So I have an odd PowerShell issue that I'm not sure about here; perhaps someone with more experience than me can advise?
Basically I'm searching servers for any services and scheduled tasks that are not Microsoft's, then checking config files for a certain name. The code used is slightly older because some of the servers are 2008 and PowerShell hasn't been updated on them (long story involving ransomware).
If I separate the code I get the expected results, but if I combine the code, some of the output is missing.
#$ErrorActionPreference = "SilentlyContinue"
Write-Host "********* Server: $env:computername *********"

function RunSearch {
    # Grep config-style files anywhere on C: for each account name
    $searchWords = "user1", "user2"
    foreach ($sw in $searchWords) {
        Write-Host "********* Searching: C Drive for: $sw *********"
        Get-ChildItem -Path "C:\" -Recurse -Force -Include "*.ini", "*.config", "*.js", "*.bat", "*.xml" |
            Select-String -Pattern "$sw" |
            Select-Object Path, LineNumber
    }
    Write-Host "********* Finished Searching: $env:computername *********"
}

function RunGetTasksSrv {
    # Services whose logon account is not a built-in or SQL virtual account
    Get-WmiObject Win32_Service |
        Where-Object { $_.StartName -notlike "*localsystem*" -and $_.StartName -notlike "" -and $_.StartName -notlike "*sql_*" -and $_.StartName -notlike "NT Authority\*" -and $_.StartName -notlike "NT Service\*" } |
        Select-Object Name, StartName |
        Format-Table -AutoSize

    # Non-Microsoft scheduled tasks, parsed from the verbose CSV output of schtasks
    $schtask = schtasks.exe /query /s localhost /V /FO CSV |
        ConvertFrom-Csv |
        Where-Object { $_.TaskPath -notlike "*microsoft*" -and $_.Author -notlike "*microsoft*" } |
        Select-Object TaskName, "Run As User"

    # Keep only tasks that run as a named account; the "Run As User" -ne "Run As User" test
    # drops repeated CSV header lines that ConvertFrom-Csv turned into rows
    $schtask | Where-Object { $_."Run As User" -ne "SYSTEM" -and $_."Run As User" -ne "NETWORK SERVICE" -and $_."Run As User" -ne "INTERACTIVE" -and $_."Run As User" -ne "LOCAL SERVICE" -and $_."Run As User" -ne "Run As User" -and $_."Run As User" -notlike "*User*" }
}

RunGetTasksSrv
RunSearch
Now if I rem out RunSearch (#RunSearch), the output includes:
TaskName Run As User
-------- -----------
But if I un-rem it, that bit is missing (along with the users listed below). If I take out the functions and run it as one script, the TaskName is again missing, i.e.
Write-Host "********* Server: $env:computername *********"
# Services whose logon account is not a built-in or SQL virtual account
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -notlike "*localsystem*" -and $_.StartName -notlike "" -and $_.StartName -notlike "*sql_*" -and $_.StartName -notlike "NT Authority\*" -and $_.StartName -notlike "NT Service\*" } |
    Select-Object Name, StartName |
    Format-Table -AutoSize
# Non-Microsoft scheduled tasks from the verbose CSV output of schtasks
$schtask = schtasks.exe /query /s localhost /V /FO CSV |
    ConvertFrom-Csv |
    Where-Object { $_.TaskPath -notlike "*microsoft*" -and $_.Author -notlike "*microsoft*" } |
    Select-Object TaskName, "Run As User"
# Tasks that run as a named account (the -ne "Run As User" test drops repeated CSV header rows)
$schtask | Where-Object { $_."Run As User" -ne "SYSTEM" -and $_."Run As User" -ne "NETWORK SERVICE" -and $_."Run As User" -ne "INTERACTIVE" -and $_."Run As User" -ne "LOCAL SERVICE" -and $_."Run As User" -ne "Run As User" -and $_."Run As User" -notlike "*User*" }
# Grep config-style files anywhere on C: for each account name
$searchWords = "user1", "user2"
foreach ($sw in $searchWords) {
    Write-Host "********* Searching: C Drive for: $sw *********"
    Get-ChildItem -Path "C:\" -Recurse -Force -Include "*.ini", "*.config", "*.js", "*.bat", "*.xml" |
        Select-String -Pattern "$sw" |
        Select-Object Path, LineNumber
}
Write-Host "********* Finished Searching: $env:computername *********"
It's really odd and I can't see why that bit is being left out.
Is it likely just because PowerShell is so old on one of the affected servers?
$psversiontable
Name Value
---- -----
CLRVersion 2.0.50727.8762
BuildVersion 6.1.7601.17514
PSVersion 2.0
WSManStackVersion 2.0
PSCompatibleVersions {1.0, 2.0}
SerializationVersion 1.1.0.1
PSRemotingProtocolVersion 2.1
Any advice welcomed! Thanks
CodePudding user response:
I happened to have an old 2008 VM and was able to test this. Try adding -and $_.HostName -notlike "HostName"
to the line below, like this. I got no hits because of the -notlike filters you have, but that's likely because MS didn't have as many tasks running under the user context back then, especially on servers. Adding that last -notlike strips out the headers for the nested tasks in other folders.
$schtask = schtasks.exe /query /s localhost /V /FO CSV |
    ConvertFrom-Csv |
    Where-Object { $_.TaskPath -notlike "*microsoft*" -and $_.Author -notlike "*microsoft*" -and $_.HostName -notlike "HostName" } |
    Select-Object TaskName, "Run As User"
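A worked version of the whole sweep, added here as an example; it is not code from the question or the answer above. It assumes PowerShell 2.0 or later, schtasks.exe on the path, and local admin rights for the live run; the $SampleCsv lines are constructed and carry only the columns the functions read. It builds on the answer's point (drop the repeated CSV header rows, identified by a HostName value of "HostName", once, right after ConvertFrom-Csv) and adds one further change: every service, task and file hit is emitted as the same object shape, and Format-Table is called once at the very end, so the default formatter, which fixes its columns from the first object it sees, cannot hide fields and the same objects can go straight to Export-Csv. It filters Microsoft tasks on TaskName (which in the schtasks CSV carries the folder path) and Author; the function and parameter names are this example's own.

```powershell
# Added example, not from the question or the answer. Assumes PowerShell 2.0+,
# schtasks.exe on the path, and local admin rights for the live sweep.

# schtasks /V /FO CSV repeats its header line once per task folder. ConvertFrom-Csv turns
# each repeated header into a data row whose HostName column is literally "HostName", so
# drop those rows here, once, instead of testing "Run As User" -ne "Run As User" later.
function ConvertFrom-SchtasksCsv {
    param([string[]]$CsvLines)
    $CsvLines | ConvertFrom-Csv | Where-Object { $_.HostName -ne 'HostName' }
}

# One record shape for every finding, so the default formatter (which fixes its columns
# from the first object it sees) cannot hide fields, and Export-Csv gets a flat table.
function New-Finding {
    param([string]$Source, [string]$Name, [string]$RunAs, [string]$Detail)
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; RunAs = $RunAs; Detail = $Detail } |
        Select-Object Source, Name, RunAs, Detail
}

function Get-NonMicrosoftTask {
    param([string[]]$CsvLines)
    $builtin = 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'INTERACTIVE'
    ConvertFrom-SchtasksCsv $CsvLines |
        Where-Object {
            # TaskName carries the folder path (e.g. \Microsoft\Windows\...), so filter on it
            $_.TaskName -notlike '\Microsoft\*' -and
            $_.Author -notlike '*Microsoft*' -and
            $builtin -notcontains $_.'Run As User'
        } |
        ForEach-Object { New-Finding 'Task' $_.TaskName $_.'Run As User' $_.'Task To Run' }
}

function Get-NonMicrosoftService {
    Get-WmiObject Win32_Service |
        Where-Object {
            $_.StartName -and
            $_.StartName -ne 'LocalSystem' -and
            $_.StartName -notlike 'NT AUTHORITY\*' -and
            $_.StartName -notlike 'NT SERVICE\*'
        } |
        ForEach-Object { New-Finding 'Service' $_.Name $_.StartName $_.PathName }
}

function Find-AccountReference {
    param([string[]]$Names, [string]$Root = 'C:\')
    # -SimpleMatch: the account names are literals, not regexes
    Get-ChildItem -Path $Root -Recurse -Force -Include *.ini, *.config, *.js, *.bat, *.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern $Names -SimpleMatch |
        ForEach-Object { New-Finding 'File' $_.Path $_.Pattern ("line " + $_.LineNumber) }
}

# Constructed sample (subset of the real columns): two folders, so the header appears twice.
$SampleCsv = @(
    '"HostName","TaskName","Author","Task To Run","Run As User"',
    '"SRV01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","defrag.exe","SYSTEM"',
    '"HostName","TaskName","Author","Task To Run","Run As User"',
    '"SRV01","\Backup\NightlyCopy","CORP\admin","C:\Scripts\copy.bat","CORP\svc_backup"'
)
Get-NonMicrosoftTask $SampleCsv | Format-Table -AutoSize

# Live sweep: collect everything first, then format once at the end (or export instead).
$findings = @(Get-NonMicrosoftService) +
            @(Get-NonMicrosoftTask (schtasks.exe /query /s localhost /V /FO CSV)) +
            @(Find-AccountReference -Names 'user1', 'user2')
$findings | Format-Table -AutoSize
# $findings | Export-Csv "$env:computername-findings.csv" -NoTypeInformation
```

Against $SampleCsv the second header line becomes a row with HostName "HostName" and is discarded by ConvertFrom-SchtasksCsv, the defrag task is excluded by the TaskName filter, and only \Backup\NightlyCopy (running as CORP\svc_backup) remains, which is the row the original -ne "Run As User" check was trying to protect. Keeping Format-Table out of the functions and out of the middle of the script is what lets the three result sets appear in one table, whatever PowerShell version the server has.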