False positive in HKEY_CURRENT_USER relevance

Hi.
I ask please for your help.

I have this registry string that in fact does exist, but the relevance I'm trying gives a false positive: it says true when it should be false, and vice versa.

Computer\HKEY_CURRENT_USER\Control Panel\Desktop\MYSTRING

not exists (values "SCRNSAVE.EXE" whose (it as string as lowercase contains "MYSTRING") of keys "HKEY_CURRENT_USER\$(sid of user of logged on user)\Control Panel\Desktop" of (x64 registries; x32 registries))

Update. I don't know how important this is.

The value data can contain the trimmed value ~1, as this is the way Windows handles setting a screen saver, so it appears with the ending ~1.SCR.

Please help!

HKEY_CURRENT_USER is a virtual hive. It’s mapped to the current user session - and for BESClient, it’s the LocalSystem account’s user hive.

$(sid of user of logged on user) has no meaning at all in Relevance. It’s not a variable substitution. This would literally look for a key name starting with a $ symbol and parentheses.

What you’ll want to start with is user keys of logged on users, see $(sid of user of logged on user

For more examples see similar discussions at Relevance for HKEY_USERS Key Value

2 Likes

Also, in the Fixlet Debugger, be sure to evaluate in 'local client mode'.

2 Likes

Thanks
Now I’m trying with the following relevance but still getting false positive:

not exists (values "SCRNSAVE.EXE" whose (it as string as lowercase contains "MYSTRING") of keys "Control Panel\Desktop" of user keys of logged on users)

Would you suggest a fix please?
I'm also using local client mode in the Fixlet Debugger.

You do know that by using “not exists” it will evaluate to true if the string does NOT exist and false if it DOES exist, right?

Hi
Yes, actually that is why I'm looking for help. MYSTRING does exist and the "not exists" relevance results in true.
I think the issue is something that @JasonWalker pointed out, but I still have not found the solution.

When troubleshooting relevance, start by testing the results of the simplest pieces:

Exists logged on users

Pathnames of user keys of logged on users

Pathnames of keys "Control Panel\Desktop" of user keys of logged on users

values "SCRNSAVE.EXE" of keys "Control Panel\Desktop" of user keys of logged on users

I think you’ll end up finding that the comparison is case-sensitive; you’re checking

(it as string as lowercase contains "MYSTRING")

…so you’re forcing the value to lowercase; is the “MYSTRING” you’re checking also entered in all-lowercase, or should you force it to lowercase as well?

(it as string as lowercase contains "MYSTRING" as lowercase)
1 Like
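A small Python model of the comparison this post describes, added here as an illustration (it is not BigFix code and not from the thread; the in-memory registry, the SIDs and the screen-saver paths are constructed). It reproduces the logic of `not exists (values "SCRNSAVE.EXE" whose (it as string as lowercase contains "MYSTRING") of keys "Control Panel\Desktop" of user keys of logged on users)` so the case-sensitivity false positive, the literal `$(sid ...)` key name, and the 8.3 short-name caveat from the update can all be seen offline:

```python
"""Python model of the BigFix relevance comparison discussed in the thread.

Added example, not BigFix code. It mimics, over a constructed stand-in for
the registry, the evaluation of:

    not exists (values "SCRNSAVE.EXE"
                whose (it as string as lowercase contains "MYSTRING")
                of keys "Control Panel\\Desktop" of user keys of logged on users)
"""

from typing import Dict, List

# Constructed sample: three logged-on users' hives (SIDs are made up).
# User 1001 has the full screen-saver name, 1002 a different saver, and
# 1003 the 8.3 short-name form (~1.SCR) that the thread's update mentions.
USER_KEYS: Dict[str, Dict[str, Dict[str, str]]] = {
    "S-1-5-21-1111111111-2222222222-3333333333-1001": {
        "Control Panel\\Desktop": {"SCRNSAVE.EXE": r"C:\Windows\MYSTRING.scr"},
    },
    "S-1-5-21-1111111111-2222222222-3333333333-1002": {
        "Control Panel\\Desktop": {"SCRNSAVE.EXE": r"C:\Windows\System32\Bubbles.scr"},
    },
    "S-1-5-21-1111111111-2222222222-3333333333-1003": {
        "Control Panel\\Desktop": {"SCRNSAVE.EXE": r"C:\Windows\MYSTRI~1.SCR"},
    },
}


def values_of_keys(user_keys: Dict[str, Dict[str, Dict[str, str]]],
                   subkey: str, value_name: str) -> List[str]:
    """Model of `values NAME of keys SUBKEY of user keys of logged on users`.

    Collects the value data from every logged-on user's hive; hives where the
    key or value is missing simply contribute nothing, as relevance does.
    """
    found = []
    for hive in user_keys.values():
        key = hive.get(subkey)
        if key is not None and value_name in key:
            found.append(key[value_name])
    return found


def not_exists_match(values: List[str], needle: str, lowercase_needle: bool) -> bool:
    """Model of `not exists (values ... whose (it as string as lowercase contains NEEDLE))`.

    `contains` is case-sensitive. The value is forced to lowercase, so the
    needle must be lowercase as well. With lowercase_needle=False an upper-case
    needle can never match, and "not exists" reports True: the false positive
    the original poster saw.
    """
    probe = needle.lower() if lowercase_needle else needle
    return not any(probe in value.lower() for value in values)


def matching_values(values: List[str], needle: str) -> List[str]:
    """Values that match once both sides are lowercased (the corrected check).

    Note that an 8.3 short name such as MYSTRI~1.SCR does not contain the full
    name, so it is not matched; a value in that form needs its own check.
    """
    probe = needle.lower()
    return [value for value in values if probe in value.lower()]


def literal_sid_path_exists(user_keys: Dict[str, Dict[str, Dict[str, str]]],
                            sid_expression: str) -> bool:
    """The thread's first attempt wrote "$(sid of user of logged on user)"
    inside a string literal. Relevance performs no substitution there, so the
    lookup is for a key literally named with that text, which no hive has.
    """
    return sid_expression in user_keys


if __name__ == "__main__":
    found = values_of_keys(USER_KEYS, "Control Panel\\Desktop", "SCRNSAVE.EXE")
    print("values:", found)
    print("not exists, upper-case needle :", not_exists_match(found, "MYSTRING", False))
    print("not exists, lower-case needle :", not_exists_match(found, "MYSTRING", True))
    print("matched values                :", matching_values(found, "MYSTRING"))
    print("literal $(sid ...) key exists :",
          literal_sid_path_exists(USER_KEYS, "$(sid of user of logged on user)"))
```

With the upper-case needle the "not exists" test reports True even though the value is present; lowercasing both sides, as in the corrected relevance, makes it report False. The short-name value is left in the sample to show why a `~1.SCR` entry would still need a separate check.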

Thank you Jason. You're right, the case validation solved my problem.

2 Likes