sync: auto-sync from HOWARD-HOME at 2026-05-26 22:05:31

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-26 22:05:31
2026-05-26 22:05:38 -07:00
parent 9ef8ad9652
commit a8ee927db0


@@ -31,7 +31,6 @@ Scanners run in this order. Each stage hands off to the next regardless of findi
| 2 | **AdwCleaner** | adware | Removes adware, PUPs, and browser hijackers. | | 2 | **AdwCleaner** | adware | Removes adware, PUPs, and browser hijackers. |
| 3 | **Emsisoft Command Line Scanner** | antimalware | Two-step: NSIS installer extracts to `C:\EmsisoftCmd\`, then `/update` fetches latest definitions, then scans. | | 3 | **Emsisoft Command Line Scanner** | antimalware | Two-step: NSIS installer extracts to `C:\EmsisoftCmd\`, then `/update` fetches latest definitions, then scans. |
| 4 | **HitmanPro** | antimalware | Cloud-assisted second-opinion scanner. Trial registry is reset before each run via `Invoke-HitmanProTrialReset`. | | 4 | **HitmanPro** | antimalware | Cloud-assisted second-opinion scanner. Trial registry is reset before each run via `Invoke-HitmanProTrialReset`. |
| 5 | **ESET Online Scanner** | antimalware | Skipped automatically when running as SYSTEM (requires interactive desktop). |
MSERT (Microsoft Safety Scanner) is excluded from the default chain — it is too slow MSERT (Microsoft Safety Scanner) is excluded from the default chain — it is too slow
for routine remediation runs. Add it back to `scanners.json` if needed. for routine remediation runs. Add it back to `scanners.json` if needed.
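Review bot: Dropping the ESET row from the scanner table leaves the reader with no statement of why ESET left the chain or whether it can be restored, while the MSERT paragraph directly below explains both for MSERT. Suggest a parallel sentence after the MSERT note, e.g. "ESET Online Scanner is no longer in the default chain because it needs an interactive desktop; add it back to `scanners.json` only for attended runs", so the two exclusions are documented the same way.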
@@ -46,29 +45,29 @@ for routine remediation runs. Add it back to `scanners.json` if needed.
| AdwCleaner | Clean | Cleaned, no reboot needed | Cleaned, reboot required | Found but not cleaned (scan-only) | — | | AdwCleaner | Clean | Cleaned, no reboot needed | Cleaned, reboot required | Found but not cleaned (scan-only) | — |
| Emsisoft | Clean | Threats found/cleaned | Cleaned, reboot required | — | — | | Emsisoft | Clean | Threats found/cleaned | Cleaned, reboot required | — | — |
| HitmanPro | Clean | Cleaned | Cleaned, reboot required | — | — | | HitmanPro | Clean | Cleaned | Cleaned, reboot required | — | — |
| ESET | Clean | Threats found | Incomplete removal, reboot may help | — | — |
| MSERT | Clean | Threats found/cleaned | — | — | Non-zero = threats | | MSERT | Clean | Threats found/cleaned | — | — | Non-zero = threats |
| TDSSKiller | Clean | Threats found | — | — | — | | TDSSKiller | Clean | Threats found | — | — | — |
| Stinger | Clean | — | — | — | 13 = threats | | Stinger | Clean | — | — | — | 13 = threats |
Reboot-required exit codes: AdwCleaner 2, HitmanPro 2, Emsisoft 2, ESET 2. Reboot-required exit codes: AdwCleaner 2, HitmanPro 2, Emsisoft 2.
--- ---
## Autologon / Cleanup Lifecycle ## Post-Scan Cleanup Lifecycle
When any scanner exits with a reboot-required code (exit 2), the following sequence runs: When any scanner exits with a reboot-required code (exit 2), the following sequence runs automatically — no forced reboot, no temp user account:
1. `Invoke-RebootCleanupSetup` writes `cleanup-state.json` with the original user, scan ID, and log path. 1. `Register-ScannerCleanupTask` writes `cleanup-state.json` (scan ID + log path) to `C:\GuruScan\`.
2. A hidden `GuruRMM-Temp` administrator account is created with a random password. 2. `Invoke-ScannerCleanup.ps1` is written to `C:\GuruScan\`.
3. One-time autologon (`AutoLogonCount=1`) is configured for `GuruRMM-Temp`. Windows clears the password after the first use. 3. A SYSTEM scheduled task (`GuruRMM-ScannerCleanup`) is registered with an **at-logon + 30-minute delay** trigger.
4. The account is hidden from the login screen via the `SpecialAccounts\UserList` registry key. 4. The scan completes and prints a message to reboot at your convenience.
5. A logon-triggered scheduled task (`GuruRMM-PostRebootCleanup`) is registered for `GuruRMM-Temp`. 5. After the next natural reboot and user login, the task fires 30 minutes later (silently, in the background as SYSTEM).
6. The machine reboots after a 15-second warning. 6. The cleanup script removes all scanner installation paths (`C:\EmsisoftCmd`, `C:\AdwCleaner`, `C:\ProgramData\HitmanPro*`, `C:\GuruScan\downloads\`), writes `logs-ready.json` for GuruRMM to pick up, and unregisters itself.
7. On next boot, Windows auto-logs in as `GuruRMM-Temp`. The WPF splash appears immediately (full-screen, black, cursor hidden).
8. `Invoke-PostRebootCleanup` runs: verifies pending operations cleared, removes scanner files, writes `logs-ready.json`, restores the original user's login name, clears autologon, removes the cleanup task. To run cleanup immediately without waiting (e.g. if the task was missed):
9. A SYSTEM scheduled task (`GuruRMM-TempUserDelete`) is registered to delete the `GuruRMM-Temp` account 2 minutes later (cannot delete your own account while logged in). ```powershell
10. The splash closes, `logoff` is called, and the machine returns to the normal login screen. .\Invoke-PostRebootCleanup.ps1
```
--- ---
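Review bot: Step 5 assumes the `GuruRMM-ScannerCleanup` task fires only "after the next natural reboot", but the trigger registered in step 3 is at-logon, and a logon trigger also fires on a plain log off and log on with no reboot in between; the old step 8 ("verifies pending operations cleared") had a guard for this and the new step 6 does not mention one. Suggest stating that `Invoke-ScannerCleanup.ps1` checks that a reboot has actually occurred since `cleanup-state.json` was written (for example by comparing system boot time to the state file timestamp) before it removes `C:\EmsisoftCmd`, `C:\AdwCleaner` and the other paths, and that it simply exits and waits for the next logon otherwise. Two smaller points in the same hunk: step 2 writes `Invoke-ScannerCleanup.ps1` to `C:\GuruScan\`, yet the manual command below is `.\Invoke-PostRebootCleanup.ps1`, so say explicitly which script the scheduled task executes and how the two relate; and because a SYSTEM task now runs a script from `C:\GuruScan\`, document the ACL that directory is created with, since a standard user able to modify that script could have their changes run as SYSTEM. Removing the hidden `GuruRMM-Temp` administrator account and the autologon registry entries is the right direction and worth calling out in the section intro as the reason for the change.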
@@ -76,9 +75,6 @@ When any scanner exits with a reboot-required code (exit 2), the following seque
- `-Headless` passes `NoNewWindow` to all scanner launches, suppressing UI windows. - `-Headless` passes `NoNewWindow` to all scanner launches, suppressing UI windows.
Use this when dispatching from an RMM agent that has no interactive desktop. Use this when dispatching from an RMM agent that has no interactive desktop.
- ESET is automatically skipped when the script detects it is running as the SYSTEM
account (`[System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem`).
Pass `-SkipEset` explicitly to skip it under other accounts.
--- ---
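Review bot: The removed bullet was the only place that documented `-SkipEset`; if the parameter is still accepted by `Invoke-GuruScan.ps1` for backward compatibility it should be listed here as a no-op, and if it has been removed the README should say so, because existing RMM dispatch commands that pass `-SkipEset` will otherwise fail on a parameter-binding error with no hint in the docs.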
@@ -90,7 +86,6 @@ When any scanner exits with a reboot-required code (exit 2), the following seque
| AdwCleaner | Free for personal and commercial use | | AdwCleaner | Free for personal and commercial use |
| Emsisoft Command Line Scanner | Free for personal and MSP remediation use | | Emsisoft Command Line Scanner | Free for personal and MSP remediation use |
| HitmanPro | Commercial license required. Each scan uses trial mode; `Invoke-HitmanProTrialReset` resets the trial window. Verify current licensing terms at https://www.hitmanpro.com before deploying at scale. | | HitmanPro | Commercial license required. Each scan uses trial mode; `Invoke-HitmanProTrialReset` resets the trial window. Verify current licensing terms at https://www.hitmanpro.com before deploying at scale. |
| ESET Online Scanner | Free for personal and commercial use |
Always verify current licensing terms with each vendor before large-scale deployment. Always verify current licensing terms with each vendor before large-scale deployment.
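Review bot: The HitmanPro row kept as context says "Commercial license required" and in the same sentence documents `Invoke-HitmanProTrialReset` resetting the trial window before every scan; read together, the README describes routine operation without the license it says is required. Suggest the row state how a purchased license key is supplied to the scanner in production and reserve the trial-reset note for evaluation only, so the "Always verify current licensing terms" line below has something concrete to point to.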
@@ -105,9 +100,6 @@ Always verify current licensing terms with each vendor before large-scale deploy
# Detect only, then auto-remediate if threats found # Detect only, then auto-remediate if threats found
.\Invoke-GuruScan.ps1 -ScanOnly -AutoRemediate .\Invoke-GuruScan.ps1 -ScanOnly -AutoRemediate
# Skip ESET (e.g. unattended run)
.\Invoke-GuruScan.ps1 -SkipEset
# Suppress scanner windows (RMM dispatch) # Suppress scanner windows (RMM dispatch)
.\Invoke-GuruScan.ps1 -Headless .\Invoke-GuruScan.ps1 -Headless
@@ -147,8 +139,8 @@ Invoke-Remediation -LogRoot "C:\ScanLogs\DESKTOP-20260523-143000"
# Summary report # Summary report
Get-ScanSummary -AI Get-ScanSummary -AI
# Post-reboot cleanup (called by Invoke-PostRebootCleanup.ps1) # Manual scanner cleanup (normally runs via scheduled task)
Invoke-PostRebootCleanup -StateFile "C:\GuruScan\cleanup-state.json" Invoke-PostRebootCleanup
``` ```
--- ---
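Review bot: The `Invoke-PostRebootCleanup` example no longer passes `-StateFile`, so the default it now relies on should be documented next to the call, presumably `C:\GuruScan\cleanup-state.json` as written in the lifecycle section, along with the behaviour when that file is absent (for example a manual run after the scheduled task already cleaned up and unregistered itself). A one-line comment such as `# Defaults to C:\GuruScan\cleanup-state.json` would do.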
@@ -163,7 +155,7 @@ guru-scan\
Invoke-GuruScan.ps1 # Thin launcher -> Invoke-GuruScan Invoke-GuruScan.ps1 # Thin launcher -> Invoke-GuruScan
Invoke-Remediation.ps1 # Thin launcher -> Invoke-Remediation Invoke-Remediation.ps1 # Thin launcher -> Invoke-Remediation
Get-ScanSummary.ps1 # Thin launcher -> Get-ScanSummary Get-ScanSummary.ps1 # Thin launcher -> Get-ScanSummary
Invoke-PostRebootCleanup.ps1 # WPF splash + logoff; delegates cleanup to module Invoke-PostRebootCleanup.ps1 # Thin launcher -> Invoke-PostRebootCleanup (manual cleanup trigger)
Download-Scanners.ps1 # Downloads scanner EXEs from scanners.json URLs Download-Scanners.ps1 # Downloads scanner EXEs from scanners.json URLs
downloads\ # Scanner EXEs (gitignored) downloads\ # Scanner EXEs (gitignored)
``` ```
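Review bot: `Invoke-PostRebootCleanup.ps1` is described here as a thin launcher for the manual cleanup trigger, but the lifecycle section says the scheduled task runs `Invoke-ScannerCleanup.ps1` written to `C:\GuruScan\`, and that file does not appear in this tree. Add a comment line to the layout (or a sentence under it) stating that `Invoke-ScannerCleanup.ps1` is generated at runtime by the module and is not a repository file, so a reader does not go looking for it here.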