Hi all,
I recently came across a problem whereby a Windows Check_MK agent (the version does not seem to matter; I tried 1.2.8p16 and 1.4.0p37) that runs under a domain account rather than as Local System fails to report all processes.
This was working without issue until something changed in our Windows environment (patching, probably!). The domain account is granted local administrator rights on the local server, but the agent will only show processes that were created under the
same domain as the account used to run the agent (see below: the domain-account run lists only MANINVESTMENTS-owned processes and none of those owned by NT AUTHORITY or Window Manager accounts).
Is anyone else running an agent under a domain account?
Do you see the same as I do?
If not, can you confirm which permissions/rights you have granted to the domain account?
Cheers and thanks in advance
Mark
As Local System:
<<ps:sep(9)>>
(\NT AUTHORITY\SYSTEM,2147524528,3996,0,424,1192,468750,2187500,81,1,614935) wininit.exe
(\NT AUTHORITY\SYSTEM,2147534872,6088,0,460,2792,781250,1250000,117,2,614935) winlogon.exe
(\NT AUTHORITY\SYSTEM,2147537004,18048,0,524,10692,3368437500,3114218750,1343,8,614935) lsass.exe
(\NT AUTHORITY\SYSTEM,2147529264,13188,0,588,6052,12855781250,88638437500,573,9,614933) svchost.exe
(\NT AUTHORITY\NETWORK SERVICE,2147514760,9376,0,632,4968,969531250,585000000,486,11,614933) svchost.exe
(\NT AUTHORITY\LOCAL SERVICE,2147585304,25516,0,700,24332,7123593750,3587968750,721,15,614933) svchost.exe
(\NT AUTHORITY\SYSTEM,2147621944,24984,0,720,13340,1562500,2968750,327,8,614933) LogonUI.exe
(\Window Manager\DWM-1,2147573588,25620,0,744,16424,4062500,1718750,185,7,614933) dwm.exe
(\NT AUTHORITY\SYSTEM,2147580224,22220,0,772,14796,180156250,341875000,304,5,614933) svchost.exe
(\NT AUTHORITY\SYSTEM,2147829632,126292,0,816,379304,34410468750,13113437500,2652,37,614933) svchost.exe
(\NT AUTHORITY\LOCAL SERVICE,2147581396,12588,0,856,5956,54062500,71093750,661,16,614933) svchost.exe
(\NT AUTHORITY\NETWORK SERVICE,2148697780,20304,0,928,9668,503750000,437656250,583,17,614932) svchost.exe
(\NT AUTHORITY\LOCAL SERVICE,2147543956,12400,0,568,10072,42812500,45625000,388,19,614932) svchost.exe
(\NT AUTHORITY\SYSTEM,2147556880,3760,0,604,6164,2031250,8281250,208,5,614932) rundll32.exe
(\NT AUTHORITY\SYSTEM,2147557388,10392,0,1104,4076,12343750,10468750,388,10,614932) spoolsv.exe
(\NT AUTHORITY\SYSTEM,2147582204,9784,0,1208,3828,5000000,4218750,211,9,614931) svchost.exe
(\NT AUTHORITY\SYSTEM,68912,9940,0,1344,3004,4062500,6406250,137,7,614931) nscp.exe
(\NT AUTHORITY\SYSTEM,22748,3168,0,1508,1128,4531250,6093750,46,4,614931) sflowtrend-server.exe
(\NT AUTHORITY\SYSTEM,35668,7072,0,1524,3800,201250000,928437500,164,6,614930) snmp.exe
(\NT AUTHORITY\SYSTEM,3668980,172456,0,1532,349120,717500000,74843750,430,31,614930) sflowtrend-server.exe
(\NT AUTHORITY\SYSTEM,96988,15492,0,1568,5584,170000000,302031250,215,9,614930) snowagent.exe
(\NT AUTHORITY\SYSTEM,2148230016,20480,0,1692,10824,146406250,155000000,467,15,614929) svchost.exe
(\NT AUTHORITY\SYSTEM,64880,9608,0,1784,3152,7187500,3281250,124,3,614929) VGAuthService.exe
(\NT AUTHORITY\SYSTEM,2147579180,20492,0,1840,9232,1315000000,1233281250,310,10,614929) vmtoolsd.exe
(\NT AUTHORITY\NETWORK SERVICE,2147623896,37384,0,1036,32240,19516093750,87070312500,1289,13,614927) WmiPrvSE.exe
(\NT AUTHORITY\NETWORK SERVICE,2147804792,131704,0,2052,178128,1452656250,1717500000,939,34,614924) svchost.exe
(\NT AUTHORITY\NETWORK SERVICE,2147505924,5200,0,2188,1468,2812500,4531250,113,4,614924) svchost.exe
(\NT AUTHORITY\SYSTEM,2147535196,12116,0,2292,3836,2187500,2656250,199,11,614924) dllhost.exe
(\NT AUTHORITY\NETWORK SERVICE,2147526316,8276,0,2564,2804,4687500,5312500,165,10,614923) msdtc.exe
(\NT AUTHORITY\SYSTEM,2147596352,32128,0,324,27896,3882500000,22465937500,345,11,614908) WmiPrvSE.exe
(\NT AUTHORITY\SYSTEM,611572,56152,0,716,49728,98906250,43750000,404,7,614850) Tentacle.exe
(\NT AUTHORITY\SYSTEM,243468,92012,0,1044,230780,8962656250,3880625000,1057,15,614804) CcmExec.exe
(\NT AUTHORITY\SYSTEM,2147574120,31164,0,2088,44520,491875000,349843750,156,6,614804) WmiPrvSE.exe
(\NT AUTHORITY\SYSTEM,189196,65740,0,1280,57128,13559062500,17083281250,293,21,614804) telegraf.exe
(\NT AUTHORITY\LOCAL SERVICE,2147515984,7500,0,3800,2392,781250,2968750,148,5,614796) WmiPrvSE.exe
(\NT AUTHORITY\SYSTEM,85488,14552,0,5380,20548,1524062500,9649375000,223,4,525389) WmiPrvSE.exe
(\NT AUTHORITY\SYSTEM,77332,12704,0,6224,7048,958750000,23273125000,189,7,432319) check_mk_agent.exe
(\NT AUTHORITY\SYSTEM,2147537172,7296,0,5344,2920,625000,1406250,152,3,7263) winlogon.exe
(\Window Manager\DWM-12,2147629112,54204,0,1992,11580,2500000,2343750,212,8,7262) dwm.exe
(\MANINVESTMENTS\admin-tferreiradebar,2147770996,10100,0,2908,3632,1093750,781250,205,5,7259) taskhostex.exe
(\MANINVESTMENTS\admin-tferreiradebar,2147566640,7980,0,3316,2052,781250,781250,220,8,7259) rdpclip.exe
(\MANINVESTMENTS\admin-tferreiradebar,2147973736,100788,0,4644,59568,21718750,35468750,1473,34,7258) explorer.exe
(\NT AUTHORITY\SYSTEM,2147534648,12060,0,6032,4832,2031250,1875000,185,7,7257) WmiPrvSE.exe
(\MANINVESTMENTS\admin-tferreiradebar,766032,58060,0,1352,96272,19687500,8593750,455,8,7254) ServerManager.exe
(\MANINVESTMENTS\admin-tferreiradebar,229560,25400,0,680,21332,2343750,1250000,328,7,7247) SCNotification.exe
(\MANINVESTMENTS\admin-tferreiradebar,149352,9864,0,1332,3536,1718750,1093750,199,2,7240) jusched.exe
(\MANINVESTMENTS\admin-tferreiradebar,2147582768,12172,0,6376,1820,1250000,2187500,100,1,7239) notepad.exe
(\NT AUTHORITY\SYSTEM,2147629396,20384,0,4880,6492,1562500,1250000,345,10,5399) LogonUI.exe
(\NT AUTHORITY\SYSTEM,2147536340,7080,0,4936,2912,781250,937500,140,2,3709) winlogon.exe
(\Window Manager\DWM-13,2147640832,70540,0,6772,17332,2343750,4062500,197,8,3708) dwm.exe
(\MANINVESTMENTS\admin-driggs,2147773484,9580,0,3624,3528,781250,625000,203,8,3704) taskhostex.exe
(\MANINVESTMENTS\admin-driggs,2147572420,9736,0,2812,2300,937500,3281250,251,7,3704) rdpclip.exe
(\MANINVESTMENTS\admin-driggs,2148007276,101548,0,6584,47520,47500000,467656250,1371,38,3704) explorer.exe
(\MANINVESTMENTS\admin-driggs,761548,53696,0,3704,89580,21250000,4062500,418,10,3703) ServerManager.exe
(\MANINVESTMENTS\admin-driggs,229528,24268,0,6004,20280,2031250,937500,308,7,3692) SCNotification.exe
(\MANINVESTMENTS\admin-driggs,149352,9924,0,6216,3532,1875000,468750,199,2,3692) jusched.exe
(\MANINVESTMENTS\admin-driggs,2181282984,40564,0,5292,15956,5937500,3437500,330,9,3681) mmc.exe
(\MANINVESTMENTS\admin-driggs,2148117808,91956,0,5888,84932,10000000,6406250,450,5,3649) powershell.exe
(\MANINVESTMENTS\admin-driggs,2147540580,9884,0,5036,2132,781250,2187500,60,2,3649) conhost.exe
(\MANINVESTMENTS\admin-driggs,71644,6220,0,268,2284,1562500,625000,135,4,2612) PsExec.exe
(\NT AUTHORITY\SYSTEM,47360,4944,0,4236,1560,1562500,156250,124,5,2612) PSEXESVC.EXE
(\NT AUTHORITY\SYSTEM,2147496092,2684,0,4068,2708,0,312500,36,1,2611) cmd.exe
(\NT AUTHORITY\SYSTEM,2147537152,6720,0,196,1276,1250000,2187500,64,2,2611) conhost.exe
(\NT AUTHORITY\SYSTEM,2148109352,72876,0,6884,69176,9687500,5937500,531,4,2596) powershell.exe
(\NT AUTHORITY\SYSTEM,2147521156,8272,0,2380,1944,625000,468750,143,5,109) WmiApSrv.exe
(\NT AUTHORITY\LOCAL SERVICE,2147523356,10684,0,3956,5276,1250000,3437500,230,8,36) WmiPrvSE.exe
(\NT AUTHORITY\SYSTEM,2147554296,8912,0,1440,4740,781250,312500,159,6,34) WmiPrvSE.exe
(\NT AUTHORITY\SYSTEM,2147539932,15088,0,4788,4560,937500,2031250,163,8,34) WmiPrvSE.exe
(SYSTEM,0,0,0,0,0,0,0,0,2,0) System Idle Process
As domain account:
<<ps:sep(9)>>
(\MANINVESTMENTS\admin-tferreiradebar,2147770996,10100,0,2908,3632,1093750,781250,205,5,7466) taskhostex.exe
(\MANINVESTMENTS\admin-tferreiradebar,2147565600,8080,0,3316,2052,781250,781250,218,6,7466) rdpclip.exe
(\MANINVESTMENTS\admin-tferreiradebar,2147973736,101132,0,4644,59568,22812500,35625000,1474,34,7465) explorer.exe
(\MANINVESTMENTS\admin-tferreiradebar,766032,58944,0,1352,96272,19687500,8593750,455,8,7461) ServerManager.exe
(\MANINVESTMENTS\admin-tferreiradebar,230852,26108,0,680,21900,2343750,1406250,348,8,7454) SCNotification.exe
(\MANINVESTMENTS\admin-tferreiradebar,149352,9864,0,1332,3536,1718750,1093750,199,2,7447) jusched.exe
(\MANINVESTMENTS\admin-tferreiradebar,2147582768,12172,0,6376,1820,1250000,2187500,100,1,7446) notepad.exe
(\MANINVESTMENTS\admin-driggs,2147771924,9532,0,3624,3528,781250,625000,197,5,3911) taskhostex.exe
(\MANINVESTMENTS\admin-driggs,2147572940,9752,0,2812,2300,1093750,3281250,255,8,3911) rdpclip.exe
(\MANINVESTMENTS\admin-driggs,2147990464,100964,0,6584,47520,48750000,469062500,1355,36,3911) explorer.exe
(\MANINVESTMENTS\admin-driggs,761548,53660,0,3704,89580,21250000,4062500,417,10,3910) ServerManager.exe
(\MANINVESTMENTS\admin-driggs,230820,24732,0,6004,20764,2343750,937500,326,8,3899) SCNotification.exe
(\MANINVESTMENTS\admin-driggs,149352,9924,0,6216,3532,1875000,468750,199,2,3899) jusched.exe
(\MANINVESTMENTS\admin-driggs,2181282984,41312,0,5292,15956,6406250,4218750,330,9,3888) mmc.exe
(\MANINVESTMENTS\admin-driggs,2148117808,91956,0,5888,84932,10000000,6406250,450,5,3856) powershell.exe
(\MANINVESTMENTS\admin-driggs,2147540580,9884,0,5036,2132,781250,2187500,60,2,3856) conhost.exe
(\MANINVESTMENTS\admin-driggs,71644,6220,0,268,2284,1562500,625000,135,4,2819) PsExec.exe
(\MANINVESTMENTS\admin-mdollemore,2147774844,12824,0,3012,6672,2656250,1250000,253,7,147) taskhostex.exe
(\MANINVESTMENTS\admin-mdollemore,2147567160,7436,0,4360,1860,625000,781250,222,9,147) rdpclip.exe
(\MANINVESTMENTS\admin-mdollemore,2147966848,90140,0,3876,55720,14687500,20156250,1278,39,147) explorer.exe
(\MANINVESTMENTS\admin-mdollemore,768588,86292,0,5456,96308,18906250,4375000,442,11,141) ServerManager.exe
(\MANINVESTMENTS\admin-mdollemore,2181325032,31916,0,6692,15564,4843750,5312500,359,13,136) mmc.exe
(\MANINVESTMENTS\admin-mdollemore,229828,23628,0,4472,19744,2343750,781250,298,8,135) SCNotification.exe
(\MANINVESTMENTS\admin-mdollemore,76872,5260,0,2840,1304,2187500,156250,77,1,129) jusched.exe
(\MANINVESTMENTS\svc-nagios,59284,6796,0,6220,2452,468750,625000,111,3,10) check_mk_agent.exe