(imported topic written by Kenz91)
Is there any reason why this wouldn’t work to pull that property?
value "ProxyServer" of key "Software\Microsoft\Windows\CurrentVersion\Internet Settings" of (key "HKEY_CURRENT_USER" of registry)
(imported comment written by SystemAdmin)
It will work fine if you do it via Relevance Debugger, but it will not work when you run it in a fixlet or analysis because the BESClient runs as the system account. I actually posted some similar relevance in another thread today, but this isn’t quite as convoluted as that code. Try this:
value "ProxyServer" of key ("HKU\" & (component string of sid of security account (name of current user)) & "\Software\Microsoft\Windows\CurrentVersion\Internet Settings") of registry
(imported comment written by Kenz91)
Thanks, will try that. Can you explain your syntax a little? I’d like to understand what is going on.
(imported comment written by jessewk)
Hi Kenz,
There is a pretty good discussion on this sticky thread:
http://forum.bigfix.com/viewtopic.php?id=1909
Jesse
(imported comment written by SystemAdmin)
Kenz-
No problem, it is a little confusing. HKEY_CURRENT_USER is just a pointer to one of the registry hives located under HKEY_USERS. The hives are logically stored named for the SID of their respective account. When the BESClient is asked to inspect HKCU, it looks at its own hive under HKU (S-1-5-18) instead of the user you are really interested in, the one that is logged on interactively. To get around this, we query for the SID of the current user:
(component string of sid of security account (name of current user))
To be quite honest, I am not sure why you have to put “component string” in there, but from my experience it does not give you the SID unless you put that there. So I just sandwiched that bit of relevance into a standard HKU registry query so we would be looking in the desired hive of the registry.
Does that make any more sense now?
jessewk-
I think this method works a lot better and you should consider stickying one of my threads where I talk about it. It avoids having to query all of the user hives or having to download a program to the machine just to run it as the local user.
(imported comment written by tscott91)
I use this:
value "ProxyServer" of key "Software\Microsoft\Windows\CurrentVersion\Internet Settings" of current user keys (logged on users) of registry
You don’t have to download a program to query HKCU… Just to modify it.
The evaluation time is nearly identical
(imported comment written by Shembop91)
Singular expression refers to nonexistent object. Can’t seem to get this to actually find my current user keys
(imported comment written by JackCoates91)
I’m not sure that component string is always correct… note that it misses the last piece of mine.
q: component string of sid of security account (name of current user)
A: S-1-5-21-1839177858-3221607956-1901078802
T: 2.495 ms
q: exists key ("HKU\" & (component string of sid of security account (name of current user)) & "-500\Software\") of registry
A: True
T: 6.319 ms
(imported comment written by Shembop91)
Yeah, tried that last one on my PC, and it worked - tried it on another PC, and it didn’t. Not sure where in the world it got the answer it gave when I evaluated just (component string of sid of security account (name of current user)).
It was way off, but on my machine it was spot on.
(imported comment written by JackCoates91)
Hi,
Is there a pattern to the incorrect value? Is it always the last section cut off, is it always on a certain OS, anything like that?
Thanks,
Jack
(imported comment written by JackCoates91)
Hey, some of the clever people here helped figure this out, try this relevance instead:
q: component string of sid of security account (computer name & "\" & name of current user)
q: value "ProxyServer" of key ("HKU\" & (component string of sid of security account (computer name & "\" & name of current user)) & "\Software\Microsoft\Windows\CurrentVersion\Internet Settings") of registry
The issue is that machine name can confuse resolution of the SID. We’re still looking at whether there’s a way to make the more obvious construction work.
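For comparison outside the relevance language, an added PowerShell example (not posted by anyone in this thread) that reads the same value from a SYSTEM context by walking the loaded hives under HKEY_USERS, whose names are full account SIDs including the final RID (the "-500" in the test above). The function name Get-UserProxySetting is hypothetical, and the filter assumes local or domain accounts (SIDs starting with S-1-5-21).

```powershell
# Added example: audit per-user proxy settings when running as LocalSystem.
# HKCU would resolve to S-1-5-18 here, so enumerate HKEY_USERS instead.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-UserProxySetting {   # hypothetical helper name
    # Loaded user hives are named by full SID. The pattern skips .DEFAULT,
    # the service accounts (S-1-5-18/19/20) and the "<SID>_Classes" hives.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-(\d+-){3}\d+$' } |
        ForEach-Object {
            $sid = $_.PSChildName

            # Translate the SID back to DOMAIN\user or COMPUTER\user.
            # Orphaned profiles (deleted accounts) will not translate.
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<unresolved>'
            }

            # A missing key or value yields empty fields rather than an error.
            $path  = "Registry::HKEY_USERS\$sid\$subKey"
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Account     = $account
                Sid         = $sid
                ProxyEnable = $props.ProxyEnable
                ProxyServer = $props.ProxyServer
            }
        }
}

Get-UserProxySetting | Format-Table -AutoSize
```

Only hives that are currently loaded appear under HKEY_USERS, so users who are not logged on are not reported.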