Discrepancy between BigFix console output and relevance debugger

(imported topic written by SystemAdmin)

I have developed a Property for an analysis to return the value of “Audit Logon Events” for a Windows 2003 server. In the console, the Property returns “Success/Failure,” and I have verified that is what is set on the client. I then ran the same relevance on the client via the Relevance Debugger, but it returned “Error - Requires manual checking” (which is what I have specified as my “else” statement at the end). Any thoughts as to why they would be evaluating the relevance differently?

Here is the relevance of the property:

if ((version of client >= "7.0.9.164") AND (exists select object "* from RSOP_AuditPolicy where Category = 'AuditLogonEvents'" of rsop computer wmi)) then (if (exists select object "* from RSOP_AuditPolicy where Category = 'AuditLogonEvents'" whose (boolean value of property "Success" of it = true) of rsop computer wmis) then (if (exists select object "* from RSOP_AuditPolicy where Category = 'AuditLogonEvents'" whose (boolean value of property "Failure" of it = true) of rsop computer wmis) then ("Success/Failure") else ("Success")) else (if (exists select object "* from RSOP_AuditPolicy where Category = 'AuditLogonEvents'" whose (boolean value of property "Failure" of it = true) of rsop computer wmis) then ("Failure") else ("No Auditing"))) else (if (exists values of keys "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of registry as string) then (if ((character 17 of (value of key "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of registry as string)) = "3") then ("Success/Failure") else (if ((character 17 of (value of key "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of registry as string)) = "2") then ("Failure") else (if ((character 17 of (value of key "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of registry as string)) = "1") then ("Success") else (if ((character 17 of (value of key "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of registry as string)) = "0") then ("No Auditing") else ("ERROR - Requires manual checking"))))) else ("ERROR - Requires manual checking"))

(imported comment written by BenKus)

Hi Japes,

I think this HKLM\Security key’s default permissions for all users (including admins) is to not be visible… Consider changing the permissions of the key manually with Regedit OR running the FixletDebugger as the SYSTEM account (http://support.bigfix.com/cgi-bin/kbdirect.pl?id=484)

Ben

(imported comment written by SystemAdmin)

Ben

You are absolutely right! I was unable to see the contents of that registry key, but ran a:

at time+1 /interactive regedit.exe

<1 minute later regedit popped up and I was able to see all the entries. Assuming this applies to any .exe (including the debugger), I don’t think I’ll ever have this issue again. Thanks so much for your quick response :slight_smile:

Cheers

Japes