Kaseya Community

Search SQL for Agent Procedure

Hi,

One of our employees has left our company and their user account has been removed. We have found 2 years down the line that they scheduled a procedure to run that sends a message to a large number of our customers every week.

We don't want the message to run any longer. We have searched Agent procedures, searched the Kaseya servers and gone through all sections of the system to find the message with no luck. We have also recreated the user account with all of the same details and the message does not show linked to his profile.

The message asks users to leave their machines on overnight for patching to take place. This is a custom message with email and telephone contact details in and therefore this cannot be a built-in default message.

We have attempted to search SQL for the message/script with no luck. Does anyone know of any way to search all tables within SQL to find the message or script and how to remove it?

We have nearly 1000 machines and it would be hours of work to live connect to all machines and manually remove the message.

Any help is greatly appreciated.

All Replies
  • Are you sure the email is being sent via Kaseya?

    If it's just a message asking users to leave their machines on, it could be sent via any number of means other than a Kaseya script.

    If it is Kaseya look in the [ksubscribers].[dbo].[scriptThenElse]

    The lines that represent sending emails are where tefunc = 30

    [teFuncParam1] = the send to address

    [teFuncParam2] = the Email Subject

    [teFuncParam3] = the Email Message

    From this you can see the [ScriptID], then look in the [ksubscribers].[dbo].[scriptIdTab] table to find the Scriptname.

    Then you can search your agent procedures for that specific script.

    Hope this helps

    Paul

  • Just another thought...

    The script could be calling an external email app that is sending the messages, in which case you need to look at scripts that are executing a command or file instead of directly sending an email.

    In the past I've used a program called postie to automate sending emails, and I call this via an Execute Shell Command step.

    So as above but:

    tefunc = 7 for all the Execute File steps

    or

    tefunc = 20 for all the Execute Shell Command steps

    Cheers

    Paul

  • I would take a stab in the dark and say that your employee stored these agent procedures in his "myProcedures". Normally the account used to delete a Kaseya portal account would then take ownership of all that deleted portal account's procedures, monitor sets and reports, and they will appear under the Private cabinets for each of the modules.

    I have several of these "myProcedures" folders under the Private cabinet of ex-staff that I can get rid of as you can't delete these other "myProcedures" folders for some reason.

    Also, if you recreate the account you might be able to get access to the procedures; this happened to me a few years back, however Kaseya might have changed this.

  • Have you checked in Patch Management > Pre/Post Procedure? This is a common place to set these warnings.

    The simplest way however is to go to Agent > Agent Logs - choose a machine where you know when the message appeared - choose agent procedure log and see what procedure ran at that time. This is the only way that your Kaseya server can be doing this. As HardKnox says, whoever deleted his account will have taken ownership of the procedure.

  • As you've said you can see a procedure called Patch Management Message, try this:

    Using a Master account go to System > Preferences - tick the box beside Show shared and private folder contents from all users - Master Admin Only

    Now go to Agent Procedures and use the search facility at the top to search for Patch Management Message - you should now see the procedure as you'll have access to everyone's procedures.

    If you can't see it through here then I'd advise that you log a ticket and get Kaseya to remove it from your SQL db. Unless you're happy doing that yourself.

  • We have tried this and there are still no procedures in the user's myprocedures folders. I would be happy to remove the procedure from the SQL db myself, however I am uncertain how to find the procedure in the db. Are you able to explain how to find the procedure and what the best way of removing it is?

  • Hi Paul,

    Thanks for your help, although I must mention that this is not an email that is being sent. The message is an on-screen message in the form of a pop-up on the user's screen. We know that the message is being initiated by Kaseya due to the fact that when you Live Connect onto a machine that is receiving a message there is a procedure by the name of "Patch Management Message" scheduled.

  • Hi HardKnoX,

    I have checked in private procedures, I have given my user account full access to the user's myprocedures folder which is empty, and when the user is recreated none of their profile returns to the way it previously was. It appears that the profile is being remade from scratch as a new user and does not merge with the old user even though it has the same details and logon name.

  • Try searching [ksubscribers].[dbo].[scriptThenElse] for tefunc = 12 as these are the Message steps.
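
The lookups suggested in this thread (steps in scriptThenElse filtered by tefunc, then resolved to a name through scriptIdTab), combined into one read-only T-SQL query. This is an added example, not part of any reply and not Kaseya's own code. The table names, step columns and tefunc values are the ones quoted in the replies; the join column on scriptIdTab and the search text are assumptions.

```sql
-- Read-only audit query: lists procedure steps that can put a message in
-- front of a user, with the procedure name where one can be resolved.
-- Run against a backup or with a read-only login before changing anything.
USE ksubscribers;

-- Constructed search text: a word taken from the pop-up described in the
-- thread. Replace with wording from the actual message.
DECLARE @needle nvarchar(200) = N'%overnight%';

SELECT
    s.ScriptID,
    t.Scriptname,
    s.tefunc,
    CASE s.tefunc                       -- meanings as given in the replies
        WHEN 7  THEN 'Execute File'
        WHEN 12 THEN 'Message'
        WHEN 20 THEN 'Execute Shell Command'
        WHEN 30 THEN 'Send Email'
    END AS StepType,
    s.teFuncParam1,
    s.teFuncParam2,
    s.teFuncParam3
FROM dbo.scriptThenElse AS s
-- LEFT JOIN so steps whose procedure row is missing still appear;
-- a NULL Scriptname marks an orphaned step worth a closer look.
LEFT JOIN dbo.scriptIdTab AS t
    ON t.ScriptID = s.ScriptID          -- assumption: key column name on scriptIdTab
WHERE s.tefunc IN (7, 12, 20, 30)
  AND (   s.teFuncParam1 LIKE @needle   -- the thread does not say which
       OR s.teFuncParam2 LIKE @needle   -- parameter holds the text of a
       OR s.teFuncParam3 LIKE @needle   -- Message step, so check all three
       OR t.Scriptname   LIKE N'%Patch Management Message%')
ORDER BY t.Scriptname, s.ScriptID;
```

The query only reads; the ScriptID values it returns are what to quote in a support ticket or to look up in Agent Procedures before anything is removed.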

  • jsmylie

    Hi HardKnoX,

    I have checked in private procedures, I have given my user account full access to the user's myprocedures folder which is empty, and when the user is recreated none of their profile returns to the way it previously was. It appears that the profile is being remade from scratch as a new user and does not merge with the old user even though it has the same details and logon name.

    Can you see that removed user's myProcedures folder under the account that removed him? If it is empty then my first guess that it is under the Private cabinet was more than likely wrong.

    The next step is to try and locate the procedure in KLC from the Agent Data > Pending Procedures menu button and look under the Procedure History pane. This history pane does not have scroll bars so you need to try and look at it just after the event occurred or you will need to run a report. You can also look under the Pending Procedures pane and use the "ALT + secret button" trick to look at any procedures that you don't recognize.

    Once you have located the procedure name, log in as a Master admin and filter search the Shared cabinet for the procedure. Master Admins are supposed to be able to see all the procedures under the Shared cabinet.

  • Or upgrade to 6.3!!! It makes changes to what a Master user can see...

    From the Release notes for 6.3:

    Take Ownership Removed

    In previous releases master users had an additional right, called Take Ownership, that allowed master users to "take ownership" of any shared folder or shared object. Take ownership gave the new owner full access to the folder or object, as though they were the original creator. The "take ownership" feature has been removed throughout the VSA. As of this release, ownership is now defined as any user/role that has Share permissions to a specific folder or object. Any user with a master role has full control of private and shared folders without having to take ownership first. The only exceptions are "system content" folders and objects like the "Sample Procedures" folder.