Accessing an Alternate Registry View (64 bit vs 32 bit)

(imported topic written by jclark91)

I am having a problem reading registry keys on a 64 bit computer running the Windows 7 OS (or Vista or XP 64 bit versions).

The problem seems to be that with Bigfix running as a 32 bit application, Windows is redirecting any registry query to the 32 bit registry view (WOW32). This works for most items but certain “system” or OS level key\value pairs are not duplicated in the WOW32 bit view.

So for example, the key\value pair below is present only in the WOW64 bit registry view. So when I query for the “LastLoggedOnUser” value, the query fails.

“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI” “LastLoggedOnUser”

Programmatically, it is possible to use a flag KEY_WOW64_64KEY (value 0x0100) to access an alternate view when opening the registry. How does one tell the BES Client to use this alternate registry view?

Here is a link to an MSDN page describing how to access an alternate registry view.

http://msdn.microsoft.com/en-us/library/aa384129(VS.85).aspx

Thanks in advance.

(imported comment written by BenKus)

Hi jclarke,

BigFix can access the x64 registry or file system, but you need to specify this info in your relevance (otherwise the agent will go to the redirect node). Here are some examples:

q: value "LastLoggedOnUser" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of registry

q: value "LastLoggedOnUser" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of x64 registry

q: value "LastLoggedOnUser" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of native registry

Ben
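
To confirm outside the BES client which registry view actually holds a value, the following added example (not part of the original posts, and not BigFix code) reads the same HKLM key through both views using .NET's RegistryView, whose Registry64 and Registry32 members correspond to the KEY_WOW64_64KEY and KEY_WOW64_32KEY flags. The function name Get-RegistryValueByView is hypothetical; it assumes PowerShell 3 or later with .NET Framework 4 or later.

```powershell
# Added example: compare one HKLM value across the 32-bit and 64-bit registry views.
# Get-RegistryValueByView is a hypothetical helper name, not a built-in cmdlet.
function Get-RegistryValueByView {
    param(
        [Parameter(Mandatory)] [string] $SubKey,     # path below HKEY_LOCAL_MACHINE
        [Parameter(Mandatory)] [string] $ValueName
    )

    $views = [Microsoft.Win32.RegistryView]::Registry32,
             [Microsoft.Win32.RegistryView]::Registry64

    foreach ($view in $views) {
        # OpenBaseKey selects the view explicitly, regardless of process bitness.
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $key = $base.OpenSubKey($SubKey)         # read-only; $null if the key is absent
            $keyExists   = $null -ne $key
            $valueExists = $false
            $value       = $null
            if ($keyExists) {
                try {
                    # Distinguish "value missing" from "value present but empty".
                    $valueExists = $key.GetValueNames() -contains $ValueName
                    if ($valueExists) { $value = $key.GetValue($ValueName) }
                } finally { $key.Dispose() }
            }
            [pscustomobject]@{
                View        = $view
                KeyExists   = $keyExists
                ValueExists = $valueExists
                Value       = $value
            }
        } finally { $base.Dispose() }
    }
}

# The key and value from the question above.
Get-RegistryValueByView `
    -SubKey 'SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI' `
    -ValueName 'LastLoggedOnUser'
```

A row with ValueExists true only for Registry64 indicates a value that a 32-bit process will not see through the default redirected view.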