sync: auto-sync from HOWARD-HOME at 2026-06-29 14:23:40
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-29 14:23:40
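--- /dev/null
+++ b/PATH_NOT_ON_PAGE/DESKTOP-GG4LKSL-snapshot.json
@@ -0,0 +1,744 @@
+{
+"host": "DESKTOP-GG4LKSL",
+"collected_at_utc": "2026-06-29T21:17:50Z",
+"os": {
+"caption": "Microsoft Windows 11 Pro",
+"version": "10.0.26200",
+"build": "26200",
+"install_date": "2025-06-30T15:13:20Z",
+"last_boot_utc": "2026-06-29T14:27:52Z",
+"architecture": "64-bit"
+},
+"facts": {
+"builtin_admin_enabled": false,
+"os_eol": {
+"eol_date": "2027-10-12",
+"release": "Win11 25H2"
+},
+"pending_updates": 4,
+"pending_reboot": false,
+"uptime_days": 0.3,
+"acg_managed_tools": "ScreenConnect / ConnectWise Control",
+"hardware": {
+"model": "HP Pavilion Gaming Desktop TG01-2xxx",
+"manufacturer": "HP",
+"bios_date": "2023-07-11",
+"cpu_logical": 16,
+"bios_version": "F.21",
+"cpu_cores": 8,
+"ram_gb": 31.8,
+"serial": "4CE136C774",
+"cpu": "11th Gen Intel(R) Core(TM) i7-11700F @ 2.50GHz"
+},
+"third_party_av_active": false,
+"os_build": "26200",
+"secure_boot": false,
+"backup_agents": null,
+"autoruns_run_keys": [
+{
+"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
+"name": "SecurityHealth",
+"value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
+},
+{
+"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
+"name": "QuickFinder Scheduler",
+"value": "\"c:\\Program Files (x86)\\Corel\\WordPerfect Office 2021\\Programs\\QFSCHD210.EXE\""
+}
+],
+"physical_disks": [
+{
+"health": "Healthy",
+"model": "Seagate Backup+ BK",
+"media_type": "Unspecified"
+},
+{
+"health": "Healthy",
+"model": "WD Green SN350 1TB 2G0C",
+"media_type": "SSD"
+}
+],
+"local_users": [
+{
+"last_logon": "",
+"name": "Administrator",
+"password_never_expires": false,
+"enabled": false
+},
+{
+"last_logon": "",
+"name": "DefaultAccount",
+"password_never_expires": false,
+"enabled": false
+},
+{
+"last_logon": "2025-06-30",
+"name": "Guest",
+"password_never_expires": false,
+"enabled": false
+},
+{
+"last_logon": "2026-06-29",
+"name": "Localadmin",
+"password_never_expires": false,
+"enabled": true
+},
+{
+"last_logon": "2026-06-29",
+"name": "owner",
+"password_never_expires": false,
+"enabled": true
+},
+{
+"last_logon": "",
+"name": "WDAGUtilityAccount",
+"password_never_expires": false,
+"enabled": false
+}
+],
+"scheduled_tasks_count": 18,
+"volumes": [
+{
+"drive": "D:",
+"size_gb": 465.8,
+"free_pct": 14.6,
+"free_gb": 68.1
+},
+{
+"drive": "[unlabeled]",
+"size_gb": 0.7,
+"free_pct": 8.3,
+"free_gb": 0.1
+},
+{
+"drive": "[unlabeled]",
+"size_gb": 0.1,
+"free_pct": 38.7,
+"free_gb": 0
+},
+{
+"drive": "C:",
+"size_gb": 930.6,
+"free_pct": 74.2,
+"free_gb": 690.6
+}
+],
+"network_adapters": [
+{
+"dhcp": false,
+"description": "Intel(R) Wi-Fi 6 AX201 160MHz",
+"gateway": [
+"192.168.1.1"
+],
+"mac": "4C:44:5B:57:C8:D0",
+"ip": [
+"192.168.1.135",
+"fe80::b290:dac4:8c2:f9d6"
+],
+"dns": [
+null
+]
+}
+],
+"failed_autostart_services": [
+{
+"name": "GoogleUpdaterInternalService150.0.7863.0",
+"display": "Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)",
+"state": "Stopped"
+},
+{
+"name": "GoogleUpdaterService150.0.7863.0",
+"display": "Google Updater Service (GoogleUpdaterService150.0.7863.0)",
+"state": "Stopped"
+},
+{
+"name": "Intel(R) TPM Provisioning Service",
+"display": "Intel(R) TPM Provisioning Service",
+"state": "Stopped"
+}
+],
+"stability_14d": {
+"unexpected_shutdowns": 1,
+"disk_errors": 0,
+"bugchecks": 0
+},
+"exposure": {
+"smb1_enabled": false,
+"laps_present": true,
+"rdp_enabled": false,
+"uac_enabled": true,
+"rdp_nla": true
+},
+"accounts_password_never_expires": [],
+"installed_software": [
+{
+"publisher": "Adobe",
+"name": "Adobe Acrobat (64-bit)",
+"version": "26.001.21691"
+},
+{
+"publisher": "Adobe Systems Incorporated",
+"name": "Adobe Refresh Manager",
+"version": "1.8.0"
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Copilot",
+"version": "149.0.4022.80"
+},
+{
+"publisher": "Corel corporation",
+"name": "Corel Update Manager",
+"version": "2.14.630"
+},
+{
+"publisher": "Google LLC",
+"name": "Google Chrome",
+"version": "149.0.7827.197"
+},
+{
+"publisher": "",
+"name": "HP LaserJet Professional P1100-P1560-P1600 Series",
+"version": ""
+},
+{
+"publisher": "Vantage Linguistics",
+"name": "iSEEK AnswerWorks English Runtime",
+"version": "010.000.0101"
+},
+{
+"publisher": "Chaos Software Group, Inc.",
+"name": "Legal Billing",
+"version": ""
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Microsoft 365 Apps for business - en-us",
+"version": "16.0.20026.20182"
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Microsoft Edge",
+"version": "149.0.4022.98"
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Microsoft Edge WebView2 Runtime",
+"version": "149.0.4022.98"
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Microsoft OneDrive",
+"version": "26.106.0603.0003"
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Microsoft Update Health Tools",
+"version": "5.72.0.0"
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Microsoft Visual Basic for Applications 7.1 (x86)",
+"version": "7.1.00.00"
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Microsoft Visual Basic for Applications 7.1 (x86) English",
+"version": "7.1.0.0"
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35211",
+"version": "14.44.35211.0"
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.44.35211",
+"version": "14.44.35211.0"
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35211",
+"version": "14.44.35211"
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35211",
+"version": "14.44.35211"
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.44.35211",
+"version": "14.44.35211"
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.44.35211",
+"version": "14.44.35211"
+},
+{
+"publisher": "NVIDIA Corporation",
+"name": "NVIDIA Control Panel 391.35",
+"version": "391.35"
+},
+{
+"publisher": "NVIDIA Corporation",
+"name": "NVIDIA Display Container",
+"version": "1.2"
+},
+{
+"publisher": "NVIDIA Corporation",
+"name": "NVIDIA Display Container LS",
+"version": "1.2"
+},
+{
+"publisher": "NVIDIA Corporation",
+"name": "NVIDIA Display Session Container",
+"version": "1.2"
+},
+{
+"publisher": "NVIDIA Corporation",
+"name": "NVIDIA Display Watchdog Plugin",
+"version": "1.2"
+},
+{
+"publisher": "NVIDIA Corporation",
+"name": "NVIDIA Install Application",
+"version": "2.1002.275.2323"
+},
+{
+"publisher": "Microsoft Corporation",
+"name": "Office 16 Click-to-Run Extensibility Component",
+"version": "16.0.20026.20076"
+},
+{
+"publisher": "Intuit",
+"name": "Quicken 2013",
+"version": "22.1.12.7"
+},
+{
+"publisher": "ScreenConnect Software",
+"name": "ScreenConnect Client (1912bf3444b41a08)",
+"version": "26.3.11.9650"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021",
+"version": "21.0.0.81"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - Common Files",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - Common Files English",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - IPM",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - IPM Content",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - Lightning Files",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - Lightning Files English",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - Presentations Files",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - Presentations Files English",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - Quattro Pro Files",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - Quattro Pro Files English",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - Redists",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - Setup Files",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - WordPerfect Files",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - WordPerfect Files English",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office 2021 - WPD format Props x64",
+"version": "21.0"
+},
+{
+"publisher": " Corel Corporation",
+"name": "WordPerfect Office 2021 - Writing Tools",
+"version": "21.0"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office IFilter 32-bit",
+"version": "1.8"
+},
+{
+"publisher": "Corel Corporation",
+"name": "WordPerfect Office IFilter 64-bit",
+"version": "1.8"
+}
+],
+"tpm": {
+"enabled": true,
+"ready": true,
+"present": true
+},
+"local_groups": [
+"Access Control Assistance Operators",
+"Administrators",
+"Backup Operators",
+"Cryptographic Operators",
+"Device Owners",
+"Distributed COM Users",
+"Event Log Readers",
+"Guests",
+"Hyper-V Administrators",
+"IIS_IUSRS",
+"Network Configuration Operators",
+"OpenSSH Users",
+"Performance Log Users",
+"Performance Monitor Users",
+"Power Users",
+"Remote Desktop Users",
+"Remote Management Users",
+"Replicator",
+"System Managed Accounts Group",
+"User Mode Hardware Operators",
+"Users"
+],
+"battery": {
+"present": false
+},
+"activation": {
+"edition": "Microsoft Windows 11 Pro",
+"description": "Windows(R) Operating System, OEM_DM channel",
+"licensed": true,
+"license_status_code": 1
+},
+"time_source": "time1.aliyun.com",
+"chassis_types": [
+3
+],
+"last_hotfix": {
+"hotfix_id": "KB5094126",
+"installed_on": "2026-06-10T07:00:00Z"
+},
+"scheduled_tasks": [
+{
+"path": "\\",
+"name": "Adobe Acrobat Update Task",
+"state": "Ready"
+},
+{
+"path": "\\",
+"name": "CorelUpdateHelperTask-6FE3C4EAF0EA6F48A355A006CED9B153",
+"state": "Ready"
+},
+{
+"path": "\\",
+"name": "CorelUpdateHelperTaskCore",
+"state": "Ready"
+},
+{
+"path": "\\",
+"name": "MicrosoftEdgeUpdateTaskMachineCore",
+"state": "Ready"
+},
+{
+"path": "\\",
+"name": "MicrosoftEdgeUpdateTaskMachineUA",
+"state": "Ready"
+},
+{
+"path": "\\",
+"name": "OneDrive Per-Machine Standalone Update Task",
+"state": "Ready"
+},
+{
+"path": "\\",
+"name": "OneDrive Reporting Task-S-1-5-21-176541868-3255397159-941698718-1001",
+"state": "Ready"
+},
+{
+"path": "\\",
+"name": "OneDrive Reporting Task-S-1-5-21-176541868-3255397159-941698718-1002",
+"state": "Ready"
+},
+{
+"path": "\\",
+"name": "OneDrive Startup Task-S-1-5-21-176541868-3255397159-941698718-1001",
+"state": "Ready"
+},
+{
+"path": "\\",
+"name": "OneDrive Startup Task-S-1-5-21-176541868-3255397159-941698718-1002",
+"state": "Ready"
+},
+{
+"path": "\\",
+"name": "RtkAudUService64_BG",
+"state": "Running"
+},
+{
+"path": "\\",
+"name": "ZoomUpdateTaskUser-S-1-5-21-176541868-3255397159-941698718-1002",
+"state": "Ready"
+},
+{
+"path": "\\GoogleSystem\\GoogleUpdater\\",
+"name": "GoogleUpdaterTaskSystem150.0.7863.0{187F8684-438D-4B52-A213-1183A437F60E}",
+"state": "Ready"
+},
+{
+"path": "\\GoogleUserPEH\\",
+"name": "RunPlatformExperienceHelperOnUnlock",
+"state": "Ready"
+},
+{
+"path": "\\GoogleUserPEH\\",
+"name": "RunPlatformExperienceHelper_Daily",
+"state": "Ready"
+},
+{
+"path": "\\GoogleUserPEH\\",
+"name": "RunPlatformExperienceHelper_Metrics",
+"state": "Ready"
+},
+{
+"path": "\\SoftLanding\\S-1-5-21-176541868-3255397159-941698718-1002\\",
+"name": "SoftLandingCreativeManagementTask",
+"state": "Ready"
+},
+{
+"path": "\\SoftLanding\\S-1-5-21-176541868-3255397159-941698718-1002\\",
+"name": "SoftLandingDeferralTask-{7f5041b8-2c64-40bd-a455-a605b3186491}",
+"state": "Ready"
+}
+],
+"antivirus_products": [
+"Windows Defender"
+],
+"domain_joined": false,
+"defender": {
+"antispyware_signature_age": 0,
+"tamper_protected": true,
+"real_time_protection": true,
+"nis_enabled": true,
+"available": true,
+"antivirus_enabled": true,
+"am_service_enabled": true
+},
+"bitlocker": {
+"os_volume": "C:",
+"key_protectors": [],
+"recovery_key_present": false,
+"available": true,
+"encryption_percent": 0,
+"protection_status": "Off"
+},
+"is_laptop": false,
+"installed_software_count": 50,
+"local_administrators": [
+"DESKTOP-GG4LKSL\\Administrator",
+"DESKTOP-GG4LKSL\\Localadmin",
+"DESKTOP-GG4LKSL\\owner"
+],
+"firewall_profiles": {
+"Private": true,
+"Domain": true,
+"Public": true
+},
+"domain": "WORKGROUP",
+"foreign_agents": null
+},
+"findings": [
+{
+"id": "sec.defender.ok",
+"category": "security",
+"severity": "info",
+"title": "Defender active and current",
+"detail": "Real-time protection on, service running, signatures current.",
+"evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True"
+},
+{
+"id": "sec.av_products.defender_only",
+"category": "security",
+"severity": "info",
+"title": "Defender is the only registered AV",
+"detail": "Only Microsoft/Windows Defender is registered in Security Center.",
+"evidence": "Windows Defender"
+},
+{
+"id": "sec.foreign_agents.none",
+"category": "security",
+"severity": "info",
+"title": "No competitor/leftover management agents detected",
+"detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.",
+"evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service"
+},
+{
+"id": "sec.foreign_agents.acg.screenconnect_connectwise_control",
+"category": "security",
+"severity": "info",
+"title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control",
+"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
+"evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running"
+},
+{
+"id": "sec.firewall.ok",
+"category": "security",
+"severity": "info",
+"title": "All firewall profiles enabled",
+"detail": "Domain, Private, and Public firewall profiles are all enabled.",
+"evidence": "Private=True; Domain=True; Public=True"
+},
+{
+"id": "sec.bitlocker.unencrypted",
+"category": "security",
+"severity": "warning",
+"title": "OS volume is NOT encrypted with BitLocker",
+"detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.",
+"evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors="
+},
+{
+"id": "sec.local_admins.list",
+"category": "security",
+"severity": "info",
+"title": "Local administrators (3)",
+"detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).",
+"evidence": "DESKTOP-GG4LKSL\\Administrator\nDESKTOP-GG4LKSL\\Localadmin\nDESKTOP-GG4LKSL\\owner"
+},
+{
+"id": "sec.patch.os_supported",
+"category": "security",
+"severity": "info",
+"title": "OS build supported: Win11 25H2",
+"detail": "Build 26200 (Win11 25H2) is in support until 2027-10-12.",
+"evidence": "Microsoft Windows 11 Pro build 26200"
+},
+{
+"id": "sec.patch.pending",
+"category": "security",
+"severity": "warning",
+"title": "4 pending Windows updates",
+"detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.",
+"evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 4"
+},
+{
+"id": "sec.patch.last_hotfix",
+"category": "security",
+"severity": "info",
+"title": "Last hotfix: KB5094126",
+"detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).",
+"evidence": "KB5094126 installed 2026-06-10T07:00:00Z"
+},
+{
+"id": "sec.exposure.smb1_off",
+"category": "security",
+"severity": "info",
+"title": "SMBv1 disabled",
+"detail": "SMBv1 server protocol is disabled.",
+"evidence": "EnableSMB1Protocol=False"
+},
+{
+"id": "sec.exposure.laps_present",
+"category": "security",
+"severity": "info",
+"title": "LAPS detected",
+"detail": "A LAPS mechanism is present.",
+"evidence": "Windows LAPS reg key"
+},
+{
+"id": "health.disk_space.D",
+"category": "health",
+"severity": "warning",
+"title": "Disk low: D: at 14.6% free",
+"detail": "Less than 15 percent free. Plan cleanup or expansion.",
+"evidence": "D: free 68.1 GB of 465.8 GB (14.6%)"
+},
+{
+"id": "health.stability.some",
+"category": "health",
+"severity": "warning",
+"title": "Stability events present in the last 14 days",
+"detail": "One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.",
+"evidence": "Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0"
+},
+{
+"id": "health.failed_services.stopped",
+"category": "health",
+"severity": "warning",
+"title": "3 auto-start service(s) not running",
+"detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.",
+"evidence": "GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped\nGoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped\nIntel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped"
+},
+{
+"id": "health.domain.workgroup",
+"category": "health",
+"severity": "info",
+"title": "Not domain-joined (workgroup)",
+"detail": "This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.",
+"evidence": "PartOfDomain=False; Domain=WORKGROUP"
+},
+{
+"id": "health.time.source",
+"category": "health",
+"severity": "info",
+"title": "Time service source",
+"detail": "Current Windows Time service source.",
+"evidence": "Source=time1.aliyun.com"
+},
+{
+"id": "health.backup.none",
+"category": "health",
+"severity": "info",
+"title": "No backup agent detected",
+"detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.",
+"evidence": "No matching backup service in Win32_Service"
+}
+]
+}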
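Review bot: `"secure_boot": false` under `facts` is collected but never evaluated — no entry in `findings` reports it even though the `tpm` block shows the platform is present and ready, and the rendered baseline for this host in the next file prints Secure Boot as `?`; a finding in the existing id style (constructed example: `sec.exposure.secure_boot_off`, severity `warning`, evidence `SecureBoot=False`) belongs in the collector that emits this snapshot. The file also encodes "absent" four different ways — `backup_agents` and `foreign_agents` are `null`, `accounts_password_never_expires` and `bitlocker.key_protectors` are `[]`, `network_adapters[0].dns` is `[null]`, and `local_users[].last_logon` is `""` — so every consumer must special-case each key, where `[]` for empty lists and `null` for unknown scalars would parse uniformly. Multi-valued `evidence` strings (the local-administrators list, the stopped-services list) are newline-joined rather than arrays, which loses addressability for anything that wants to diff baselines field by field. `health.time.source` is emitted at `info` regardless of value; since time is an input to authentication and log correlation, a source that is neither the Windows default nor one the client configured (here `time1.aliyun.com`) merits at least `warning` so it is actually reviewed.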
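--- /dev/null
+++ b/PATH_NOT_ON_PAGE/DESKTOP-GG4LKSL-baseline.md
@@ -0,0 +1,226 @@
+# Onboarding Diagnostic Baseline - DESKTOP-GG4LKSL
+
+- **Grade:** AMBER
+- **Host:** DESKTOP-GG4LKSL
+- **Client:** Michael Johnson (`michaeljohnson`)
+- **Collected (UTC):** 2026-06-29T21:17:50Z
+- **Agent ID:** 09c08484-2b51-404b-a294-6e39f498867c
+- **Command ID:** 67f70181-51cd-470e-a9e2-edd2d53df135
+- **Findings:** 0 critical / 5 warning / 13 info / 0 unknown
+
+- **OS:** Microsoft Windows 11 Pro (build 26200)
+
+---
+
+## WARNING (5)
+
+### OS volume is NOT encrypted with BitLocker
+- **Category:** security
+- **ID:** `sec.bitlocker.unencrypted`
+- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.
+
+```
+Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
+```
+
+### 4 pending Windows updates
+- **Category:** security
+- **ID:** `sec.patch.pending`
+- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
+
+```
+Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 4
+```
+
+### Disk low: D: at 14.6% free
+- **Category:** health
+- **ID:** `health.disk_space.D`
+- Less than 15 percent free. Plan cleanup or expansion.
+
+```
+D: free 68.1 GB of 465.8 GB (14.6%)
+```
+
+### Stability events present in the last 14 days
+- **Category:** health
+- **ID:** `health.stability.some`
+- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
+
+```
+Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
+```
+
+### 3 auto-start service(s) not running
+- **Category:** health
+- **ID:** `health.failed_services.stopped`
+- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
+
+```
+GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped
+GoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped
+Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
+```
+
+
+## INFO (13)
+
+### Defender active and current
+- **Category:** security
+- **ID:** `sec.defender.ok`
+- Real-time protection on, service running, signatures current.
+
+```
+RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
+```
+
+### Defender is the only registered AV
+- **Category:** security
+- **ID:** `sec.av_products.defender_only`
+- Only Microsoft/Windows Defender is registered in Security Center.
+
+```
+Windows Defender
+```
+
+### No competitor/leftover management agents detected
+- **Category:** security
+- **ID:** `sec.foreign_agents.none`
+- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
+
+```
+Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
+```
+
+### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
+- **Category:** security
+- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
+- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
+
+```
+program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650
+service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
+```
+
+### All firewall profiles enabled
+- **Category:** security
+- **ID:** `sec.firewall.ok`
+- Domain, Private, and Public firewall profiles are all enabled.
+
+```
+Private=True; Domain=True; Public=True
+```
+
+### Local administrators (3)
+- **Category:** security
+- **ID:** `sec.local_admins.list`
+- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
+
+```
+DESKTOP-GG4LKSL\Administrator
+DESKTOP-GG4LKSL\Localadmin
+DESKTOP-GG4LKSL\owner
+```
+
+### OS build supported: Win11 25H2
+- **Category:** security
+- **ID:** `sec.patch.os_supported`
+- Build 26200 (Win11 25H2) is in support until 2027-10-12.
+
+```
+Microsoft Windows 11 Pro build 26200
+```
+
+### Last hotfix: KB5094126
+- **Category:** security
+- **ID:** `sec.patch.last_hotfix`
+- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
+
+```
+KB5094126 installed 2026-06-10T07:00:00Z
+```
+
+### SMBv1 disabled
+- **Category:** security
+- **ID:** `sec.exposure.smb1_off`
+- SMBv1 server protocol is disabled.
+
+```
+EnableSMB1Protocol=False
+```
+
+### LAPS detected
+- **Category:** security
+- **ID:** `sec.exposure.laps_present`
+- A LAPS mechanism is present.
+
+```
+Windows LAPS reg key
+```
+
+### Not domain-joined (workgroup)
+- **Category:** health
+- **ID:** `health.domain.workgroup`
+- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
+
+```
+PartOfDomain=False; Domain=WORKGROUP
+```
+
+### Time service source
+- **Category:** health
+- **ID:** `health.time.source`
+- Current Windows Time service source.
+
+```
+Source=time1.aliyun.com
+```
+
+### No backup agent detected
+- **Category:** health
+- **ID:** `health.backup.none`
+- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
+
+```
+No matching backup service in Win32_Service
+```
+
+
+---
+
+## Inventory Baseline Summary
+
+- **Manufacturer / Model:** HP / HP Pavilion Gaming Desktop TG01-2xxx
+- **Serial:** 4CE136C774
+- **CPU:** 11th Gen Intel(R) Core(TM) i7-11700F @ 2.50GHz (8 cores / 16 logical)
+- **RAM (GB):** 31.8
+- **BIOS:** F.21 (2023-07-11)
+- **Chassis is laptop:** false
+- **TPM present / Secure Boot:** true / ?
+- **Domain joined:** false (WORKGROUP)
+- **OS activation licensed:** true
+- **Uptime (days):** 0.3
+- **Pending reboot:** false
+- **Installed software count:** 50
+- **Scheduled tasks (non-MS, enabled):** 18
+- **Local administrators:** DESKTOP-GG4LKSL\Administrator, DESKTOP-GG4LKSL\Localadmin, DESKTOP-GG4LKSL\owner
+
+### Fixed volumes
+
+- D: - 68.1 GB free of 465.8 GB (14.6%)
+- [unlabeled] - 0.1 GB free of 0.7 GB (8.3%)
+- [unlabeled] - 0 GB free of 0.1 GB (38.7%)
+- C: - 690.6 GB free of 930.6 GB (74.2%)
+
+### Network adapters
+
+- Intel(R) Wi-Fi 6 AX201 160MHz - IP: 192.168.1.135, fe80::b290:dac4:8c2:f9d6 - DNS: - DHCP: false
+
+---
+
+## Diff vs Prior Baseline
+
+- No prior baseline found for this host. This is the first baseline.
+
+---
+
+_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `DESKTOP-GG4LKSL-20260629T211835.json` (immutable)._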
@@ -0,0 +1,254 @@
|
||||
# Onboarding Diagnostic Baseline - MJ-PARALEGAL
|
||||
|
||||
- **Grade:** RED
|
||||
- **Host:** MJ-PARALEGAL
|
||||
- **Client:** Michael Johnson (`michaeljohnson`)
|
||||
- **Collected (UTC):** 2026-06-29T21:17:55Z
|
||||
- **Agent ID:** 4537ac34-e548-484c-b4e9-fd91e7f97a23
|
||||
- **Command ID:** a3095ece-7fd3-4751-acc6-867a1b41507b
|
||||
- **Findings:** 2 critical / 4 warning / 14 info / 0 unknown
|
||||
|
||||
- **OS:** Microsoft Windows 11 Pro (build 26200)
|
||||
|
||||
---
|
||||
|
||||
## CRITICAL (2)
|
||||
|
||||
### Firewall disabled on profile(s): Private, Public
|
||||
- **Category:** security
|
||||
- **ID:** `sec.firewall.disabled`
|
||||
- One or more firewall profiles are OFF. The endpoint is exposed to lateral movement and inbound attacks on those networks. Re-enable all profiles.
|
||||
|
||||
```
|
||||
Profile states: Private=False; Domain=True; Public=False
|
||||
```
|
||||
|
||||
### Disk critically low: E: at 0% free
|
||||
- **Category:** health
|
||||
- **ID:** `health.disk_space.E`
|
||||
- Less than 8 percent free. Risk of failed updates, crashes, and corruption. Free space or expand the volume urgently.
|
||||
|
||||
```
|
||||
E: free 0 GB of 255.6 GB (0%)
|
||||
```
|
||||
|
||||
|
||||
## WARNING (4)
|
||||
|
||||
### OS volume is NOT encrypted with BitLocker
|
||||
- **Category:** security
|
||||
- **ID:** `sec.bitlocker.unencrypted`
|
||||
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.
|
||||
|
||||
```
|
||||
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
|
||||
```
|
||||
|
||||
### 2 pending Windows updates
|
||||
- **Category:** security
|
||||
- **ID:** `sec.patch.pending`
|
||||
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
|
||||
|
||||
```
|
||||
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 2
|
||||
```
|
||||
|
||||
### Stability events present in the last 14 days
|
||||
- **Category:** health
|
||||
- **ID:** `health.stability.some`
|
||||
- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
|
||||
|
||||
```
|
||||
Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
|
||||
```
|
||||
|
||||
### 6 auto-start service(s) not running
|
||||
- **Category:** health
|
||||
- **ID:** `health.failed_services.stopped`
|
||||
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
|
||||
|
||||
```
|
||||
AsusUpdateCheck (AsusUpdateCheck) = Stopped
|
||||
GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped
|
||||
GoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped
|
||||
IBMPMSVC (Lenovo PM Service) = Stopped
|
||||
Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
|
||||
LPlatSvc (Lenovo Platform Service) = Stopped
|
||||
```
|
||||
|
||||
|
||||
## INFO (14)
|
||||
|
||||
### Defender active and current
|
||||
- **Category:** security
|
||||
- **ID:** `sec.defender.ok`
|
||||
- Real-time protection on, service running, signatures current.
|
||||
|
||||
```
|
||||
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=1 days; IsTamperProtected=True
|
||||
```
|
||||
|
||||
### Defender is the only registered AV
|
||||
- **Category:** security
|
||||
- **ID:** `sec.av_products.defender_only`
|
||||
- Only Microsoft/Windows Defender is registered in Security Center.
|
||||
|
||||
```
|
||||
Windows Defender
|
||||
```
|
||||
|
||||
### No competitor/leftover management agents detected
|
||||
- **Category:** security
|
||||
- **ID:** `sec.foreign_agents.none`
|
||||
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
|
||||
|
||||
```
|
||||
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
|
||||
```
|
||||
|
||||
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
|
||||
- **Category:** security
|
||||
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
|
||||
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
|
||||
|
||||
```
|
||||
program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650
|
||||
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
|
||||
```
|
||||
|
||||
### Expected ACG management tooling present: Splashtop (SOS/Streamer)
|
||||
- **Category:** security
|
||||
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
|
||||
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
|
||||
|
||||
```
|
||||
program: Splashtop Streamer 3.8.4.0
|
||||
service: SplashtopRemoteService (Splashtop? Remote Service) Running
|
||||
```
|
||||
|
||||
### Expected ACG management tooling present: Syncro / Kabuto
|
||||
- **Category:** security
|
||||
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
|
||||
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
|
||||
|
||||
```
|
||||
program: Syncro 1.0.201.18410
|
||||
service: Syncro (Syncro) Running
|
||||
```
|
||||
|
||||
### Local administrators (3)
|
||||
- **Category:** security
|
||||
- **ID:** `sec.local_admins.list`
|
||||
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
|
||||
|
||||
```
|
||||
MJ-PARALEGAL\Administrator
|
||||
MJ-PARALEGAL\localadmin
|
||||
MJ-PARALEGAL\Paralegal
|
||||
```
|
||||
|
||||
### OS build supported: Win11 25H2
|
||||
- **Category:** security
|
||||
- **ID:** `sec.patch.os_supported`
|
||||
- Build 26200 (Win11 25H2) is in support until 2027-10-12.
|
||||
|
||||
```
|
||||
Microsoft Windows 11 Pro build 26200
|
||||
```
|
||||
|
||||
### Last hotfix: KB5094126
|
||||
- **Category:** security
|
||||
- **ID:** `sec.patch.last_hotfix`
|
||||
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
|
||||
|
||||
```
|
||||
KB5094126 installed 2026-06-10T07:00:00Z
|
||||
```
|
||||
|
||||
### SMBv1 disabled
|
||||
- **Category:** security
|
||||
- **ID:** `sec.exposure.smb1_off`
|
||||
- SMBv1 server protocol is disabled.
|
||||
|
||||
```
|
||||
EnableSMB1Protocol=False
|
||||
```
|
||||
|
||||
### LAPS detected
|
||||
- **Category:** security
|
||||
- **ID:** `sec.exposure.laps_present`
|
||||
- A LAPS mechanism is present.
|
||||
|
||||
```
|
||||
Windows LAPS reg key
|
||||
```
|
||||
|
||||
### Not domain-joined (workgroup)
|
||||
- **Category:** health
|
||||
- **ID:** `health.domain.workgroup`
|
||||
- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
|
||||
|
||||
```
|
||||
PartOfDomain=False; Domain=WORKGROUP
|
||||
```
|
||||
|
||||
### Time service source
|
||||
- **Category:** health
|
||||
- **ID:** `health.time.source`
|
||||
- Current Windows Time service source.
|
||||
|
||||
```
|
||||
Source=time.windows.com,0x9
|
||||
```
|
||||
|
||||
### No backup agent detected
|
||||
- **Category:** health
|
||||
- **ID:** `health.backup.none`
|
||||
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
|
||||
|
||||
```
|
||||
No matching backup service in Win32_Service
|
||||
```
|
||||
|
||||
|
||||
---
|
||||
|
||||
## Inventory Baseline Summary
|
||||
|
||||
- **Manufacturer / Model:** ASUS / System Product Name
|
||||
- **Serial:** System Serial Number
|
||||
- **CPU:** Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz (6 cores / 12 logical)
|
||||
- **RAM (GB):** 15.8
|
||||
- **BIOS:** 1620 (2021-07-09)
|
||||
- **Chassis is laptop:** false
|
||||
- **TPM present / Secure Boot:** true / true
|
||||
- **Domain joined:** false (WORKGROUP)
|
||||
- **OS activation licensed:** true
|
||||
- **Uptime (days):** 0.3
|
||||
- **Pending reboot:** false
|
||||
- **Installed software count:** 98
|
||||
- **Scheduled tasks (non-MS, enabled):** 24
|
||||
- **Local administrators:** MJ-PARALEGAL\Administrator, MJ-PARALEGAL\localadmin, MJ-PARALEGAL\Paralegal
|
||||
|
||||
### Fixed volumes
|
||||
|
||||
- E: - 0 GB free of 255.6 GB (0%)
|
||||
- [unlabeled] - 0.2 GB free of 1 GB (18.7%)
|
||||
- D: - 0 GB free of 0 GB (75.5%)
|
||||
- C: - 70 GB free of 464.2 GB (15.1%)
|
||||
- [unlabeled] - 0.1 GB free of 0.1 GB (64%)
|
||||
- [unlabeled] - 0.1 GB free of 0.5 GB (16.6%)
|
||||
|
||||
### Network adapters
|
||||
|
||||
- Realtek PCIe GBE Family Controller - IP: 192.168.1.136, fe80::b20c:8d0b:48bf:1aea - DNS: 172.16.132.1 - DHCP: true
|
||||
|
||||
---
|
||||
|
||||
## Diff vs Prior Baseline
|
||||
|
||||
- No prior baseline found for this host. This is the first baseline.
|
||||
|
||||
---
|
||||
|
||||
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `MJ-PARALEGAL-20260629T211845.json` (immutable)._
|
||||
@@ -0,0 +1,148 @@
|
||||
# Rednour Law — LEGALASST explorer hang on .zip + WordPerfect 5 save error + Win11 plan
|
||||
|
||||
## User
|
||||
- **User:** Howard Enos (howard)
|
||||
- **Machine:** Howard-Home
|
||||
- **Role:** tech
|
||||
|
||||
## Session Summary
|
||||
|
||||
Diagnosed an explorer.exe stability problem on **LEGALASST**, the legal assistant's
|
||||
workstation at Rednour Law (Carla Skinner's box; active local account `emma`, profile
|
||||
`C:\Users\Ale`, OneDrive `carla@rednourlaw.com`). Reported via Carrie Rednour: explorer
|
||||
repeatedly hung/crashed when "opening files or messing with files." Work was driven over
|
||||
GuruRMM (agent `18825ea7-df58-47bb-b492-822cb16fb5ec`); the office subnet was initially
|
||||
unreachable from HOWARD-HOME because Tailscale was stuck in `NoState`, which cleared on its
|
||||
own shortly after.
|
||||
|
||||
Established via the Application event log that explorer was **hanging (AppHang Event 1002),
|
||||
not crashing** — there were no Event 1000 / faulting-module records. Hangs were firing
|
||||
several times per hour on 2026-06-29 and continued after a 10:52 reboot. The `.NET Runtime`
|
||||
Event 1022 "profiling API attach" errors (201 of them) were ruled out as benign noise — no
|
||||
`COR_PROFILER` env var is set, so nothing is being injected into explorer via that path.
|
||||
|
||||
Narrowed the cause by elimination. Blocked the Adobe shell extensions (Acrobat context-menu
|
||||
+ CoreSync overlays) via the Microsoft "Blocked" CLSID list and restarted explorer — no
|
||||
change, so Adobe was ruled out and reverted. Mapped drives X/Y/Z (→ `\\rednourcarrievirt`,
|
||||
the cloned Carrie host) were healthy (`Status OK`, no SMBClient errors). The only
|
||||
non-Microsoft DLLs actually loaded in explorer were the AMD Vega driver
|
||||
(`amdihk64/atidxx64/aticfx64/atiuxp64`), but there were **zero display-driver TDR events**,
|
||||
so the GPU driver was not crash-recovering. OneDrive sync was healthy and its overlay was not
|
||||
even loaded. Howard then supplied the decisive clue: the hang happens **only when opening
|
||||
`.zip` files**, Word/PDF open fine, and the failing zip is on the **local desktop** (not
|
||||
OneDrive, not a network share). That isolated the fault to the **built-in Windows Compressed
|
||||
Folders handler** (explorer's zip-as-folder namespace). `zipfldr.dll` is intact and validly
|
||||
signed, so the hang is environmental, not a corrupt handler DLL.
|
||||
|
||||
Howard installed **7-Zip 26.02** as a workaround — it opens the same zips fine because it is
|
||||
a standalone app that never invokes explorer's zip namespace. He will set 7-Zip as the
|
||||
default for `.zip` (and `.7z`/`.rar`, currently unassociated) via the 7-Zip GUI. A second,
|
||||
separate issue on the same machine was reported: saving from **WordPerfect 5** returns "not
|
||||
enough free space" regardless of save location, despite Howard verifying ample free space.
|
||||
The plan is to **upgrade LEGALASST to Windows 11**, which is expected to resolve the
|
||||
zip-handler hang by rebuilding the shell/system files (and applies the pending SFC repair);
|
||||
the team will test a local zip with the built-in handler after the upgrade. All diagnostic
|
||||
changes were reverted and the box was left clean.
|
||||
|
||||
## Key Decisions
|
||||
|
||||
- Diagnosed live over GuruRMM rather than waiting for on-site access; used `user_session`
|
||||
context for HKCU/OneDrive/shell-folder reads and SYSTEM context for HKLM/event-log reads.
|
||||
- Used the Microsoft **Shell Extensions\Blocked** CLSID list (reversible) to test-disable
|
||||
Adobe/7-Zip shell extensions instead of deleting registrations — clean revert path.
|
||||
- Treated the `.NET 1022` errors as noise after confirming no `COR_PROFILER` was set, instead
|
||||
of chasing the profiler-injection theory.
|
||||
- Did **not** hand-write a per-user UserChoice association hash for `.zip` (hash-protected;
|
||||
a wrong hash leaves a broken "how do you want to open this?" prompt). Howard opted to set
|
||||
the default in the 7-Zip GUI; no DefaultAssociations policy was pushed.
|
||||
- Concluded the Win11 in-place upgrade is the right fix for the zip-handler hang (rebuilds
|
||||
shell/system files) rather than further low-level surgery on a Win10 22H2 EOL box.
|
||||
|
||||
## Problems Encountered
|
||||
|
||||
- **Office subnet unreachable from HOWARD-HOME** — Tailscale daemon RUNNING but backend stuck
|
||||
in `NoState`; a service restart did not clear it, but it came up on its own shortly after.
|
||||
- **Orphaned RMM diagnostic process** — the first diagnostic command timed out server-side at
|
||||
120s (a `HKLM\...\Classes\*\shellex` wildcard scan), but the agent's child `powershell.exe`
|
||||
(PID 1048) kept running on the endpoint for 10+ minutes, churning CPU. This was the
|
||||
"PowerShell that's been running" Howard noticed. Killed it (SYSTEM context). Logged as
|
||||
friction.
|
||||
- **`$pid` reserved-variable collision** — used `$pid` as a variable in a remote script; `$PID`
|
||||
is the automatic current-process-id variable, so the `.zip` ProgID read returned garbage
|
||||
(16044). Re-ran with a non-reserved name. Logged as friction.
|
||||
- **Mis-assumption corrected** — initially assumed LEGALASST was the cloned machine; Carrie's
|
||||
machine was the one cloned (to host `rednourcarrievirt`), LEGALASST is the legal assistant's
|
||||
(unchanged) box. Logged as a correction.
|
||||
|
||||
## Configuration Changes
|
||||
|
||||
Net change to the endpoint: **none** (all diagnostic changes reverted; box left clean). During
|
||||
the session, on LEGALASST:
|
||||
- Added then removed Adobe (4 CLSIDs) and 7-Zip shell-extension CLSIDs in
|
||||
`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked` (Blocked list now
|
||||
empty).
|
||||
- Restarted explorer.exe several times (user_session).
|
||||
- Killed orphaned diagnostic process PID 1048.
|
||||
- Howard installed 7-Zip 26.02 (standalone; he will set `.zip`/`.7z`/`.rar` defaults).
|
||||
- Howard ran `sfc /scannow` — found and repaired corruption (0 unrepairable); repair pending
|
||||
a reboot to load.
|
||||
|
||||
Repo: this session log; Rednour wiki record update pending (`/wiki-compile client:rednour`).
|
||||
|
||||
## Credentials & Secrets
|
||||
|
||||
None discovered, created, or rotated this session.
|
||||
|
||||
## Infrastructure & Servers
|
||||
|
||||
- **LEGALASST** — legal assistant workstation, Rednour Law "Main Office" site. Win 10 Pro 22H2
|
||||
(build 19045, **EOL**), AMD Ryzen 3 3200G (Vega 8 iGPU), **5.9 GB RAM**, LAN 192.168.10.213.
|
||||
GuruRMM agent `18825ea7-df58-47bb-b492-822cb16fb5ec`. Active local account `emma`, profile
|
||||
`C:\Users\Ale`. OneDrive account `carla@rednourlaw.com`; Documents redirected to
|
||||
`C:\Users\Ale\OneDrive - Rednour Law\Documents`. Leftover **SyncroLive.Agent.Runner** still
|
||||
running.
|
||||
- AMD GPU driver: 31.0.12027.9001 (2023-03-29). 7zFM.exe 26.02 at `C:\Program Files\7-Zip\`.
|
||||
- `zipfldr.dll` = 10.0.19041.1, signature Valid (handler is intact).
|
||||
- Mapped drives (user `emma`): X: `\\rednourcarrievirt\Time Matters Shared Files`, Y:
|
||||
`\\rednourcarrievirt\Timeslips`, Z: `\\rednourcarrievirt\Documents` — all `Status OK`.
|
||||
- GuruRMM server `http://172.16.3.30:3001`; coord `http://172.16.3.30:8001`.
|
||||
|
||||
## Commands & Outputs
|
||||
|
||||
- Diagnostic dispatch pattern: `POST /api/agents/<id>/command` (powershell, `context`
|
||||
system or user_session), poll `GET /api/commands/<id>`.
|
||||
- Key reads: `Get-WinEvent` Application 1000/1002 + ProviderName 'Application Hang'/'.NET
|
||||
Runtime'; explorer loaded modules filtered to non-Microsoft `CompanyName`;
|
||||
`Get-SmbMapping`; `Get-MpComputerStatus`/`Get-MpPreference`; CBS.log `[SR]` parse.
|
||||
- AppHang count = 10 in last 3h on 2026-06-29; latest 11:31:02 (post 10:52 reboot).
|
||||
- `.zip` association: `HKCR\.zip` (default) = `CompressedFolder`, **no UserChoice**. 7-Zip
|
||||
registered only a `7-Zip.iso` ProgId (no `7-Zip.zip`). `.7z`/`.rar` currently unassociated.
|
||||
- SFC (CBS.log): "Verify and Repair Transaction completed... successfully repaired"; 0
|
||||
"cannot repair" entries.
|
||||
- Defender: RTP on, no active scan, signatures fresh, `DisableArchiveScanning=False`,
|
||||
`MAPSReporting=2`, `SubmitSamplesConsent=1` (archive + cloud scanning on).
|
||||
|
||||
## Pending / Incomplete Tasks
|
||||
|
||||
1. **Howard:** set 7-Zip as default app for `.zip` (and `.7z`/`.rar`) via 7-Zip GUI
|
||||
(Tools → Options → System).
|
||||
2. **Upgrade LEGALASST to Windows 11** (expected to resolve the zip-handler hang; applies
|
||||
the pending SFC repair). Pre-reqs: enable fTPM + Secure Boot in BIOS (Ryzen 3 3200G is
|
||||
Win11-supported), bump RAM from 5.9 GB, remove the leftover Syncro agent. **Test a local
|
||||
`.zip` with the built-in handler post-upgrade.**
|
||||
3. **WordPerfect 5 "not enough free space" on save** — investigate. Leading hypothesis:
|
||||
legacy/DOS-era WordPerfect free-space miscalculation on large-capacity volumes (free-space
|
||||
value overflows → false "disk full"). This is app-level and will **not** be fixed by the
|
||||
OS upgrade; mitigate via DOSBox or directing saves to a SUBST'd small-capacity location.
|
||||
Confirm exact WP version/edition (DOS 5.1 vs Windows).
|
||||
4. **If the zip hang persists after the Win11 upgrade:** next lead is Defender archive-scan +
|
||||
cloud (MAPS) lookup stalling the shell when the built-in handler streams zip entries.
|
||||
5. Standing P1s (pre-existing): reboot to apply SFC repair; remove prior MSP agents.
|
||||
|
||||
## Reference Information
|
||||
|
||||
- GuruRMM agent id: `18825ea7-df58-47bb-b492-822cb16fb5ec` (LEGALASST).
|
||||
- Rednour tenant: `rednourlaw.com` (`4a4ca18a-f516-478b-99da-2e0722c5dc18`); Syncro customer
|
||||
`1224246`.
|
||||
- Wiki: `wiki/clients/rednour.md`. Refresh: `/wiki-compile client:rednour --full`.
|
||||
- Reversible shell-ext disable mechanism: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked` (add CLSID value to block; delete to restore).
|
||||
@@ -0,0 +1,119 @@
|
||||
## User
|
||||
- **User:** Howard Enos (howard)
|
||||
- **Machine:** Howard-Home
|
||||
- **Role:** tech
|
||||
|
||||
## Session Summary
|
||||
|
||||
Resumed work on getting the GuruRMM agent installed on Nick Pafford's Mac at Rednour Law
|
||||
Offices (Rednour's office). The client/site was already onboarded (2026-05-29), so the goal
|
||||
this session was to hand Nick the correct macOS download/install link and confirm enrollment.
|
||||
|
||||
Pulled the Rednour Main site enrollment details from the vault (site_code GREEN-FALCON-7214)
|
||||
and provided the public install page URL. On verification, the install **page**
|
||||
(`/install/GREEN-FALCON-7214`) only exposes clickable buttons for Windows and Linux — there is
|
||||
no Mac button. Confirmed instead that a macOS install path exists as a `curl | sudo bash`
|
||||
one-liner at `/install/GREEN-FALCON-7214/macos`. Verified the script body (LaunchDaemon setup,
|
||||
quarantine strip, site config for GREEN-FALCON-7214) and that the agent binary it downloads is a
|
||||
Mach-O 64-bit arm64 executable (~3.96 MB), matching Nick's Apple Silicon Mac. Handed Nick the
|
||||
Terminal one-liner plus his SMB share credential (from vault).
|
||||
|
||||
Nick (or whoever was at the Mac) ran the installer and it reported success. However, repeated
|
||||
fleet checks (3x over the session) showed the agent NOT checking in — no macOS agent appears
|
||||
under Rednour Law Offices. The three Rednour agents enrolled are all Windows
|
||||
(FrontDeskReception, LegalAsst, rednourcarrievirt). The only Macs in the entire fleet are
|
||||
Scileppi's Mac-mini-2 and Mike's MacBook Air — neither is Nick's. So the install succeeded
|
||||
locally but the agent is not connecting/enrolling to the server.
|
||||
|
||||
Howard is no longer onsite and does not have the user's Mac password, so local diagnostics
|
||||
(foreground run, launchctl check) can't be done right now. Work was deferred. Flagged Mike via
|
||||
Discord DM that the Apple/macOS installer has an issue, that we're working it but lack the
|
||||
user's password, and asked whether he has access to another M1/Apple Silicon Mac to test the
|
||||
installer for repro.
|
||||
|
||||
## Key Decisions
|
||||
|
||||
- Handed Nick the macOS `curl | sudo bash` one-liner rather than the install page, since the
|
||||
page has no Mac download button — only Windows/Linux. The `/macos` script path is the
|
||||
supported macOS install route.
|
||||
- Verified the downloaded binary architecture (arm64 Mach-O) before handing off, to rule out an
|
||||
x86/arch mismatch on Nick's Apple Silicon Mac.
|
||||
- Deferred diagnosis rather than guess: with no onsite access and no user password, the key
|
||||
diagnostic (foreground `sudo /usr/local/bin/gururmm-agent` to see the connect error) can't be
|
||||
run, so escalated to Mike and parked it.
|
||||
- Used a person-targeted Discord DM to Mike (not a #bot-alerts post) since the ask was actionable
|
||||
and directed at him specifically (needs an M1 to test).
|
||||
|
||||
## Problems Encountered
|
||||
|
||||
- **macOS agent installs but does not enroll.** Installer reports success on Nick's Apple
|
||||
Silicon Mac, but no macOS agent shows under Rednour in the fleet after multiple checks.
|
||||
Unresolved — deferred. Likely causes to check next: LaunchDaemon not actually started /
|
||||
crashed on launch, Gatekeeper killing the unsigned binary despite quarantine strip, or
|
||||
outbound connectivity to rmm.azcomputerguru.com blocked. Blocked on onsite access + user
|
||||
password.
|
||||
- **Install page has no Mac button** (Windows/Linux only). Worked around with the `/macos`
|
||||
curl|bash one-liner, which is the real macOS install path.
|
||||
|
||||
## Configuration Changes
|
||||
|
||||
- None to the repo. No code changes. Vault entries were read-only this session (already
|
||||
created in prior sessions).
|
||||
|
||||
## Credentials & Secrets
|
||||
|
||||
- Nick Pafford SMB share access (read this session, already vaulted):
|
||||
- Vault: `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`
|
||||
- Username: `REDNOURCARRIEVI\nick`
|
||||
- Password: `Kg5Qe2Kc3`
|
||||
- Mac mount: `smb://192.168.10.194/Documents` (Finder Cmd+K)
|
||||
- Share: `\\REDNOURCARRIEVI\Documents` -> `C:\Users\Carrie\Documents`, access Modify (rw)
|
||||
- Local Windows account on Carrie Rednour's workstation (workgroup, no AD), PasswordNeverExpires,
|
||||
created 2026-06-25 per Syncro #32343.
|
||||
- GuruRMM Rednour Main site enrollment (already vaulted):
|
||||
- Vault: `clients/rednour/gururmm-site-main.sops.yaml`
|
||||
- site_id: `c7f5787c-8e71-45b3-841f-fa52436f7d26`
|
||||
- site_code: `GREEN-FALCON-7214`
|
||||
|
||||
## Infrastructure & Servers
|
||||
|
||||
- GuruRMM server API: `http://172.16.3.30:3001` (auth via vault gururmm-server.sops.yaml).
|
||||
- GuruRMM public install host: `https://rmm.azcomputerguru.com` (Cloudflare-fronted).
|
||||
- Rednour workstation REDNOURCARRIEVI: `192.168.10.194` (LAN) / `10.147.17.253` (ZeroTier).
|
||||
- Rednour Law Offices fleet (all Windows, online, v0.6.66): FrontDeskReception, LegalAsst,
|
||||
rednourcarrievirt.
|
||||
|
||||
## Commands & Outputs
|
||||
|
||||
- macOS install one-liner handed to Nick:
|
||||
`curl -fsSL https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos | sudo bash`
|
||||
- Mac agent binary verification:
|
||||
`curl .../install/GREEN-FALCON-7214/download/macos` -> HTTP 200, Mach-O 64-bit arm64
|
||||
executable, ~3,960,397 bytes, filename `gururmm-agent-main`.
|
||||
- Fleet check (no Rednour Mac present):
|
||||
`curl -s "$RMM/api/agents" -H "Authorization: Bearer $TOKEN" | jq '... select rednour or macos'`
|
||||
- Suggested local diagnostics for next session (need onsite/password):
|
||||
- `sudo launchctl list | grep gururmm`
|
||||
- `ls -l /usr/local/bin/gururmm-agent /usr/local/etc/gururmm/`
|
||||
- `sudo /usr/local/bin/gururmm-agent` (foreground run to surface connect error)
|
||||
- `curl -fsS -o /dev/null -w "%{http_code}" https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos`
|
||||
|
||||
## Pending / Incomplete Tasks
|
||||
|
||||
- **OPEN:** Nick's Mac GuruRMM agent not enrolling despite successful install. Deferred.
|
||||
- Blocked on: not onsite + no user Mac password.
|
||||
- Next steps: run foreground diagnostic on the Mac to capture the connect/enroll error; check
|
||||
LaunchDaemon state and Gatekeeper; verify outbound to rmm.azcomputerguru.com.
|
||||
- Mike asked (via DM) whether he has access to another M1/Apple Silicon Mac to test/repro the
|
||||
macOS installer.
|
||||
|
||||
## Reference Information
|
||||
|
||||
- Install page: `https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214`
|
||||
- macOS install script: `https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos`
|
||||
- macOS agent binary: `https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/download/macos`
|
||||
- MSI (Windows): `https://rmm.azcomputerguru.com/api/sites/c7f5787c-8e71-45b3-841f-fa52436f7d26/installer`
|
||||
- Discord DM to Mike: message_id 1521264675965374656
|
||||
- Syncro ticket (SMB access): #32343
|
||||
- Related prior logs: `2026-06-25-howard-nick-smb-share-and-mac-rmm.md`,
|
||||
`2026-06-26-howard-nick-mac-rmm-rootcause.md`
|
||||
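Review bot: A plaintext credential is committed in this session log — the "Credentials & Secrets" section lists the SMB password for `REDNOURCARRIEVI\nick` in clear text, immediately below the vault path that already holds it. The log should point at the vault entry only, e.g. `- Password: (in vault, see entry above)`, and because the value has now entered git history it should be treated as exposed and rotated rather than merely removed in a follow-up commit. The same pattern is worth checking across the other session logs in this commit before merge, and a pre-commit secret scan on this repo would catch it mechanically next time.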