There can be various reasons to crawl all our managed machines for certain file types:

  • Search for abandoned Outlook PST archive files
  • Find (un)wanted media files spamming the hard disks (MP3, AVI, MPG,...)
  • Clean up after a ransomware attack looking for *.locky (hopefully not!)

In KACE SMA you can let the KACE agent do the work for you on the machines and upload the results to the inventory. If you want, you can then set up a report on the scan results to identify machines with that content.
Anyhow, the batch script below might also be used in other scenarios without KACE SMA.
Note that this method does NOT investigate the file content; we just look for known file extensions with the DIR command!

The solution consists of two required steps and an optional third:

1. a KACE SMA script running a batch command
2. a custom inventory rule (CIR) to read the script results into your inventory
3. (optional) set up a report that gives you an overview of all “affected” machines

1. The Script

First we define a KACE SMA script that runs a batch command on each machine. It runs the DIR command, but with one extra: it investigates every attached drive of the machine, not just C:\ or another static drive letter.

Now go to the Scripting section of your KACE SMA and create a new script. Be sure to:

  • Provide a nifty name for the script :)
  • Script type is “Online KScript”
  • DON’T FORGET TO TICK “ENABLE” AT YOUR SCRIPT AFTER TESTING! (don’t know how often I forgot that...)
  • Select a bunch of machines, labels or even all devices for deployment
  • Select at least one Windows OS as target “Operating Systems”
  • Run as “Local System”
  • Choose an appropriate schedule (I took every Friday at 13:30)
    WARNING: THE SCAN MIGHT TAKE A WHILE PRODUCING SOME I/O LOAD ON OLDER MACHINES OR ON LARGE (FILE) SERVERS, consider that!
  • Enable “Allow run without a logged-in user”
  • Consider whether to tick “Run on next connection if offline”. I would not recommend it in this case.

Inside the script you just need one single task with at least one step in the “On Success”-section:

  • Step type is “Run a batch file...”
  • “Script name” can be anything, something like “scanlocaldrives”
  • “Batch file” command is:

@echo off
for /f "delims=: tokens=1,*" %%a in ('fsutil fsinfo drives') do (for %%c in (%%b) do dir /s /a /b "%%~dc\*.pst")>C:\Windows\Temp\ScanLocalDrives.txt

Here you need to specify the file type/extension you want to look for!
In this example we’ll search old Outlook archive PST files.

  • Enable “Wait for completion”
  • Disable “Visible”
  • “Parameters:” none.

Some important notes:

  1. If you want to store the results under a different file path, change “C:\Windows\Temp\ScanLocalDrives.txt” in the command. Be sure to put the path in quotation marks if it includes spaces.

  2. If you want to scan for more than one file type, you can copy and paste the batch file command line starting with “for…” under the previous one(s).
    If you want to ADD the scan results to one file / field, all “for...” lines after the first need a DOUBLE ANGLE BRACKET (>>) before the file name, LIKE THIS:
    for /f "delims=: tokens=1,*" %%a in ('fsutil fsinfo drives') do (for %%c in (%%b) do dir /s /a /b "%%~dc\*.avi")>>C:\Windows\Temp\ScanLocalDrives.txt
    OTHERWISE THE PREVIOUS RESULTS WILL GET OVERWRITTEN!

  3. If you want to scan for more than one file type and want to SEPARATE the scan results into another file / field, use a different file name after the angle bracket (>) like this:
    for /f "delims=: tokens=1,*" %%a in ('fsutil fsinfo drives') do (for %%c in (%%b) do dir /s /a /b "%%~dc\*.locky")>C:\Windows\Temp\ScanLocky.txt
    OTHERWISE THE PREVIOUS RESULTS WILL GET OVERWRITTEN!
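
The three notes above combined into one batch file, as an added example that is not part of the original script: it reads the drive list once and writes one result file per extension. The extension list and the Scan_EXT.txt file names are assumptions; adjust them to your use case.

```batch
@echo off
rem Added example, not the original author's script.
rem Assumptions: the extension list and the Scan_EXT.txt output names.
setlocal
set "OUTDIR=C:\Windows\Temp"
set "EXTS=pst avi locky"

rem fsutil prints one line such as "Drives: C:\ D:\".
rem Splitting at the first colon leaves the drive list in the second token.
set "DRIVES="
for /f "delims=: tokens=1,*" %%a in ('fsutil fsinfo drives') do set "DRIVES=%%b"
if not defined DRIVES exit /b 1

rem Per extension: the first redirect empties the result file of the
rem previous run, the second one appends the hits of every drive to it.
rem Error output is discarded so drives without a match add nothing.
for %%e in (%EXTS%) do (
    type nul > "%OUTDIR%\Scan_%%e.txt"
    for %%c in (%DRIVES%) do (
        dir /s /a /b "%%~dc\*.%%e" >> "%OUTDIR%\Scan_%%e.txt" 2>nul
    )
)
endlocal
```

Each result file written this way needs its own custom inventory rule, as described in step 2.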


That’s all for the script. Now save everything and test run it on a couple of machines. You should see appropriate output in the output file(s) of the script on the local machine (“C:\Windows\Temp\ScanLocalDrives.txt” from the example above).


2. The Custom Inventory Rule (CIR)

To attach the generated info to the machine’s inventory you need to create a custom inventory rule that allows the KACE SMA to upload the content to its database.
Here is how:

Go to your “Inventory” and inside the “Software” section, hit the “Choose Action” button and then click “New”.

Now fill the “Name” field. You can enter anything meaningful you like, e.g. “Local Media Files”.
In “Supported Operating Systems” you have to select at least the Windows OS you chose for the KScript before!

Most important: fill the text box “Custom Inventory Rule:” with this one (adjust file path if necessary):

ShellCommandTextReturn(cmd /c type C:\Windows\Temp\ScanLocalDrives.txt)

None of the other fields need to be filled in for this custom inventory rule to work. Just save it now and you’re done.

You will have to repeat this whole step and create a separate CIR for every other output file you generated in the batch script(s) in step 1!

After setting up the custom inventory rule(s) you should see the scan output in a machine’s inventory under “Software” in the “Custom Inventory Fields” section.

NOTE THAT THE KSCRIPT MUST HAVE RUN SUCCESSFULLY FIRST ON THE MACHINE(S) AND THE MACHINE(S) NEED TO DO AN INVENTORY BEFORE YOU’LL SEE DATA HERE! (Of course, you can force inventory if you want to)

3. Optional: the Report

You can define a report that will (in my case) show you machines that have local PST files stored.

To create that report go to the “Reporting” section of your SMA, hit “Choose action:” and click on “New (Wizard)”.

Enter a useful name in the “Title” field and assign a fitting category.

I suggest disabling “Show Line Numbers” unless explicitly needed.

Leave “Device” selected as “Topic:” and click the “Next”-button.

In the “Fields to Display” dialogue I just selected a few fields besides the special information we want to see; in my case that’s “System Name” and “Last Inventory” of the “Device Identity Information” group.

Now scroll down to the “Custom Fields”-group and expand it. Select your custom inventory field you created in step 2 and continue by clicking the “Next”-button again.

Give the columns the order you desire. I started with “System Name” (that’s nice because KACE SMA will provide a link to that machine’s inventory!)
Continue with “Next” again.

Order the results as you want and proceed with “Next”.

Now in the “Filters” section, hit “Specify rules to filter the records”, remove the unnecessary “Agent connection time” field with the trash bin icon and add your custom inventory again by clicking the + icon.
Define the operator as “contains” and the value as “.pst” (ADJUST THIS TO YOUR USE CASE!).


Finish and test drive your new report!

If everything went right and your machines ran the script and at least one inventory cycle (already mentioned in step 2), you should now get some results – or you have already successfully migrated all PST archives to Exchange archive mailboxes! :)

One last hint: you can use the “Report Schedules” of KACE SMA to periodically investigate your network. For example, let KACE SMA email you the results of your new report as an attached Excel sheet once a month.

Leave a comment if you have any questions or suggestions about this!