*_before_snapshot_wait.bat functionality seems to be broken in recent Reflects


smr888 (New Member)
Since shortly after the turn of the year I found some issues with my scheduled backups, and they seem to be traceable to Reflect no longer executing the

[jobname]_before_snapshot_wait.bat

command file as it is supposed to.  My controlling program waits in vain for that file to execute, and as it does not, the controlling program never ends, causing it to never be re-run by Task Scheduler.  (And of course the things I am trying to control are also not being, er, controlled, since this is not working.  I use this to flush my database so that I get a consistent backup.)

Could someone please look into this and see if this functionality has been broken?  Or, if it has been changed in some way that I don't know about, please advise.

Of course I don't know if the "after" functionality is also broken.

jphughan (Most Valuable Professional)
That functionality was changed to disabled by default as part of a security update in November (7.1.2695), since it can be used maliciously.  For example, if definition files are stored in unsecured locations, an attacker could create/modify the scripts in that same folder to do anything they wanted, up to and including spawning an elevated and interactive PowerShell/Command Prompt session, potentially on the desktop of a standard user account.  And in certain combinations of Reflect and Windows versions, if there's a scheduled task associated with the definition file that calls this script, the attacker can even cause the job to run on-demand, and therefore execute their script on demand.

However, that functionality can be re-enabled with a registry setting:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Macrium\Reflect\settings
Name: EnablePrePostScripts
Type: DWORD 32 bit
Value: Off = 0, On = 1

You may also wish to read this KB article about definition file storage best practices.

Edited 13 January 2018 4:10 AM by jphughan
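
An added example, not part of the original thread and not Macrium's code: a PowerShell check an administrator could run before turning the setting back on. It reads the EnablePrePostScripts value named in the post above and lists any account other than SYSTEM or Administrators that can write to the folder holding the definition files. The `$DefinitionFolder` path is a placeholder and the trusted-SID list is an assumption.

```powershell
# Added example, not Macrium's code. $DefinitionFolder is a placeholder path:
# pass the folder that actually holds your backup definition files and scripts.
param([string]$DefinitionFolder = 'C:\Path\To\Reflect\Definitions')

# Registry key and value name as quoted in the post above.
$key     = 'HKLM:\SOFTWARE\Macrium\Reflect\settings'
$name    = 'EnablePrePostScripts'
$value   = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$enabled = ($value -eq 1)
Write-Output ("{0} = {1}" -f $name, $(if ($null -eq $value) { '<not set>' } else { $value }))

# Assumption: only SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544)
# should be able to create or change files next to the definition files.
$trusted = 'S-1-5-18', 'S-1-5-32-544'

# Rights that allow planting or replacing a script, or rewriting the ACL.
$writeMask   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericMask = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, seen on inherit-only ACEs

function Get-UntrustedWriter {
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $rule.IdentityReference.Value) { continue }
        $rights = [int]$rule.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
            [pscustomobject]@{
                Path      = $Path
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $DefinitionFolder -PathType Container)) {
    throw "Definition folder not found: $DefinitionFolder"
}
# Check the folder itself and every file in it (definitions and .bat scripts).
$targets  = @($DefinitionFolder) + @(Get-ChildItem -LiteralPath $DefinitionFolder -File | ForEach-Object FullName)
$findings = @($targets | ForEach-Object { Get-UntrustedWriter -Path $_ })
$findings | Format-Table -AutoSize

if ($enabled -and $findings.Count -gt 0) {
    Write-Warning 'Pre/post scripts are enabled and non-administrative accounts can write here.'
} elseif ($findings.Count -gt 0) {
    Write-Warning 'Tighten these ACLs before setting EnablePrePostScripts to 1.'
}
```

Entries such as CREATOR OWNER or a named service account may be legitimate in a given environment; the output is a list to review, not a verdict.
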
smr888 (New Member)
jphughan - 13 January 2018 3:59 AM
It was deliberately disabled by default as part of a security update released several months ago, since that can be used maliciously if definition files are stored in unsecured locations, which would in turn allow those scripts to be added/modified. It can however be re-enabled with a registry setting that I’ll look up when I’m back in front of a real PC if nobody else beats me to it.

Yes, with your hint available I found the knowledgebase article on that:

https://knowledgebase.macrium.com/display/KNOW/Stopping+a+SQL+Server+service+automatically+when+backing+up

Thank you for helping me with this.

smr888 (New Member)
jphughan - 13 January 2018 3:59 AM
That functionality was changed to disabled by default as part of a security update in November (7.1.2695), since it can be used maliciously.  For example, if definition files are stored in unsecured locations, an attacker could create/modify the scripts in that same folder to do anything they wanted, up to and including spawning an elevated and interactive PowerShell/Command Prompt session, potentially on the desktop of a standard user account.  And in certain combinations of Reflect and Windows versions, if there's a scheduled task associated with the definition file that calls this script, the attacker can even cause the job to run on-demand, and therefore execute their script on demand.

However, that functionality can be re-enabled with a registry setting:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Macrium\Reflect\settings
Name: EnablePrePostScripts
Type: DWORD 32 bit
Value: Off = 0, On = 1

You may also wish to read this KB article about definition file storage best practices.

Thank you for updating your post.  With the registry key in place my backups are running properly now. I tried changing the permissions on the directory indicated by the article on the topic and that led to some problems, so for now I am simply running as I was, and I will revisit that at some point.  Thanks again for your help.  I appreciate it.
