What is causing CScript to run and hog memory??

Dear Experts,

We have a number of virtual servers running Windows 2008R2 Standard which have recently started running slowly. On closer inspection, Task Manager shows a CScript running and using loads of memory.

We've identified what the script is and we're happy that it's legitimate and not a virus. However, we've checked Scheduled Tasks and nothing is scheduled to run and we don't know how this is starting.

Is there any way that we can identify what is calling this script?

Regards
andymellorAsked:

KimputerCommented:
What does this script actually do ? Is it part of another software program ?
Usually, if it's not scheduled, it's probably part of a service (since the service is firing this command, it could be that you cannot find any reference to this script, that's why I asked if you can tell me if it's part of something else).
For instance, if you find database references in it, it could be a job in your MS SQL server. If there are web references in it, it could be fired from an ASP script.
0
andymellorAuthor Commented:
Kimputer,

Thanks for your reply. The script that is running is below:

On Error Resume Next
' Read the OS name so the check only runs on Windows 7 / Windows 8 / 2008 R2
Set WSHShell = WScript.CreateObject("WScript.Shell")
OSName = WSHShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName")
If InStr(OSName, "Windows 7") Or InStr(OSName, "Windows 8") Or InStr(OSName, "2008 R2") Then
    ' Build a "<drive><percent>; " string from the output of manage-bde -status
    cif = ""
    Set s = CreateObject("WScript.Shell")
    Set e = s.Exec("manage-bde -status")
    Set status = e.StdOut
    Do While status.AtEndOfStream <> True
        line = status.ReadLine
        If InStr(line, "Volume ") Then
            cif = cif & Mid(line, 8, 2)              ' drive letter, e.g. "C:"
        ElseIf InStr(line, "Percentage Encrypted:") Then
            cif = cif & Mid(line, 26) & "; "         ' e.g. "100.0%; "
        End If
    Loop
    ' If any volume reports 100% encrypted, check the BitLocker lockout threshold
    If InStr(cif, "100") Then
        PasswordFailedAttempts = WSHShell.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\MaxDevicePasswordFailedAttempts")
        ' If the value is absent, RegRead fails silently and the variable stays Empty (= "")
        If PasswordFailedAttempts > 10 Or PasswordFailedAttempts = "" Then
            WScript.Echo "Interactive logon: Machine account lockout threshold is set to " & PasswordFailedAttempts & " invalid logon attempts."
        End If
    End If
End If


We think that this is a script that somebody has created to test out the Intrusion Detection System we use (Tripwire). Nobody seems to be taking ownership of the script but we do work in a fairly large and complicated company.

Is there any way that you know of that we can prevent this from running (or kill it off automatically) whilst we find the origin of the problem?

Thanks again.
0
KimputerCommented:
Seems like a custom made script. First of all, you can disable it by putting

wscript.quit

on top of the script. Nothing of the code will run.

Next you can try to track it by searching for the script name in your registry. But as I said, if this is a slave command from another program or service, you won't find anything.
Maybe it's part of a larger management software tool. If you still can't trace it, then the solution I provided will prevent the large memory consumption.
Also, if you know the schedule of this script, maybe you can run ProcMon (Process Monitor from MS TechNet) just before it starts, look for the script name, and see who fired it. But this tool will provide thousands if not millions of lines, so it's quite laborious to go through all the lines (use the search after you're sure the event has been captured).
0
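An added example for the "see who fired it" part, written here rather than taken from any of the posters: PowerShell that walks the parent chain of every running cscript.exe and reports the launching process, its owner and, where a parent is svchost.exe, the services hosted in that process. It assumes local WMI access and that the script is still resident when you run it; Get-WmiObject is used so it works on the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example, not from the thread. For each running cscript.exe, walk the
# parent chain to find what started it (task scheduler, a service inside
# svchost.exe, a management agent, an interactive shell).
function Get-ProcessAncestry {
    param([Parameter(Mandatory = $true)][int]$ProcessId)
    $chain = @()
    $seen = @{}
    $current = $ProcessId
    # Stop at PID 0, at a parent that has already exited, or on a PID cycle
    # (PIDs are reused, so a stale ParentProcessId can point at an unrelated process).
    while ($current -and -not $seen.ContainsKey($current)) {
        $seen[$current] = $true
        $p = Get-WmiObject Win32_Process -Filter "ProcessId = $current"
        if (-not $p) { break }
        $owner = $p.GetOwner()
        $services = @()
        if ($p.Name -eq 'svchost.exe') {
            # Name the services living in this svchost instance
            $services = Get-WmiObject Win32_Service -Filter "ProcessId = $current" |
                ForEach-Object { $_.Name }
        }
        $chain += New-Object PSObject -Property @{
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            User        = "$($owner.Domain)\$($owner.User)"
            Services    = ($services -join ', ')
            CommandLine = $p.CommandLine
        }
        $current = $p.ParentProcessId
    }
    return $chain
}

foreach ($s in (Get-WmiObject Win32_Process -Filter "Name = 'cscript.exe'")) {
    Write-Host "=== cscript.exe PID $($s.ProcessId) started $($s.ConvertToDateTime($s.CreationDate))"
    Write-Host "    $($s.CommandLine)"
    Get-ProcessAncestry -ProcessId $s.ProcessId |
        Format-Table ProcessId, Name, User, Services, CommandLine -AutoSize
}
```

If the launcher has already exited the chain stops there, and a ProcMon capture started beforehand (as suggested above) is the fallback. To stop instances while you investigate, add `Stop-Process -Id $s.ProcessId` inside the loop.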

andymellorAuthor Commented:
Perfect - Thanks :-)
0
Pramod UbheCommented:
Check if this is getting deployed through GPOs.
GPRESULT /R
0