Ke Posted March 21, 2019

Hi,

You're welcome. :-)

I have installed the new version and the error for the task "Wake On LAN" is gone. I hope this will fix the messages for the original task "MRT_ERROR_HB" of the MS Windows Malicious Software Removal Tool, too. I will keep watching.

Thanks again and regards,
Mike