How to handle zero-length binary registry values?

(imported topic written by eammendola)

I am trying to create an analysis which captures a registry value, which is simple enough. However, I am having a problem with setting up a returned response if the data is a zero-length binary value.

In this example:

if
  (
    exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\stuff\Install" of native registry)
    and (exists value "SourceLocation" of key "HKEY_LOCAL_MACHINE\SOFTWARE\stuff\Install" of native registry)
    and (value "SourceLocation" of key "HKEY_LOCAL_MACHINE\SOFTWARE\stuff\Install" of native registry is not "")
  )
then
  (value "SourceLocation" of key "HKEY_LOCAL_MACHINE\SOFTWARE\stuff\Install" of native registry as string)
else
  ("No SourceLocation Data")

The code above works great for string values, but my value is REG_BINARY, so the double quotes looking for an empty string do not work. The zero-length binary value “exists”, but is not something (to my knowledge) I can return or compare, like a 1 or 0. If the value contains anything it will return that information, but if it is zero-length, a “Singular expression refers to nonexistent object.” is returned.

Is there a way around this?

(imported comment written by jgstew)

Does this work?

((value "SourceLocation" of key "HKEY_LOCAL_MACHINE\SOFTWARE\stuff\Install" of native registry as string) | "NoValue")

(imported comment written by eammendola)

That does in fact work. Thanks!

(imported comment written by jgstew)

You are welcome.

It took me quite a long time to figure out how to use the “|”.

Here is an example of an Analysis Property doing it the “hard” way:
http://bigfix.me/relevance/details/2998470

Here is the exact same example the “easy” way:
http://bigfix.me/relevance/details/2998536