Carbon Black Cloud: Live Response Execfg Commands Return Error "Command must be executed from an existing directory that you have 'write' access to"
search cancel

Carbon Black Cloud: Live Response Execfg Commands Return Error "Command must be executed from an existing directory that you have 'write' access to"

book

Article ID: 285943

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • execfg command run within a Live Response session returns the following error:
    c:\users\{UserName}\desktop\> execfg powershell.exe /c "set-executionpolicy unrestricted -force"
    Preparing file...
    Command must be executed from an existing directory that you have 'write' access to.

Environment

  • Carbon Black Cloud Web Console: All Versions
  • Carbon Black Cloud Windows Sensor: 3.0.x.x and Higher
  • Microsoft Windows: All Supported Versions

Cause

This issue is caused when execfg is leveraged within Live Response to execute applications that do not have stdout or stderr messages

Resolution

1. Leverage exec in situations where there is no stdout or stderr messages

2. Another possible workaround / syntax is to use the -o option (for output file)

execfg -o c:\temp\counters.txt repcli counters

Additional Information

  • The below error can safely be ignored as the command executes without issue.
Command must be executed from an existing directory that you have 'write' access to.
  • ​​​​The above error message output will be addressed in a future backend release.