not exists (values "SCRNSAVE.EXE" whose (it as string as lowercase contains "MYSTRING") of keys "HKEY_CURRENT_USER\$(sid of user of logged on user)\Control Panel\Desktop" of (x64 registries; x32 registries))
The Value Data can contain the following trimmer value ~1 as this is the way windows handle this stuff of setting a screen saver, so it appear with the ending ~1.SCR.
HKEY_CURRENT_USER is a virtual hive. It’s mapped to the current user session - and for BESClient, it’s the LocalSystem account’s user hive.
$(sid of user of logged on user) has no meaning at all in Relevance. It’s not a variable substitution. This would literally look for a key name starting with a $ symbol and parentheses.
What you’ll want to start with is user keys of logged on users, see $(sid of user of logged on user
Thanks
Now I’m trying with the following relevance but still getting false positive:
not exists (values "SCRNSAVE.EXE" whose (it as string as lowercase contains "MYSTRING") of keys "Control Panel\Desktop" of user keys of logged on users)
Would you suggest a fix please?
I’m also using local client mode in the fixlet debuger.
Hi
Yes, actually that is why I’m looking for help. MYSTRING does exists and the not exists relevance results in true.
I think the issue is something that @JasonWalker pointed but still not find the solution.
When troubleshooting relevance, start by testing results of the simplest pieces
Exists logged on users
Pathnames of user keys of logged on users
Pathnames of keys "Control Panel\Desktop" of user keys of logged on users
values "SCRNSAVE.EXE" of keys "Control Panel\Desktop" of user keys of logged on users
I think you’ll end up finding that the comparison is case-sensitive; you’re checking
(it as string as lowercase contains "MYSTRING")
…so you’re forcing the value to lowercase; is the “MYSTRING” you’re checking also entered in all-lowercase, or should you force it to lowercase as well?
(it as string as lowercase contains "MYSTRING" as lowercase)