Finding out if the logged-on user has Teams installed and running

It’s an AAD account. Does this not work with AAD?

I’m not at all sure; I wasn’t aware of a limitation around this but I don’t have an AAD handy with which to test.

Hoping someone else with AAD configured can try this out and report here?

Sorry, got everything but AAD :confounded:

1 Like

Can you try these? Again in ‘local client evaluation mode’. This should show whether we can resolve AAD accounts to SIDs and whether we can create the user object from a SID instead of from a logged on user.

q: names of logged on users

q: sids of logged on users

q: user keys of logged on users

q: names of users of sids of logged on users

q: home directory folders of users of sids of logged on users

1 Like

See below. Obfuscated, of course.

q: names of logged on users
A: UserName
T: 0.021 ms

q: sids of logged on users
A: AzureAD\UserName
T: 0.018 ms

q: user keys of logged on users
A: HKEY_USERS\S-1-12-1-111111111111111
T: 0.018 ms

q: names of users of sids of logged on users
T: 0.000 ms

q: home directory folders of users of sids of logged on users
T: 0.000 ms

@JasonWalker since the SID seems to be working how would I use that to get the path of the logged in user?

I think we’ve looped back around to your original working relevance - finding that sid in the ProfileList registry path.

The ‘user of logged on user’ inspector documents it as specifically a link between Active Directory and a logged-on user, so I think that’s where AAD has a gap in the inspector per
https://developer.bigfix.com/relevance/reference/logged-on-user.html#user-of-logged-on-user-user

Ok I am trying to go down that path but getting tripped up over finding a file in the path. This works:

exists folders "Teams" whose ( exists folders "current" of it ) of folders "AppData\Local\Microsoft" of folders ( value "ProfileImagePath" of keys whose ( name of it = ( component string of sid of logged on user whose ( active of it = True ) as string ) ) of key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry as string )

But this does not:

exists folders "Teams" whose ( exists folders "current" **whose ( exists files whose ( name of it = "Teams.exe" ) of it )** of it ) of folders "AppData\Local\Microsoft" of folders ( value "ProfileImagePath" of keys whose ( name of it = ( component string of sid of logged on user whose ( active of it = True ) as string ) ) of key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry as string )

I’m banging my head trying to figure out why looking for the file in the folder path does not work but it can find the folder.

Edit: I ran this, and it resolves to the path of the profile instead of the subfolder path:

q: pathname of folders "Teams" whose ( exists folders "current" of it ) of folders "AppData\Local\Microsoft" of folders ( value "ProfileImagePath" of keys whose ( name of it = ( component string of sid of logged on user whose ( active of it = True ) as string ) ) of key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry as string )
A: C:\Users\UserName
T: 0.064 ms

I think that is the key issue. It is not treating the path as a folder but rather a string.

Is this a file permissions issue? Perhaps LocalSystem is explicitly blocked, or access is excessively restricted?

No because this works:

if (exists folders "Teams" whose (exists folders "current" whose (exists files whose (name of it = "Teams.exe") of it) of it) of folders "AppData\Local\Microsoft" of folders (name of logged on user whose (active of it = True)) of folders "c:\users") then ( if ( exists process "teams.exe" ) then ( "Running" ) else ( "Not Running" ) ) else ("Not Installed")

The only issue with the above is that it does not work if the username and profile path name differ, which is why I opted to go with the ProfileImagePath instead.

It comes down to the NUL character at the end of the REG_EXPAND_SZ type of the ProfileImagePath Value. The NUL is printed as %00 in the Fixlet Debugger normally:

Q: (substring (0, length of it - 1) of it, it) of ((values "ProfileImagePath" of keys whose (name of it = "S-1-5-21-2861335655-1386391147-1020760451-500") of keys "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry) as string) 
A: C:\Users\Administrator, C:\Users\Administrator%00
T: 0.402 ms

When evaluating using the Client, you can’t see the NUL.

Q: (substring (0, length of it - 1) of it, it) of ((values "ProfileImagePath" of keys whose (name of it = (component string of sid of logged on user whose (active of it = True) as string )) of keys "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry) as string)
A: C:\Users\Administrator, C:\Users\Administrator

.

Q: exists folders "Teams" whose (exists folders "current" of it ) of folders "AppData\Local\Microsoft\" of folders (substring (0, length of it - 1) of ((value "ProfileImagePath" of key whose (name of it = (component string of sid of logged on user whose (active of it = True) as string )) of key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry) as string))
A: True

.

Q: exists folders "Teams" whose (exists folders "current" whose (exists files whose (name of it = "Teams.exe") of it) of it ) of folders "AppData\Local\Microsoft\" of folders (substring (0, length of it - 1) of ((value "ProfileImagePath" of key whose (name of it = (component string of sid of logged on user whose (active of it = True) as string )) of key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry) as string))
A: True
4 Likes

Not sure why, but for some reason, the quotes appear unbalanced in the code above. Check closely if you copy it from here…

Thank you! You’re right, I didn’t see the NUL. In fact, I saw another forum post that referenced this and I ignored it because I didn’t see it there either. Lesson learned: always trust in the solutions on here, no matter what your eyes tell you LOL

1 Like

I’m glad I could help.

2 Likes
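The trailing-NUL behaviour resolved in this thread, as an added Python example that is not part of the original posts or of BigFix. The registry bytes, file set and process set are constructed sample data, and all function names are hypothetical. It cuts the value at the first NUL rather than always dropping the last character, so a value stored without a terminator is left intact.

```python
import ntpath

# Constructed sample: raw REG_EXPAND_SZ data as it would sit under
# HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>.
# The SID is the obfuscated one from the thread; the bytes are made up.
PROFILE_LIST = {
    "S-1-12-1-111111111111111": "C:\\Users\\UserName\0".encode("utf-16-le"),
}
# Constructed stand-ins for the endpoint's file system and process table.
FILES = {r"c:\users\username\appdata\local\microsoft\teams\current\teams.exe"}
PROCESSES = {"teams.exe"}


def raw_value(data: bytes) -> str:
    """Decode the value as stored, terminator included (the failing case)."""
    return data.decode("utf-16-le")


def clean_value(data: bytes) -> str:
    """Decode and cut at the first NUL; unchanged if no terminator exists."""
    return data.decode("utf-16-le").split("\0", 1)[0]


def teams_exe_path(profile_dir: str) -> str:
    """Build the per-user Teams.exe path checked in the thread."""
    return ntpath.join(profile_dir, "AppData", "Local", "Microsoft",
                       "Teams", "current", "Teams.exe")


def teams_status(sid, decode=clean_value, files=FILES, processes=PROCESSES):
    """Return 'Not Installed', 'Running' or 'Not Running' for a SID's profile."""
    data = PROFILE_LIST.get(sid)
    if data is None:
        return "Not Installed"
    # With raw_value the NUL ends up inside the path, so the lookup misses.
    if teams_exe_path(decode(data)).lower() not in files:
        return "Not Installed"
    return "Running" if "teams.exe" in processes else "Not Running"


if __name__ == "__main__":
    sid = "S-1-12-1-111111111111111"
    print("raw value  :", teams_status(sid, decode=raw_value))
    print("clean value:", teams_status(sid))
```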