Check users current PST filesize - STEP 2

(imported topic written by HGA8191)

Following a related post, we have identified the reg keys that contain the information for a user’s PST file that is currently set as delivery. We are trying to come up with the proper relevance to identify this on BigFix.

Here is what we need:

  1. We need to find out the current defaultprofile for a user, this is by obtaining the “DefaultProfile” value of the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

  2. Once we know the default profile, we need to search within that profile for the key that contains the following:

REG_BINARY: “00033009” whose value equals: 02 10 00 00

This will tell us the key that has all the information for the current PST (set as delivery).

  3. Once we have that key, then we need to search within that key for the value of

REG_SZ: “001e6700” which will give us the current path and from there we need to obtain the current size of that PST file.

We need to group all of the above steps in one big relevance… thanks!

(imported comment written by HGA8191)

…Any help will be highly appreciated.

thanks.

(imported comment written by brolly3391)

Hello HGA81,

q: value "001e6700" of
keys whose (value "00033009" of it as string = "02100000") of
key (value "DefaultProfile" of it as string) of key "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of registry

E: Singular expression refers to nonexistent object.

is what you asked for, but I have to mention that it gives a “nonexistent” error on my box even though I use Outlook.

And, you probably want to insert a bunch of existence checking to avoid errors.

Part one is bold, part 2 is italic and part 3 is plain.

Cheers,

Brolly

(imported comment written by Marjan23)

HGA81,

One more thing to note:

If you’re using your BES Client to retrieve this information from your endpoints, there is a slight modification to Brolly33’s script that you have to consider. Since the BES Client runs as the local system account, querying HKEY_CURRENT_USER will not get you information on the currently logged-in user but rather on the local system account that the BES Client runs under. Note this thread on this subject: http://forum.bigfix.com/viewtopic.php?id=11

So in your case instead of writing:

value "001e6700" of keys whose (value "00033009" of it as string = "02100000") of key (value "DefaultProfile" of it as string) of key "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of registry

try:

value "001e6700" of keys whose (value "00033009" of it as string = "02100000") of key (value "DefaultProfile" of it as string) of key "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of (key whose ((it = name of current user as lowercase OR it starts with name of current user as lowercase & "@") of (it as string as lowercase) of value "Logon User Name" of key "Software\Microsoft\Windows\CurrentVersion\Explorer" of it) of key "HKEY_USERS" of registry)

Also, make sure to check for the existence of logged in user when you run this query…
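The three lookup steps and the HKEY_USERS point above, as an added PowerShell example that is not part of the original thread and is not BigFix relevance. It goes beyond the posts by checking every loaded user hive instead of matching "Logon User Name", and the function name `Get-DeliveryPst` is hypothetical.

```powershell
# Added example, not from the thread. Run elevated (or as SYSTEM, as a management
# agent does): HKCU would then be the agent's own hive, so walk HKEY_USERS instead.
$profilesSubKey = 'Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles'

function Get-DeliveryPst {   # hypothetical helper name
    # Only hives of logged-on users are loaded under HKEY_USERS.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $profiles = $hive.OpenSubKey($profilesSubKey)
        if ($null -eq $profiles) { continue }                # no MAPI profiles in this hive

        # Step 1: the default profile name
        $defaultName = $profiles.GetValue('DefaultProfile')
        if ([string]::IsNullOrEmpty($defaultName)) { continue }
        $mapiProfile = $profiles.OpenSubKey($defaultName)
        if ($null -eq $mapiProfile) { continue }

        foreach ($subKeyName in $mapiProfile.GetSubKeyNames()) {
            $svc = $mapiProfile.OpenSubKey($subKeyName)
            if ($null -eq $svc) { continue }

            # Step 2: keep only the key whose "00033009" is REG_BINARY 02 10 00 00
            $flag = $svc.GetValue('00033009')
            if ($flag -isnot [byte[]]) { continue }
            if ([BitConverter]::ToString($flag) -ne '02-10-00-00') { continue }

            # Step 3: PST path from "001e6700" (REG_SZ per the thread), then its size
            $pstPath = $svc.GetValue('001e6700')
            if ($pstPath -isnot [string] -or $pstPath -eq '') { continue }
            $size = $null                                     # stays null if the file is unreachable
            if (Test-Path -LiteralPath $pstPath -PathType Leaf) {
                $size = (Get-Item -LiteralPath $pstPath -Force).Length
            }
            [pscustomobject]@{
                Sid = $hive.PSChildName; Profile = $defaultName
                PstPath = $pstPath; SizeBytes = $size
            }
        }
    }
}

Get-DeliveryPst | Format-Table -AutoSize
```

Every missing key or value is skipped rather than raised, which is the existence checking the replies recommend; an empty result means no logged-on user has a matching delivery PST.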

(imported comment written by HGA8191)

That worked perfectly! Thanks for your great help! :o)

(imported comment written by Nitin_Gupta91)

Hello,

Can someone help me to fetch the value from the current user profile?

"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\<ProfileName>\13dbb0c8aa05101a9bb000aa002fc45a"

Value name: 00036601

Any help on the same would be appreciated.

Thanks.

(imported comment written by BenKus)

Does this work:

values "00036601" of keys "13dbb0c8aa05101a9bb000aa002fc45a" of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry

Ben

(imported comment written by Nitin_Gupta91)

Thanks Ben !!!

It worked the way it is supposed to work. Thanks again :)