Deploy BESChildProcessKiller Scheduled Task v1.3

Versioning - This is the latest version.

1. Deploy BESChildProcessKiller Scheduled Task v1.1 - 12/12/2016 10:28:47 AM
2. Deploy BESChildProcessKiller Scheduled Task v1.2 - 12/12/2016 1:08:27 PM
3. Deploy BESChildProcessKiller Scheduled Task v1.3 - 12/16/2016 7:28:34 AM

Description

This Fixlet sets up a process to kill stuck processes launched by the BES Client. When the BES Client launches a process via the 'wait' or 'waithidden' commands and that process never completes, the BES Client will not respond to any further actions and remains "stuck" until the process is terminated, BESClient is restarted, or the system is rebooted.

This Fixlet deploys BESChildProcessKiller, which watches for these "stuck" child processes and kills them after a timeout value has been exceeded. It creates a Scheduled Task that checks every 15 minutes. The Scheduled Task passes a query file to the "qna.exe" utility, which identifies stuck processes and returns their PIDs. The Scheduled Task then logs each process and kills it.

Components:

  • Client Settings (configure via Task "Configure BESChildProcessKiller Timeout Values")
    • BESClient_ChildProcess_Timeout - The current time interval after which stuck BES Child Processes should be terminated
    • BESClient_ChildProcess_PreferredTimeout - The normal time interval after which stuck BES Child Processes should be terminated
  • Scheduled Tasks
    • BESChildProcessKiller
  • Files (under __BESData\ChildProcessKiller)
    • ChildProcessKiller.cmd - Batch file executed by Scheduled Task to identify and kill stuck child processes
    • ChildProcessTimeout.qna - Relevance query to identify and list PIDs of stuck processes
    • ChildProcessTimeout.log - Log file containing execution outputs

v1.2 adds a check of the client setting "BESClient_ChildProcess_ExcludeList" to whitelist specific processes that should not be killed. These processes, their parent process, and parent's parent process will not be killed. This is useful for excluding known long-running processes such as "rbagent.exe", used in BigFix OS Deployment.

v1.3 adds a check to handle recycled PIDs. The BESClient service may be using a PID that was previously assigned to another process, and BESChildProcessKiller would try to kill that defunct process's children. In some cases this was trying to terminate csrss.exe! v1.3 adds a check that the target process is newer than the besclient.exe process (and hence should really be a child of besclient, as no other process could have reused besclient's PID as long as besclient is still running).
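
The selection logic of the query file, including the v1.2 exclude list and the v1.3 recycled-PID check, modeled in Python as an added example (this is not part of the Fixlet; the process snapshot, PIDs and 3-hour timeout are constructed for illustration):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    created: datetime

def protected_pids(procs, exclude_list):
    """v1.2: PIDs of excluded processes, their parents and grandparents."""
    names = set(exclude_list.strip().lower().split(";")) - {""}
    by_pid = {p.pid: p for p in procs}
    keep = set()
    for p in procs:
        if p.name.lower() in names:
            parent = by_pid.get(p.ppid)
            grand = by_pid.get(parent.ppid) if parent else None
            keep.update(x.pid for x in (p, parent, grand) if x)
    return keep

def stuck_children(procs, client_pid, now, timeout, exclude_list="", newer_check=True):
    """PIDs the query would list; newer_check=False models the pre-v1.3 query."""
    client = next(p for p in procs if p.pid == client_pid)
    keep = protected_pids(procs, exclude_list)
    return sorted(
        p.pid for p in procs
        if p.ppid == client_pid
        and p.name != "BESClientUI.exe"
        and (not newer_check or p.created > client.created)  # v1.3 check
        and now - p.created > timeout
        and p.pid not in keep
    )

# Constructed snapshot: BESClient.exe got PID 500, once used by csrss.exe's parent.
T0 = datetime(2016, 12, 16, 8, 0)
SAMPLE = [
    Proc(500, 4, "BESClient.exe", T0),
    Proc(620, 500, "csrss.exe", T0 - timedelta(days=3)),     # stale ppid link
    Proc(900, 500, "setup.exe", T0 + timedelta(minutes=5)),  # genuinely stuck
    Proc(910, 500, "BESClientUI.exe", T0 + timedelta(minutes=1)),
    Proc(920, 500, "cmd.exe", T0 + timedelta(minutes=10)),   # parent of rbagent
    Proc(921, 920, "rbagent.exe", T0 + timedelta(minutes=11)),
    Proc(930, 500, "msiexec.exe", T0 + timedelta(minutes=230)),  # too young
]
NOW, TIMEOUT = T0 + timedelta(hours=4), timedelta(hours=3)

print(stuck_children(SAMPLE, 500, NOW, TIMEOUT, newer_check=False))  # [620, 900, 920]
print(stuck_children(SAMPLE, 500, NOW, TIMEOUT))                     # [900, 920]
```

The first result shows the pre-v1.3 behaviour, where csrss.exe (PID 620) is listed only because its stale parent PID matches the client's current PID.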


Property Details

ID: 23050
Status: Alpha - Code that was just developed
Title: Deploy BESChildProcessKiller Scheduled Task v1.3
Domain: BESC
Source: Internal
Source Release Date: 12/9/2016 12:00:00 AM
Keywords: Client, Stuck Action, Task Schedule, Kill, Process
Added by on 12/16/2016 7:28:34 AM
Last Modified by on 12/16/2016 7:28:34 AM
Counters: 4885 Views / 15 Downloads

Relevance

isWindows (Relevance 1172)
Used in 1117 fixlets and 524 analyses   * Results in a true/false
windows of operating system
Used in 21 fixlets and 3 analyses   * Results in a true/false
if exists property "in proxy agent context" then not in proxy agent context else true
Used in 3 fixlets   * Results in a true/false
exists running services whose (service name of it = "Schedule")
Used in 3 fixlets   * Results in a true/false
exists file "qna.exe" of storage folder of client
Used in 1 fixlet   * Results in a true/false
/* QNA query file is not present or not correct version */ (not exists file "ChildProcessTimeout.qna" whose ((preceding text of first " " of following text of first "Version:" of line 1 of it) as string as version >= version "1.3") of folders "ChildProcessKiller" of data folder of client) OR /* Task is not present or does not point to correct batch file */ (not exists scheduled tasks "BESChildProcessKiller" whose (exists (node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Actions/t:Exec/t:Command") of xml document of xml of it) whose (it = "%22" & pathname of data folder of client & "\ChildProcessKiller\ChildProcessKiller.cmd%22")))

Actions

Action 1 (default)

Action Link: Click here to set up the BESChildProcessKiller Scheduled Task.
Script Type: BigFix Action Script
// setup all of the scripts involved
action uses wow64 redirection false
parameter "FolderPath"="{pathname of data folder of client}\ChildProcessKiller"
delete __appendfile

// The following file will be a query passed to qna.exe. It should output the list of process IDs to terminate -
appendfile Q: /* Do not remove this comment Version:1.3 */ pids of it of processes whose ((ppid of it = pid of service "BESClient") and (name of it != "BESClientUI.exe") AND (creation time of it > creation time of process (pid of service "BESClient")) and (now - creation time of it > value of setting "BESClient_ChildProcess_Timeout" of client as time interval) and (if not exists setting "BESClient_ChildProcess_ExcludeList" of client then true else (pid of it is not contained by set of (pid of it; pids of processes (ppids of it); pids of processes (ppids of processes (ppids of it))) of processes whose (name of it as lowercase is contained by (set of (substrings separated by ";" of value of setting "BESClient_ChildProcess_ExcludeList" of client as trimmed string as lowercase))))))

folder create "{parameter "FolderPath"}"
folder create "{parameter "FolderPath"}\Log"
delete "{parameter "FolderPath"}\ChildProcessTimeout.qna"
move __appendfile "{parameter "FolderPath"}\ChildProcessTimeout.qna"

// The following file will be a .cmd script, executed by the Task Scheduler in SYSTEM context, which executes qna.exe and kills the resulting process list
delete __createfile
createfile until EOF_EOF
@SET WD="{parameter "FolderPath"}"
@For /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set mydate=%%c-%%a-%%b)
@SET LOGFILE=Log\ChildProcessKiller_%mydate%.log
PUSHD %WD%

if not exist "{pathname of storage folder of client}\qna.exe" (@echo %DATE% %TIME% ERROR: Could not locate qna.exe >> %LOGFILE% & exit /B 1)
if not exist "{parameter "FolderPath"}\ChildProcessTimeout.qna" (@echo %DATE% %TIME% ERROR: Could not locate ChildProcessTimeout.qna >> %LOGFILE% & exit /B 1)

GOTO MAIN

:HandlePID
@echo %DATE% %TIME% Stopping Process %1 >> %LOGFILE%
@TASKLIST /FI "PID eq %1" >> %LOGFILE% 2>&1
@TASKKILL /PID %1 /T /F >> %LOGFILE% 2>&1
@exit /B %ERRORLEVEL%

:MAIN
echo %DATE% %TIME% Checking for stuck processes >> %LOGFILE%
@REM We need to call out to another subroutine, because the 'for' syntax doesn't seem to handle directly executing the result
for /F "skip=1 tokens=1,* delims=:" %%i in ('"{pathname of storage folder of client}\qna.exe" ChildProcessTimeout.qna') do @CALL :HandlePID %%j
EOF_EOF
delete "{parameter "FolderPath"}\ChildProcessKiller.cmd"
move __createfile "{parameter "FolderPath"}\ChildProcessKiller.cmd"

// Create the Scheduled Task to run every 15 minutes
waithidden schtasks.exe /create /RU System /SC MINUTE /MO 15 /TN BESChildProcessKiller /TR "'{parameter "FolderPath"}\ChildProcessKiller.cmd'" /F
waithidden schtasks.exe /run /TN BESChildProcessKiller
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.



Comments

jgallas -
This deploys fine however I noticed that it went away at some point on my machine. What I mean by that is the folder C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\ChildProcessKiller got deleted somehow (automated cleanup by the agent perhaps?). Anyway the scheduled task remained but without the folder there it wasn't able to run on my system.
kirbiros -
I tried to deploy this fixlet on 2 test machines but getting the status as ..NOT Relevant. Why?