andymellor
asked on
What is causing CScript to run and hog memory??
Dear Experts,
We have a number of virtual servers running Windows 2008R2 Standard which have recently started running slowly. On closer inspection, Task Manager shows a CScript running and using loads of memory.
We've identified what the script is and we're happy that it's legitimate and not a virus. However, we've checked Scheduled Tasks and nothing is scheduled to run and we don't know how this is starting.
Is there any way that we can identify what is calling this script?
Regards
ASKER
Kimputer,
Thanks for your reply. The script that is running is below:
On Error Resume Next
Set WSHShell = WScript.CreateObject("WScript.Shell")
OSName = WSHShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName")
If InStr(OSName, "Windows 7") or InStr(OSName, "Windows 8") or InStr(OSName, "2008 R2") Then
    cif = ""
    Set s = CreateObject("WScript.Shell")
    Set e = s.Exec("manage-bde -status")
    Set status = e.StdOut
    Do While status.AtEndOfStream <> True
        line = status.ReadLine
        If InStr(line, "Volume ") Then
            cif = cif & Mid(line, 8, 2)
        ElseIf InStr(line, "Percentage Encrypted:") Then
            cif = cif & Mid(line, 26) & "; "
        End If
    Loop
    If InStr(cif, "100") then
        PasswordFailedAttempts = WSHShell.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\MaxDevicePasswordFailedAttempts")
        If PasswordFailedAttempts > 10 or PasswordFailedAttempts = "" Then
            WScript.echo "Interactive logon: Machine account lockout threshold is set to " & PasswordFailedAttempts & " invalid logon attempts."
        End If
    End IF
End If
We think that this is a script that somebody has created to test out the Intrusion Detection System we use (Tripwire). Nobody seems to be taking ownership of the script but we do work in a fairly large and complicated company.
Is there any way that you know of that we can prevent this from running (or kill it off automatically) whilst we find the origin of the problem?
Thanks again.
ASKER
Perfect - Thanks :-)
Check if this is getting deployed through GPOs.
GPRESULT /R
Usually, if it's not scheduled, it's probably part of a service (since the service is firing this command, it could be that you cannot find any reference to this script, that's why I asked if you can tell me if it's part of something else).
For instance, if you find database references in it, it could be a job in your MS SQL server. If there are web references in it, it could be fired from an ASP script.
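Added example, not part of the original thread: one way to answer the "what is calling this script" question is to walk the parent-process chain of each running cscript.exe and show which Windows services live in each ancestor. It assumes an elevated PowerShell prompt on the affected server while cscript.exe is still running, and uses only the standard Win32_Process and Win32_Service WMI classes.

```powershell
# Added example: trace what launched each running cscript.exe (PowerShell 2.0 compatible).
# Index every process by PID so parent links can be followed.
$procs = @{}
Get-WmiObject Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

# Map PID -> names of the Windows services hosted in that process.
$svcByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    $svcByPid[[int]$_.ProcessId] += @($_.Name)
}

foreach ($p in ($procs.Values | Where-Object { $_.Name -eq 'cscript.exe' })) {
    Write-Output ("cscript.exe PID {0}: {1}" -f $p.ProcessId, $p.CommandLine)
    $owner = $p.GetOwner()
    Write-Output ("  running as {0}\{1}" -f $owner.Domain, $owner.User)

    # Walk up the parent chain. Stop on a missing parent (already exited),
    # a loop, or a "parent" younger than its child (the PID was reused).
    $seen = @{}
    $cur = $p
    while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $parent = $procs[[int]$cur.ParentProcessId]
        if (-not $parent) {
            Write-Output ("  parent PID {0} has exited" -f $cur.ParentProcessId)
            break
        }
        if ($parent.CreationDate -gt $cur.CreationDate) {
            Write-Output ("  PID {0} was reused; chain ends here" -f $parent.ProcessId)
            break
        }
        $svc = $svcByPid[[int]$parent.ProcessId] -join ', '
        Write-Output ("  <- {0} (PID {1}) services: [{2}] cmd: {3}" -f `
            $parent.Name, $parent.ProcessId, $svc, $parent.CommandLine)
        $cur = $parent
    }
}
```

A chain that ends in a service-hosting process points at that service (for example a monitoring or compliance agent), while a chain through the Group Policy client or a logon process points back at the GPO check suggested above.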