local grep

Overview

Search a specified file for a specified string. This command provides file searching capabilities for analyzing SCCM log files and configuration files on the local system.

Syntax

SharpSCCM local grep <string-to-find> <path> [options]

Parameters

string-to-find

string

required

The string to search for in the file

path

string

required

The full path to the file (e.g., “C:\Windows\ccmsetup\Logs\ccmsetup.log”)

Examples

# Search SCCM setup log for startup messages
SharpSCCM local grep "ccmsetup started" "C:\Windows\ccmsetup\Logs\ccmsetup.log"

Output Format

The command outputs matching lines with context:

Found match in C:\Windows\ccmsetup\Logs\ccmsetup.log
  <![LOG[==========[ ccmsetup started in process 10168 ]==========]LOG]!><time="13:28:46.510+480" date="01-13-2023" component="ccmsetup" context="" type="1" thread="1456" file="ccmsetup.cpp:10632">

Common SCCM Log Locations

Client Installation Logs

C:\Windows\ccmsetup\Logs\ccmsetup.log - Client installation
C:\Windows\ccmsetup\Logs\ccmsetup-ccmeval.log - Client evaluation

Client Operation Logs

C:\Windows\CCM\Logs\CcmExec.log - Main client executive
C:\Windows\CCM\Logs\PolicyAgent.log - Policy processing
C:\Windows\CCM\Logs\LocationServices.log - Site assignment

Application and Deployment Logs

C:\Windows\CCM\Logs\AppEnforce.log - Application enforcement
C:\Windows\CCM\Logs\AppDiscovery.log - Application discovery
C:\Windows\CCM\Logs\SoftwareCatalogUpdateEndpoint.log - Software catalog

Search Strategies

Error Investigation

Search for common error indicators:

“ERROR”, “FAILED”, “Exception”
Specific error codes or messages
Component-specific failure patterns

Configuration Discovery

Look for configuration-related strings:

Server names and IP addresses
Site codes and management points
Authentication and certificate information

Timeline Analysis

Search for timestamps and sequence information:

Installation dates and times
Policy refresh cycles
Application deployment events

Use Cases

Troubleshooting

Analyze SCCM client logs to identify configuration issues, communication failures, or deployment problems.

Reconnaissance

Extract configuration information, server details, and site topology from log files.

Forensic Analysis

Investigate SCCM client activity and identify potential security events or unauthorized access.

local triage - Comprehensive log analysis
local site-info - Get current site configuration
local query - Query WMI for additional information

Getting Started

Information Gathering

Credential Extraction

Lateral Movement

Local Operations

Infrastructure Management

Advanced Operations

Overview

Syntax

Parameters

Examples

Output Format

Common SCCM Log Locations

Search Strategies

Use Cases

Getting Started

Information Gathering

Credential Extraction

Lateral Movement

Local Operations

Infrastructure Management

Advanced Operations

​Overview

​Syntax

​Parameters

​Examples

​Output Format

​Common SCCM Log Locations

​Search Strategies

​Use Cases

​Related Commands

Overview

Syntax

Parameters

Examples

Output Format

Common SCCM Log Locations

Search Strategies

Use Cases

Related Commands