Getting Data In

Indexing output of "net localgroup"

rtadams89
Contributor

I have created a script (deployed via a Splunk app to forwarders) that uses the "net localgroup" command to output the list of local user groups on each forwarder.

This script runs and provides the expected output on ~10 hosts (all running Server 2008). On the other 100 Server 2008 hosts, the script dies and outputs an error "System error 1312 has occurred."

I have a feeling this may be due to running the "net localgroup" command under the SYSTEM user context, but if this was the case, why does it work on 10 hosts?


rtadams89
Contributor

I was able to get the output I was looking for with a VBScript. My main concern however is why the bat script (and specifically the "net localgroup" command) worked in some instances and not others. The error I was getting was what I would expect when run under the SYSTEM context, but I don't know why it DID work on 10 hosts. This concerns me because it makes me think Splunk is not running under SYSTEM as it should be.


jonuwz
Influencer

I gather this type of information across lots of different Windows builds.
The only reliable way I've found is WMI. PowerShell might also work, but it's not on Windows 2000 out of the box. Hopefully this'll work for you too.

Put this in a localgroups.vbs file and call it with cscript //nologo localgroups.vbs

On Error Resume Next 
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") 
Set colItems = objWMIService.ExecQuery("Select * from Win32_Group  Where LocalAccount = True") 
For Each objItem in colItems  
Wscript.Echo objItem.Name 
Next 

Or just put all this in localgroups.bat and run it

@echo off
findstr "^:" "%~sf0">"%TEMP%\%~nx0.vbs" & cscript //nologo "%TEMP%\%~nx0.vbs" & del "%TEMP%\%~nx0.vbs"
:On Error Resume Next 
:Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") 
:Set colItems = objWMIService.ExecQuery("Select * from Win32_Group  Where LocalAccount = True") 
:For Each objItem in colItems  
:Wscript.Echo objItem.Name 
:Next 

The latter is just a batch trick to embed a vbs script inside it.
It'll extract to %TEMP% run it, then delete it.

Thinking about it, for something this simple, running this command probably does the same (untested):

wmic group where localaccount="true" get name

Testing

If you want to try this out on a server without packaging up your command,
you can get a SYSTEM command line like this on Windows 2008+:

Start a cmd.exe with 'run as administrator'.
Create an interactive service that runs as LocalSystem and start it:
(there are spaces after the = )

sc create testsvc binpath= "cmd /K start" type= own type= interact
sc start testsvc

Now you'll get a popup saying a program is trying to display a message, click 'view message' and you'll get a blank screen with a command prompt.

Do your stuff, and when you get back to the desktop, run
sc delete testsvc

To cover your tracks.

On Windows 2000 / 2003, just simply run (in a command prompt)

at 12:01 /interactive cmd.exe

where 12:01 is 1 minute in the future; 1 minute later you'll get a new cmd.exe running as SYSTEM.

Gotta love windows.

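As an added example (not from the thread, and not jonuwz's code), here is a PowerShell equivalent of the Win32_Group query above that also lists each group's members and emits one Splunk-friendly key=value line per group. It assumes PowerShell 3.0+ for Get-CimInstance, so it will not help on the Windows 2000 hosts the reply mentions, and it is meant to be run in the same context as the forwarder (SYSTEM) before deploying it.

```powershell
# Added example: enumerate local groups and their members through CIM/WMI
# (the same Win32_Group class the VBScript above queries) and print one
# key=value event per group for a Splunk scripted input to index.
# Assumes PowerShell 3.0+ (Get-CimInstance / Get-CimAssociatedInstance).

$hostName  = $env:COMPUTERNAME
$timestamp = Get-Date -Format o   # ISO 8601 round-trip timestamp

# LocalAccount = True limits the result to groups defined on this machine,
# which is what "net localgroup" would have listed.
$groups = Get-CimInstance -ClassName Win32_Group -Filter 'LocalAccount = True'

# Format string for the event; members is a comma-separated DOMAIN\Name list.
$fmt = '{0} host="{1}" group="{2}" sid="{3}" description="{4}" member_count={5} members="{6}"'

foreach ($group in $groups) {
    # Win32_GroupUser associates a group with its member accounts (users,
    # groups and built-in accounts). Resolving domain members can fail when
    # the domain is unreachable, so errors are suppressed and the group is
    # still reported, just with fewer members.
    $members = Get-CimAssociatedInstance -InputObject $group `
        -Association Win32_GroupUser -ErrorAction SilentlyContinue |
        ForEach-Object { '{0}\{1}' -f $_.Domain, $_.Name }

    # Normalise to an array so Count is 0 when there are no members
    # (@($null).Count would be 1, which is the edge case handled here).
    $memberArray = @($members | Where-Object { $_ })

    # Escape embedded double quotes so the key=value pairs stay parseable.
    $desc = ('' + $group.Description) -replace '"', '\"'

    Write-Output ($fmt -f $timestamp, $hostName, $group.Name, $group.SID,
        $desc, $memberArray.Count, ($memberArray -join ','))
}
```

Running it as SYSTEM (for instance from the test service described above) shows whether the WMI path works where "net localgroup" did not, and the output can be wired into a scripted input as-is.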

Ayn
Legend

I suspect different security settings between your systems. By default the SYSTEM account should not have access to network resources. On the 10 hosts that this is working on, I suspect null sessions are allowed or something like that. Google for system error 1312, there are all kinds of answers that provide useful reading.
