[GH-ISSUE #331] Script monitors ocassionally failing #2157

New issue

Closed

opened 2026-03-14 02:47:52 +03:00 by kerem · 10 comments

kerem commented 2026-03-14 02:47:52 +03:00

Owner

Copy link

Originally created by @sdm216 on GitHub (Mar 17, 2021).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/331

Since 0.4.24 (Which actually fixed this same issue happening all the time), agents are still occasionally getting the alert below with script checks failing. Repairing the Tactical Agent through Agent Recovery seems to temporarily fix it. With about 200 agents, it's happening about 3-5 devices a day, at random times throughout the day. It keeps failing until the agent is "recovered".

CompanyName, SiteName DeviceName - Script Check: Script Name Failed - Return code: 85
Stdout:
Stderr: open C:\WINDOWS\TEMP\trmm\198018948.ps1: The system cannot find the path specified.

Originally created by @sdm216 on GitHub (Mar 17, 2021). Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/331 Since 0.4.24 (Which actually fixed this same issue happening all the time), agents are still occasionally getting the alert below with script checks failing. Repairing the Tactical Agent through Agent Recovery seems to temporarily fix it. With about 200 agents, it's happening about 3-5 devices a day, at random times throughout the day. It keeps failing until the agent is "recovered". CompanyName, SiteName DeviceName - Script Check: Script Name Failed - Return code: 85 Stdout: Stderr: open C:\WINDOWS\TEMP\trmm\198018948.ps1: The system cannot find the path specified.

kerem closed this issue 2026-03-14 02:47:58 +03:00

kerem commented 2026-03-14 02:48:04 +03:00

Author

Owner

Copy link

@dinger1986 commented on GitHub (Mar 17, 2021):

Have you created the exclusions in your AV?

<!-- gh-comment-id:801478003 --> @dinger1986 commented on GitHub (Mar 17, 2021): Have you created the exclusions in your AV?

kerem commented 2026-03-14 02:48:09 +03:00

Author

Owner

Copy link

@sdm216 commented on GitHub (Mar 17, 2021):

Yep. I use Defender, and checked the defender event logs, and it isn't blocking anything. And it all works again after recovering the agent, at least for a while.

<!-- gh-comment-id:801478765 --> @sdm216 commented on GitHub (Mar 17, 2021): Yep. I use Defender, and checked the defender event logs, and it isn't blocking anything. And it all works again after recovering the agent, at least for a while.

kerem commented 2026-03-14 02:48:14 +03:00

Author

Owner

Copy link

@dinger1986 commented on GitHub (Mar 17, 2021):

Ok. That's interesting I have afew machines that do that as well but always seems to be when they are under load and then it runs fine next time

<!-- gh-comment-id:801479660 --> @dinger1986 commented on GitHub (Mar 17, 2021): Ok. That's interesting I have afew machines that do that as well but always seems to be when they are under load and then it runs fine next time

kerem commented 2026-03-14 02:48:19 +03:00

Author

Owner

Copy link

@sdm216 commented on GitHub (Mar 17, 2021):

It seems like the script is being deleted from the temp folder, and the agent isn't automatically re-downloading it until it's recovered. The most recent one was actually not too long after a reboot.
Edit: which makes sense, if Windows empties the temp folder after a reboot. But it just keeps failing until the agent is recovered, so maybe the agent needs to know to re-download the script if it isn't there already.

<!-- gh-comment-id:801479797 --> @sdm216 commented on GitHub (Mar 17, 2021): It seems like the script is being deleted from the temp folder, and the agent isn't automatically re-downloading it until it's recovered. The most recent one was actually not too long after a reboot. Edit: which makes sense, if Windows empties the temp folder after a reboot. But it just keeps failing until the agent is recovered, so maybe the agent needs to know to re-download the script if it isn't there already.

kerem commented 2026-03-14 02:48:24 +03:00

Author

Owner

Copy link

@dinger1986 commented on GitHub (Mar 17, 2021):

The way the scripts work in my understanding is they are downloaded and ran each and every time.

When you said you checked defender logs did you check in event viewer?

<!-- gh-comment-id:801480397 --> @dinger1986 commented on GitHub (Mar 17, 2021): The way the scripts work in my understanding is they are downloaded and ran each and every time. When you said you checked defender logs did you check in event viewer?

kerem commented 2026-03-14 02:48:29 +03:00

Author

Owner

Copy link

@sdm216 commented on GitHub (Mar 17, 2021):

Yeah, under Applications & Service Logs> Microsoft > Windows > Windows Defender > Operational. I monitor this log for the events indicating it found something, but I did check manually as well.

<!-- gh-comment-id:801480907 --> @sdm216 commented on GitHub (Mar 17, 2021): Yeah, under Applications & Service Logs> Microsoft > Windows > Windows Defender > Operational. I monitor this log for the events indicating it found something, but I did check manually as well.

kerem commented 2026-03-14 02:48:34 +03:00

Author

Owner

Copy link

@sdm216 commented on GitHub (Mar 17, 2021):

Should also note I have all Attack Surface Reduction Rules enabled, but again, it isn't logging that it blocked anything, which it would if it was.

<!-- gh-comment-id:801481470 --> @sdm216 commented on GitHub (Mar 17, 2021): Should also note I have all Attack Surface Reduction Rules enabled, but again, it isn't logging that it blocked anything, which it would if it was.

kerem commented 2026-03-14 02:48:40 +03:00

Author

Owner

Copy link

@dinger1986 commented on GitHub (Mar 17, 2021):

Ok that's fine, just making sure, like I said I have noticed it. I'll keep an eye on it. @wh1te909 have you seen this happening on your machines?

<!-- gh-comment-id:801481675 --> @dinger1986 commented on GitHub (Mar 17, 2021): Ok that's fine, just making sure, like I said I have noticed it. I'll keep an eye on it. @wh1te909 have you seen this happening on your machines?

kerem commented 2026-03-14 02:48:45 +03:00

Author

Owner

Copy link

@wh1te909 commented on GitHub (Mar 17, 2021):

ive had this happen only once on 1 agent since I released the fix for the original but. Seems something is deleting the trmm folder in C:\Windows\TEMP.

The agent creates this directory everytime the tacticalagent windows service starts up, which is why doing a recovery fixes it cuz part of the recovery is to restart that service.

I've fixed this already here github.com/wh1te909/rmmagent@67a8ab822c which will just create the directory if it doesn't exist right before running a script. It will be in the next agent release

<!-- gh-comment-id:801495715 --> @wh1te909 commented on GitHub (Mar 17, 2021): ive had this happen only once on 1 agent since I released the fix for the original but. Seems something is deleting the `trmm` folder in C:\Windows\TEMP. The agent creates this directory everytime the `tacticalagent` windows service starts up, which is why doing a recovery fixes it cuz part of the recovery is to restart that service. I've fixed this already here https://github.com/wh1te909/rmmagent/commit/67a8ab822c762a819fd65bc8734ba3fd291c547a which will just create the directory if it doesn't exist right before running a script. It will be in the next agent release

kerem commented 2026-03-14 02:48:50 +03:00

Author

Owner

Copy link

@wh1te909 commented on GitHub (Mar 19, 2021):

Fixed in 0.4.27 / agent 1.4.13

<!-- gh-comment-id:802566625 --> @wh1te909 commented on GitHub (Mar 19, 2021): Fixed in 0.4.27 / agent 1.4.13

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

1.0.0

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.20.1

v0.20.0

v0.19.4

v0.19.3

v0.19.2

v0.19.1

v0.19.0

v0.18.2

v0.18.1

v0.18.0

v0.17.5

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.5

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.12

v0.15.11

v0.15.10

v0.15.9

v0.15.8

v0.15.7

v0.15.6

v0.15.5

v0.15.4

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.8

v0.14.7

v0.14.6

v0.14.5

v0.14.4

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.4

v0.13.3

v0.13.2

v0.13.1

v0.13.0

v0.12.4

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.2

v0.9.1

v0.9.0

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.32

v0.4.31

v0.4.30

v0.4.29

v0.4.28

v0.4.27

v0.4.26

v0.4.25

v0.4.24

v0.4.23

v0.4.22

v0.4.21

v0.4.20

v0.4.19

v0.4.18

v0.4.17

v0.4.16

v0.4.15

v0.4.14

v0.4.13

v0.4.12

v0.4.11

v0.4.10

v0.4.9

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.23

v0.2.22

v0.2.21

v0.2.20

v0.2.19

v0.2.18

v0.2.17

v0.2.16

v0.2.15

v0.2.14

v0.2.13

v0.2.12

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.8

v0.1.7

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels   

In Process

  

bug

  

bug

  

dev-triage

  

documentation

  

duplicate

  

enhancement

  

fixed

  

good first issue

  

help wanted

  

integration

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

requires agent update

  

security

  

ui tweak

  

wontfix

No labels

In Process

bug

bug

dev-triage

documentation

duplicate

enhancement

fixed

good first issue

help wanted

integration

invalid

pull-request

question

requires agent update

security

ui tweak

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/tacticalrmm#2157

No description provided.