Capturing Registry values

Hi All,

Is there any way we can capture registry values and display it in the IEM Work area?

There sure is!

There is a nice guide on the BigFix Developer Tutorial:

Let us know if you still have issues after reviewing the tutorial!

Thanks, it helped half the way. Challenge I am facing now is in viewing the multiple values of registry. Tried web reports as well, but it is not listing the entire registry value.

For example. it is listing something like this

J$, CSCFlags=0;
K$, CSCFlags=0;
I$, CSCFlags=0;
F$, CSCFlags=0

where as the exact value is in the below format

_data, CSCFlags=0MaxUses=4294295Path=C:\Infor\stems v4.4_dataPermissions=9ShareName=_dataType=0

please comment


Can you provide a screenshot of the data as it exists in the registry and provide the relevance you are using to try to query it?

Hi, I am using the below relevance to get the output as per the screenshot

(names of it, it) of values of key “HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\IPS” of registry


That relevance and screenshot don’t match your original question – it looks like that relevance would work for what you’ve got in the screenshot?


that relevance is not working. It is coming up with the result as “Multiple values” and when I try to get it from web reports I see broken values.

Is there any way that we can see/capture all the registry values present in the screen shot in IEM Console? It is an urgent one please.

Thanks in advance.

When I execute your relevance I get what looks to be the correct responses …

Q: (names of it, it) of values of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\IPS" of registry A: PluginDescription, Symantec Vulnerability Protection A: PluginIcon, A: IpsPlugFirstInit, 0 A: ClientUID, 1781773942 A: IDSDataUpdate, 1469210044 T: 31.595 ms

Remember that Web Reports only imports results on a scheduled basis.

Hi Tim,

Thanks for checking, problem here is neither webreports nor Analyses results are displaying the complete list of values. Can you please help me get the complete list with complete registry values?

Thanks in advance

Looking at you previous posts, I’m not sure what’s going on. You indicated that you expect to see

data, CSCFlags=0MaxUses=4294295Path=C:\Infor\stems v4.4_dataPermissions=9ShareName=dataType=0

but are not getting it, but then you show a screenshot that doesn’t include any of that information. It’s like the conversation started out discussing Oranges, now we are talking about Watermelons.

Are you using the Fixlet Debugger/QnA tool at all? If so, what are you getting as results from a query with your relevance?

Hi Tim,

The first post in which I posted the below registry information can not be shared (Screen shot with complete information) in the forum. So opted a more generic registry and pasted a screen shot of it in the later replies. But the main problem remains same, Values are not getting populated as they are seen in the registry.

data, CSCFlags=0MaxUses=4294295Path=C:\Infor\stems v4.4_dataPermissions=9ShareName=dataType=

If more clarity is needed I can write a relevance to read the registry as mentioned in the screen shot for KEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\IPS which was mentioned only for example.

You can blur out sensitive data but if we can’t see what the value looks like in the registry it’s very hard to help.

What is the type of the value in the registry? Is it a REG_MULTI_SZ?

Actually, if you look, the example I posted from QnA was the Symantec relevance results.

Try running that in QnA on your computer and let us know what you get back.

That’s probably just the way you’re viewing it in the console. If you’re in something like the Results tab of an Analysis, so you see each property as a column, you won’t see more than one row for each Computer; if the computer returns muliple results, you’ll just get the <Multiple Results> tag as the cell value; if you mouseover it, you’ll briefly get a popup message showing the first few results.

If you open an individual Computer though, and on the first tab of the computer info, you’ll see all results for every Analysis/Property on that computer. Does this tab show the info you’re expecting?

Hi Jason,

Mouseover it didnt not give me the entire value, but with below 2 options gave me what I have been looking for.

  1. when extracted through the web reports I could see multiple values.
  2. Computer details

Tim, QnA shows the below

I think my question has been answered. I could see registry values (Multiple string values) in web reports and Computer information as well.

If you like you can use a different approach, like use VBS to do the job.
1-One Fixlet send vbs to client and run it. This vbs query registry and dump result in a text file.
2-Analisys read the vbs text output file and show the results in BigFix console. Also you can filter results during the process like show you “Valid” or “False” status if the collected value is like < xyz in key abc. …