Failed Analysis from Registry key

Hello,

I am trying to run an analysis on some registry keys to return true if the key exists.

exists key whose (value "DisplayName" of it as string contains ",,sup-ap-pwvprint,ACCT7") of key "HKCU\Printers\Connections\,,sup-ap-pwvprint,ACCT7" of (x64 registries; x32 registries)

This is my relevance, but it's still returning False even though the key exists on the endpoint.
I feel like this should be correct; maybe I'm missing some more relevance?

HKCU…

The BigFix agent runs as SYSTEM, so its HKCU is not the same as the user's HKCU.

I'm on a phone now, and can't be sure I'll conjure up the correct syntax, but a search of the forum for some variant of 'key of logged on user' should get you something useful.

1 Like

It's because you are looking in the "Current User" and BigFix runs as the System User. As to how to find it, I will leave that up to others that know more on how to do so.

1 Like

The easiest way to refer to the user registry is user keys of logged on users.

q: keys "Printers\Connections" of user keys of logged on users
A: HKEY_USERS\S-1-5-21-1862586638-1684353032-3949902452-1001\Printers\Connections

I'd note that this creation class always uses the native registry path; the 32-bit redirection doesn't apply to the HKEY_USERS hive.

I'd use it as a plural, as there can be multiple logged-on users at once. So the comparisons are a bit different:

The following should be True if there are no users with the printer connection defined. However, it's also True if there is no user logged on at all…

q: exists keys whose (value "DisplayName" of it as string contains ",,sup-ap-pwvprint,ACCT7") of keys "Printers\Connections" of user keys of logged on users
A: False

The following should be True if there is any logged on user with the key present…

q: exists logged on users whose (exists keys whose (value "DisplayName" of it as string contains ",,sup-ap-pwvprint,ACCT7") of keys "Printers\Connections" of user keys of it)

The following should be True if there is any logged on user who is missing the key…

q: exists logged on users whose (not exists keys whose (value "DisplayName" of it as string contains ",,sup-ap-pwvprint,ACCT7") of keys "Printers\Connections" of user keys of it)

Also, in the Fixlet Debugger, be sure to select Evaluate -> Evaluate Using -> Local Client, as this has to be evaluated as the LocalSystem account to retrieve another user's registry hive.

4 Likes
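To see from the endpoint itself what the SYSTEM-context agent sees, here is an added PowerShell check (not from this thread and not BigFix's own tooling) that walks the loaded per-user hives under HKEY_USERS for the same `Printers\Connections` key and reproduces the any-user / any-missing / none distinction from the answer above. It assumes it is run as SYSTEM or another account allowed to read other users' hives, and that the printer subkeys carry a `DisplayName` value as the original question states.

```powershell
# Added example: emulate the BigFix agent's view of the registry.
# Run as SYSTEM (or an account that can read other users' hives).
$subKey     = 'Printers\Connections'
$displayPat = ',,sup-ap-pwvprint,ACCT7'   # printer name from the original question

# HKCU always means the hive of the account this process runs as.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Running as $($me.Name); HKCU maps to HKEY_USERS\$($me.User.Value)"

# Per-user hives are only loaded while that user is logged on, so the
# S-1-5-21-* keys under HKEY_USERS (minus the *_Classes keys) are the same
# set that 'user keys of logged on users' enumerates in relevance.
# No WOW64 redirection applies here, matching the note about HKEY_USERS.
$userSids = Get-ChildItem 'Registry::HKEY_USERS' |
    ForEach-Object { $_.PSChildName } |
    Where-Object { $_ -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

$results = foreach ($sid in $userSids) {
    $base = "Registry::HKEY_USERS\$sid\$subKey"
    $hasPrinter = $false
    if (Test-Path $base) {
        # One subkey per printer connection; compare its DisplayName value,
        # like 'value "DisplayName" of it as string contains ...' in relevance.
        foreach ($k in Get-ChildItem $base) {
            $dn = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).DisplayName
            if ($dn -is [string] -and $dn.Contains($displayPat)) { $hasPrinter = $true; break }
        }
    }
    [pscustomobject]@{ Sid = $sid; HasPrinter = $hasPrinter }
}

$results | Format-Table -AutoSize

# The three relevance quantifiers from the answer, side by side:
$anyUser    = @($results | Where-Object { $_.HasPrinter }).Count -gt 0       # exists logged on users whose (exists keys ...)
$anyMissing = @($results | Where-Object { -not $_.HasPrinter }).Count -gt 0  # exists logged on users whose (not exists keys ...)
$noneHave   = -not $anyUser   # 'not exists keys ... of user keys of logged on users': also True with nobody logged on
"Any user has it: $anyUser; any user missing it: $anyMissing; none have it (or no user logged on): $noneHave"
```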

This was very informative. Thank you for the help! I will work on this for sure!

It's taking me a little bit to wrap my head around the fact that everything is run as a system user haha. This is all pretty new to me. I appreciate all the help!

1 Like