In today's post, I will cover deploying Sysmon using a simple PowerShell script, which is then pushed out with Ivanti's EPM (you can also use SCCM, as the steps are similar).
Our Goal
The goal of this script is to accommodate both x86 and x64 with one deployment package. It determines the OS architecture, detects any existing install, removes it, and reinstalls the Sysmon version included in the distribution package. You will also need to provide a sysmonconfig file – SwiftOnSecurity has published a template that can be used as-is or forked.
The Script
```powershell
# Variables
$ScriptDir  = Split-Path $script:MyInvocation.MyCommand.Path
$sysMon64   = 'SysMon64'
$sysMon32   = 'SysMon'
$configFile = 'sysmonconfig.xml'
$OSArch     = Get-WmiObject win32_operatingsystem | Select-Object osarchitecture

# Detect Existing Installs
if (Get-Service -Name $sysMon64 -ErrorAction SilentlyContinue) {
    # Found SysMon64
    Write-Host 'SysMon 64bit found'
    # Stop Service / Uninstall / Cleanup Files
    Get-Service -Name $sysMon64 | Stop-Service -Force
    Start-Sleep -Seconds 3
    Start-Process -FilePath "$env:SystemRoot\$sysMon64.exe" -ArgumentList "-u" -Wait
    Start-Sleep -Seconds 3
    # Not every file will exist on every host; suppress "not found" errors so cleanup continues
    Remove-Item -Path "$env:SystemRoot\$sysMon64.exe" -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:SystemRoot\$sysMon32.exe" -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:SystemRoot\$configFile" -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 3
}
elseif (Get-Service -Name $sysMon32 -ErrorAction SilentlyContinue) {
    # Found SysMon32
    Write-Host 'SysMon 32bit found'
    # Stop Service / Uninstall / Cleanup Files
    Get-Service -Name $sysMon32 | Stop-Service -Force
    Start-Sleep -Seconds 3
    Start-Process -FilePath "$env:SystemRoot\$sysMon32.exe" -ArgumentList "-u" -Wait
    Start-Sleep -Seconds 3
    Remove-Item -Path "$env:SystemRoot\$sysMon64.exe" -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:SystemRoot\$sysMon32.exe" -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:SystemRoot\$configFile" -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 3
}

# Copy Files and Install (excludes non-Sysmon files such as notes, the script itself and wrapper .cmd files)
Get-ChildItem -Path "$ScriptDir" -Exclude *.txt, *.ps1, *.cmd |
    Select-Object -ExpandProperty FullName |
    Copy-Item -Destination "$env:SystemRoot\" -Force

# Install the binary matching the OS architecture; -Wait keeps the script (and the EPM task) running until Sysmon finishes installing
if ($OSArch.osarchitecture -eq '64-bit') {
    Start-Process -FilePath "$env:SystemRoot\$sysMon64.exe" -ArgumentList "-accepteula -i $env:SystemRoot\$configFile" -Wait
}
else {
    Start-Process -FilePath "$env:SystemRoot\$sysMon32.exe" -ArgumentList "-accepteula -i $env:SystemRoot\$configFile" -Wait
}
```
Deployment via Ivanti’s EPM
Launch EPM
Go to Tools, Distribution, Distribution Packages
Select New, PowerShell
Fill out package details, browse to your package location, and select the PowerShell script.
Select Additional Files on the left side and add all files except the PS1.
Default settings for all other sections are sufficient – save the package.
Select Create Scheduled Task
You should now be in the Scheduled Tasks section – right-click your new task and select Properties.
Set your targets
Ensure the Task settings and Agent settings match your preferences, select Schedule task, then Start now – clients should then begin downloading and installing.
Client files downloaded with LANDesk to SDCache folder:
Files moved after the script is launched by EPM:
And finally, our Sysmon is installed and running:
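To confirm the result on each client without clicking through services.msc, here is an added post-deployment check (example code written for this post, not part of the original script). It assumes the file layout the script above produces (Sysmon64.exe or Sysmon.exe plus sysmonconfig.xml under $env:SystemRoot), the default driver service name SysmonDrv, and the standard Microsoft-Windows-Sysmon/Operational event channel; the non-zero exit code lets EPM or SCCM mark a client as failed.

```powershell
# Added example: verify that the Sysmon package deployed by the script above is actually running.
# Assumptions: binary/config paths from the script, default driver service 'SysmonDrv',
# and the default Sysmon event channel.
function Test-SysmonDeployment {
    param(
        [string]$ConfigFile = "$env:SystemRoot\sysmonconfig.xml",
        [int]$MaxEventAgeMinutes = 15
    )
    # Same architecture test the deployment script uses, so we look for the same service name
    $is64 = (Get-WmiObject win32_operatingsystem).osarchitecture -eq '64-bit'
    $serviceName = if ($is64) { 'SysMon64' } else { 'SysMon' }

    $result = [ordered]@{
        ServiceRunning = $false
        DriverRunning  = $false
        BinaryPresent  = Test-Path "$env:SystemRoot\$serviceName.exe"
        ConfigPresent  = Test-Path $ConfigFile
        ConfigSha256   = $null     # compare against the hash of the sysmonconfig.xml in your package
        RecentEvents   = $false
        Healthy        = $false
    }

    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    if ($svc) { $result.ServiceRunning = ($svc.Status -eq 'Running') }

    $drv = Get-Service -Name 'SysmonDrv' -ErrorAction SilentlyContinue
    if ($drv) { $result.DriverRunning = ($drv.Status -eq 'Running') }

    if ($result.ConfigPresent) {
        $result.ConfigSha256 = (Get-FileHash -Path $ConfigFile -Algorithm SHA256).Hash
    }

    # A fresh event in the Sysmon channel proves the driver is feeding the log, not just that the service exists
    $since  = (Get-Date).AddMinutes(-$MaxEventAgeMinutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; StartTime = $since } `
                           -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($events) { $result.RecentEvents = $true }

    $result.Healthy = $result.ServiceRunning -and $result.DriverRunning -and
                      $result.BinaryPresent -and $result.ConfigPresent -and $result.RecentEvents
    [pscustomobject]$result
}

$status = Test-SysmonDeployment
$status | Format-List
if (-not $status.Healthy) { exit 1 }   # non-zero exit lets EPM/SCCM flag the client as non-compliant
```

Run it as a second EPM PowerShell package or as a detection script; the ConfigSha256 field lets you catch clients where the copied config does not match the one in the distribution package.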