Carbon Black Cloud: Live Response Execfg Commands Return Error "Command must be executed from an existing directory that you have 'write' access to"
book
Article ID: 285943
calendar_today
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
execfg command run within a Live Response session returns the following error:
c:\users\{UserName}\desktop\> execfg powershell.exe /c "set-executionpolicy unrestricted -force"
Preparing file...
Command must be executed from an existing directory that you have 'write' access to.
Environment
Carbon Black Cloud Web Console: All Versions
Carbon Black Cloud Windows Sensor: 3.0.x.x and Higher
Microsoft Windows: All Supported Versions
Cause
This issue is caused when execfg is leveraged within Live Response to execute applications that do not have stdout or stderr messages
Resolution
1. Leverage exec in situations where there is no stdout or stderr messages
2. Another possible workaround / syntax is to use the -o option (for output file)
execfg -o c:\temp\counters.txt repcli counters
Additional Information
The below error can safely be ignored as the command executes without issue.
Command must be executed from an existing directory that you have 'write' access to.
The above error message output will be addressed in a future backend release.