AdwCleaner requires both elevated privileges and an interactive desktop
session simultaneously -- SYSTEM context is elevated but Session 0 (no
desktop), user_session has a desktop but a non-elevated WTS token.
Removing for now; will re-add with schtasks InteractiveToken dispatch
when that mechanism is implemented.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
NoNewWindow caused scanner processes to inherit PowerShell's stdout/stderr
pipe handles from the GuruRMM agent. If any scanner hung in Session 0
(e.g. AdwCleaner GUI init), it held the pipe open after PowerShell exited,
blocking the GuruRMM command for hours until the server-side reaper fired.
WindowStyle=Hidden gives each scanner its own window/console so pipe
handles are not inherited. Scanner processes that timeout are still killed
by Wait-ProcessWithTimeout; the overall scan completes normally.
Verified: full pipeline completes in ~7.5 min on RMM-TEST-MACHINE with
EICAR detection, GURUSCAN_RESULT_JSON emitted correctly.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Exit code fix: add $proc.Handle caching after Start-Process -PassThru to prevent
the handle from being released before ExitCode is readable (known PS5.1 bug).
GuruRMM reporting: launcher now finds results.json after each scan and emits
GURUSCAN_RESULT_JSON:<compressed> to stdout. Agent CommandResult captures it;
server stores it in commands.stdout for retrieval via GET /api/commands/:id.
Pre-scan hardening:
- Pre-flight EXE check: warns about missing scanner binaries before run starts
- Windows Defender exclusions added for scanner/log paths before scan, removed after
AdwCleaner: add /path {LOG_ROOT} arg so logs write directly to scan log root;
update log_src to {LOG_ROOT}\Logs to match.
HitmanPro: add /quiet to scan and clean args to suppress GUI in headless runs.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds a complete PowerShell-based malware scanning toolkit:
- Invoke-GuruScan.ps1: main orchestrator running RKill, AdwCleaner,
Emsisoft, HitmanPro, and ESET in sequence with pre/post cleanup,
whitelist support, ForceRemove blacklist, and -Headless switch
- Invoke-PostRebootCleanup.ps1: post-reboot temp-user session that
shows a fullscreen splash, verifies boot-time cleanup completed,
removes scanner files, and restores the original user login name
- Download-Scanners.ps1: downloads/refreshes scanner EXEs
- Get-ScanSummary.ps1: parses results.json with optional Ollama AI analysis
- Invoke-Remediation.ps1: re-runs scanners in clean mode
Key features: exit-code-based reboot detection, whoami-based user
capture (SYSTEM-safe via quser fallback), domain\user and local
MACHINE\user restore on login screen after cleanup reboot.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Points to main HEAD after merging fix/audit-2-remediation (BUG-002/003/006 fixes).
Feature branch feature/log-finding-dispatch preserved separately.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Updated guru-rmm submodule to commit dc765ee which includes:
- 5 new comprehensive specifications (SPEC-002 through SPEC-006)
- Updated FEATURE_ROADMAP.md with spec links
- Total: 2058 lines of detailed implementation specs
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
