(imported topic written by PaulPhillabaum)
I’m trying to create a report (or analysis) to display the contents of the RunOnce registry key(s) that is causing the “pending login” for each computer. The dreaded Admin login required is no big deal to track down on a couple computers, but when it’s 100+ it would be nice not to presume what is going on. I stole a string from an official fixlet, but I’m stumped why it works for one key and not another.
I discovered that mine works on 64 bit systems if I use “… of native registry”, but it’s still a mystery why this is. Also, my expression returns on 32 bit system which show as logon pending.
(mine)
q: values of keys “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce” of registry
T: 0.066 ms
I: plural registry key value
(official)
q: values of keys “HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment” of registry
A: %25SystemRoot%25\system32\cmd.exe%00
A: NO
A: Windows_NT
A: %25SystemRoot%25\system32;%25SystemRoot%25;%25SystemRoot%25\System32\Wbem;%25SYSTEMROOT%25\System32\WindowsPowerShell\v1.0;%25systemroot%25\idmu\common%00
A: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
A: AMD64
A: %25SystemRoot%25\TEMP%00
A: %25SystemRoot%25\TEMP%00
A: SYSTEM
A: %25SystemRoot%25%00
A: %25SystemRoot%25\system32\WindowsPowerShell\v1.0\Modules%00
A: 1
A: 6
A: Intel64 Family 6 Model 13 Stepping 3, GenuineIntel
A: 0d03
T: 0.279 ms
I: plural registry key value