andymellor

What is causing CScript to run and hog memory??

Dear Experts,

We have a number of virtual servers running Windows 2008R2 Standard which have recently started running slowly. On closer inspection, Task Manager shows a CScript running and using loads of memory.

We've identified what the script is and we're happy that it's legitimate and not a virus. However, we've checked Scheduled Tasks and nothing is scheduled to run and we don't know how this is starting.

Is there any way that we can identify what is calling this script?

Regards
Kimputer

What does this script actually do? Is it part of another software program?
Usually, if it's not scheduled, it's probably part of a service (since the service is firing this command, it could be that you cannot find any reference to this script, that's why I asked if you can tell me if it's part of something else).
For instance, if you find database references in it, it could be a job in your MS SQL server. If there are web references in it, it could be fired from an ASP script.
andymellor

ASKER

Kimputer,

Thanks for your reply. The script that is running is below:

    ' Errors are suppressed: a failed registry read or Exec call continues silently
    On Error Resume Next
    Set WSHShell = WScript.CreateObject("WScript.Shell")
    OSName = WSHShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName")
    ' Only run the check on Windows 7, Windows 8 or Server 2008 R2
    If InStr(OSName, "Windows 7") or InStr(OSName, "Windows 8") or InStr(OSName, "2008 R2") Then
        cif = ""
        Set s = CreateObject("WScript.Shell")
        ' Run manage-bde and read its BitLocker status report line by line
        Set e = s.Exec("manage-bde -status")
        Set status = e.StdOut
        Do While status.AtEndOfStream <> True
            line = status.ReadLine
            If InStr(line, "Volume ") Then
                ' Two characters after "Volume " (drive letter and colon)
                cif = cif & Mid(line, 8, 2)
            ElseIf InStr(line, "Percentage Encrypted:") Then
                ' Rest of the line from column 26 (the percentage value)
                cif = cif & Mid(line, 26) & "; "
            End If
        Loop
        ' If any volume reports 100, check the device lockout threshold policy
        If InStr(cif, "100") Then
            PasswordFailedAttempts = WSHShell.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\MaxDevicePasswordFailedAttempts")
            ' Report when the threshold is above 10 or the value could not be read
            If PasswordFailedAttempts > 10 or PasswordFailedAttempts = "" Then
                WScript.echo "Interactive logon: Machine account lockout threshold is set to " & PasswordFailedAttempts & " invalid logon attempts."
            End If
        End If
    End If


We think that this is a script that somebody has created to test out the Intrusion Detection System we use (Tripwire). Nobody seems to be taking ownership of the script but we do work in a fairly large and complicated company.

Is there any way that you know of that we can prevent this from running (or kill it off automatically) whilst we find the origin of the problem?

Thanks again.
ASKER CERTIFIED SOLUTION
Kimputer

This solution is only available to members.
Perfect - Thanks :-)
Check if this is getting deployed through GPOs.
GPRESULT /R
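
One way to answer the original question of what is calling the script, as an added example that is not part of the thread: walk the parent-process chain of each running cscript.exe and list any services hosted in each ancestor. The function name Get-ProcessAncestry and its MaxDepth parameter are hypothetical; it assumes the parent process is still running when the check is made.

```powershell
# Added example (not from the thread). Get-WmiObject is used so this also
# runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

function Get-ProcessAncestry {
    param([int]$ProcessId, [int]$MaxDepth = 10)

    $current = Get-WmiObject Win32_Process -Filter "ProcessId = $ProcessId"
    for ($depth = 0; $current -and $current.ProcessId -ne 0 -and $depth -lt $MaxDepth; $depth++) {
        # Services hosted in this process (for example inside a shared svchost.exe)
        $services = @(Get-WmiObject Win32_Service -Filter "ProcessId = $($current.ProcessId)" |
            ForEach-Object { $_.Name })

        New-Object PSObject -Property @{
            Depth       = $depth
            ProcessId   = $current.ProcessId
            Name        = $current.Name
            Services    = $services -join ','
            CommandLine = $current.CommandLine
        }

        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($current.ParentProcessId)"

        # PIDs are reused: a "parent" that started after its child is an
        # unrelated process, so stop rather than report a false ancestor.
        if ($parent -and $parent.CreationDate -and $current.CreationDate -and
            $parent.ConvertToDateTime($parent.CreationDate) -gt
            $current.ConvertToDateTime($current.CreationDate)) { break }

        $current = $parent
    }
}

# Depth 0 is cscript.exe itself (its command line shows the script path),
# depth 1 is whatever launched it, and so on up the chain.
Get-WmiObject Win32_Process -Filter "Name = 'cscript.exe'" |
    ForEach-Object {
        Get-ProcessAncestry -ProcessId $_.ProcessId |
            Select-Object Depth, ProcessId, Name, Services, CommandLine |
            Format-Table -AutoSize -Wrap
    }
```

Run it from an elevated prompt while the script is active; without administrative rights the CommandLine of processes owned by other accounts comes back empty.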