
WSL Detection

Summary

This remote monitor detects Windows agents on which Windows Subsystem for Linux (WSL) is installed or on which residual WSL components remain: a working wsl command, the WSL registry keys and MSI uninstall entry, distribution package folders, or Start Menu shortcuts. Agents that fail the check can be remediated by applying the △ Custom - Execute Script - Uninstall WSL alert template.

Details

  • Suggested "Limit to": All
  • Suggested Alert Style: Once
  • Suggested Alert Template: △ Custom - Execute Script - Uninstall WSL
Check Action | Server Address | Check Type | Comparator | Interval (seconds) | Result
System       | 127.0.0.1      | Run File   | Equals     | 14400              | Not Available
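The Run File check executes the one-line PowerShell command stored in the DataOut column of the query in the Implementation section. The script below is an added example, not the monitor's own command or ProVal's code: it is the same detection logic rewritten as a readable function so that the check can be run interactively on an endpoint and the exact indicator that tripped can be seen. It assumes an elevated session and the default C:\Users profile root. Enumerating every profile under C:\Users goes beyond the page's check, which only inspects $env:USERPROFILE; when the agent service runs the command, that variable resolves to the service account's profile rather than an interactive user's, so per-user distribution packages would otherwise be missed.

```powershell
# Added example: readable equivalent of the monitor's Run File check.
# Returns the same strings the monitor compares against ('WSL Component Found'
# or 'No Residue Found') plus the list of indicators that matched.
# Assumptions: elevated session; profiles live under C:\Users (constructed
# default, not taken from the page); the per-profile walk is an extension.

function Get-WslResidue {
    [CmdletBinding()]
    param()

    $hits = New-Object System.Collections.Generic.List[string]

    # 1. A working wsl.exe. Windows ships a stub wsl.exe even when WSL is not
    #    installed, so the exit code of 'wsl --version' is what matters.
    if (Get-Command wsl -ErrorAction SilentlyContinue) {
        $null = & wsl --version 2>$null
        if ($LASTEXITCODE -eq 0) { $hits.Add('wsl.exe answers --version') }
    }

    # 2. Registry keys left by the optional feature or the Store/MSI package.
    $regKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NavPane\ShowLinux',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss'
    )
    foreach ($k in $regKeys) {
        if (Test-Path $k) { $hits.Add("registry key $k") }
    }

    # 3. MSI registration: the ProductCode under Lxss\MSI should have a matching
    #    Uninstall entry. Braces are stripped and re-added so a code stored with
    #    or without them resolves to the same key.
    $msiKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\MSI'
    if (Test-Path $msiKey) {
        $hits.Add("registry key $msiKey")
        $pc = (Get-ItemProperty -Path $msiKey -ErrorAction SilentlyContinue).ProductCode
        if ($pc) {
            $clean     = $pc -replace '^\{+|\}+$', ''
            $uninstall = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{$clean}"
            if (Test-Path $uninstall) { $hits.Add("uninstall entry {$clean}") }
        }
    }

    # 4. Package and install folders. Each user profile is checked for the
    #    Canonical (Ubuntu) package folder instead of only $env:USERPROFILE.
    $profiles = @(Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue)
    $folders = @(
        "$env:ProgramFiles\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux_*",
        "$env:ProgramFiles\WSL"
    )
    $folders += @($profiles | ForEach-Object {
        Join-Path $_.FullName 'AppData\Local\Packages\CanonicalGroupLimited.*'
    })
    foreach ($f in $folders) {
        if (Get-ChildItem -Path $f -ErrorAction SilentlyContinue) { $hits.Add("folder $f") }
    }

    # 5. Start Menu shortcuts whose name mentions Linux, all-users and per-user.
    $startMenus = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs")
    $startMenus += @($profiles | ForEach-Object {
        Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs'
    })
    foreach ($p in $startMenus) {
        if (Get-ChildItem -Path $p -Filter '*Linux*' -ErrorAction SilentlyContinue) {
            $hits.Add("shortcut(s) under $p")
        }
    }

    if ($hits.Count -gt 0) { $result = 'WSL Component Found' } else { $result = 'No Residue Found' }
    [pscustomobject]@{
        Result     = $result
        Indicators = $hits.ToArray()
    }
}

# Usage: print each matched indicator to the verbose stream and emit only the
# result string on stdout, which is what the monitor's comparator reads.
$r = Get-WslResidue
foreach ($i in $r.Indicators) { Write-Verbose "Indicator: $i" -Verbose }
Write-Output $r.Result
```

If the script reports 'WSL Component Found' on a machine where the monitor shows 'No Residue Found', the difference is almost always a per-user package folder or shortcut that the agent's service profile cannot see.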

Dependencies

Target

  • Windows Machine

Implementation

Step 1

Import the Alert Template △ Custom - Execute Script - Uninstall WSL

Step 2

Obtain the group ID(s) of the group(s) that the remote monitor should be applied to.

Step 3

Copy the following query and replace YOUR COMMA SEPARATED LIST OF GROUPID(S) with the group ID(s) for your target groups. The query inserts one groupagents row per group and skips any group that already has a monitor named 'ProVal - Production - WSL Detection'.


INSERT INTO groupagents
SELECT '' as `AgentID`,
`groupid` as `GroupID`,
'0' as `SearchID`,
'ProVal - Production - WSL Detection' as `Name`,
'6' as `CheckAction`,
'1' as `AlertAction`,
'[No Alerting]~~~%STATUS% on %CLIENTNAME%\\%COMPUTERNAME% at %LOCATIONNAME% for %FIELDNAME% result %RESULT%.!!![No Alerting]~~~%STATUS% on %CLIENTNAME%\\%COMPUTERNAME% at %LOCATIONNAME% for %FIELDNAME% result %RESULT%.' as `AlertMessage`,
'0' as `ContactID`,
'14400' as `interval`,
'127.0.0.1' as `Where`,
'7' as `What`,
'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -Command "$found=$false;if(Get-Command wsl -ErrorAction SilentlyContinue){wsl --version 2>$null;if($LASTEXITCODE -eq 0){$found=$true}};$regPaths=@(\'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NavPane\\ShowLinux\',\'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Lxss\');foreach($p in $regPaths){if(Test-Path $p){$found=$true}};$msiKey=\'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Lxss\\MSI\';if(Test-Path $msiKey){$found=$true;$pc=(Get-ItemProperty -Path $msiKey).ProductCode;if($pc){$clean=$pc -replace \'^\\{+|\\}+$\',\'\';$uninstall=\\"HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{$clean}\\";if(Test-Path $uninstall){$found=$true}}};$folders=@(\\"$env:USERPROFILE\\AppData\\Local\\Packages\\CanonicalGroupLimited.*\\",\\"C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\",\\"C:\\Program Files\\WSL\\");foreach($f in $folders){if(Get-ChildItem -Path $f -ErrorAction SilentlyContinue){$found=$true}};$paths=@(\\"$env:ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\",\\"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\");foreach($p in $paths){if(Get-ChildItem -Path $p -Filter \'*Linux*\' -ErrorAction SilentlyContinue){$found=$true}};if($found){Write-Output \'WSL Component Found\'}else{Write-Output \'No Residue Found\'}"' as `DataOut`,
'5' as `Comparor`,
'No Residue Found' as `DataIn`,
'0' as `IDField`,
'1' as `AlertStyle`,
'0' as `ScriptID`,
'' as `datacollector`,
'21' as `Category`,
'0' as `TicketCategory`,
'1' as `ScriptTarget`,
CONCAT(
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
'-',
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
'-',
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
'-',
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
'-',
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1)
) as `GUID`,
'root' as `UpdatedBy`,
(NOW()) as `UpdateDate`
FROM mastergroups m
WHERE m.groupid IN (YOUR COMMA SEPARATED LIST OF GROUPID(S))
AND m.groupid NOT IN (SELECT DISTINCT groupid FROM groupagents WHERE `Name` = 'ProVal - Production - WSL Detection') ;

Step 4

Here is an example showing how to use specific group IDs:


INSERT INTO groupagents
SELECT '' as `AgentID`,
`groupid` as `GroupID`,
'0' as `SearchID`,
'ProVal - Production - WSL Detection' as `Name`,
'6' as `CheckAction`,
'1' as `AlertAction`,
'[No Alerting]~~~%STATUS% on %CLIENTNAME%\\%COMPUTERNAME% at %LOCATIONNAME% for %FIELDNAME% result %RESULT%.!!![No Alerting]~~~%STATUS% on %CLIENTNAME%\\%COMPUTERNAME% at %LOCATIONNAME% for %FIELDNAME% result %RESULT%.' as `AlertMessage`,
'0' as `ContactID`,
'14400' as `interval`,
'127.0.0.1' as `Where`,
'7' as `What`,
'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -Command "$found=$false;if(Get-Command wsl -ErrorAction SilentlyContinue){wsl --version 2>$null;if($LASTEXITCODE -eq 0){$found=$true}};$regPaths=@(\'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NavPane\\ShowLinux\',\'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Lxss\');foreach($p in $regPaths){if(Test-Path $p){$found=$true}};$msiKey=\'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Lxss\\MSI\';if(Test-Path $msiKey){$found=$true;$pc=(Get-ItemProperty -Path $msiKey).ProductCode;if($pc){$clean=$pc -replace \'^\\{+|\\}+$\',\'\';$uninstall=\\"HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{$clean}\\";if(Test-Path $uninstall){$found=$true}}};$folders=@(\\"$env:USERPROFILE\\AppData\\Local\\Packages\\CanonicalGroupLimited.*\\",\\"C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\",\\"C:\\Program Files\\WSL\\");foreach($f in $folders){if(Get-ChildItem -Path $f -ErrorAction SilentlyContinue){$found=$true}};$paths=@(\\"$env:ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\",\\"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\");foreach($p in $paths){if(Get-ChildItem -Path $p -Filter \'*Linux*\' -ErrorAction SilentlyContinue){$found=$true}};if($found){Write-Output \'WSL Component Found\'}else{Write-Output \'No Residue Found\'}"' as `DataOut`,
'5' as `Comparor`,
'No Residue Found' as `DataIn`,
'0' as `IDField`,
'1' as `AlertStyle`,
'0' as `ScriptID`,
'' as `datacollector`,
'21' as `Category`,
'0' as `TicketCategory`,
'1' as `ScriptTarget`,
CONCAT(
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
'-',
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
'-',
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
'-',
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
'-',
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1),
SUBSTRING('abcdef0123456789', FLOOR(RAND()*16+1), 1)
) as `GUID`,
'root' as `UpdatedBy`,
(NOW()) as `UpdateDate`
FROM mastergroups m
WHERE m.groupid IN (128,129,200)
AND m.groupid NOT IN (SELECT DISTINCT groupid FROM groupagents WHERE `Name` = 'ProVal - Production - WSL Detection') ;

Step 5

Execute your query from a RAWSQL monitor set.

Step 6

Reload the System Cache (Ctrl + R).

Step 7

Find your remote monitor in the group's remote monitors tab, and apply the △ Custom - Execute Script - Uninstall WSL alert template to the remote monitor.