Inventory List of Reg Keys (ZoneMap)

(imported topic written by wnolan91)

We are looking for a way to Inventory

1- Can BigFix drill down to a location in the registry and look iteratively at a number of indeterminate keys. What I mean is that there could be no keys or many keys.

The exact registry location is:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

There could be a number of keys in there.

2- Assuming that it is possible to retrieve this information, how is this information going to be presented? i.e. comma delimited format etc?

(imported comment written by brolly3391)

wnolan,

It looks like you are looking for a list of all domains that they entered into their custom zones in IE?

This should give you a good start. It will return a comma-delimited list of the keys.

q: concatenation ", " of names of keys of key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" of registry

A: testlocal.com, testrestricted.com, testtrusted.com

T: 0.414 ms

I: singular string

Seems that pulling the value would be very useful.

dword 1=local zone

dword 2=trusted zone

dword 4=restricted zone

but there are sometimes subkeys of the key (www) that would also need to be tested against. That makes it a little more complicated.

I will put something together (or one of the experts might have something faster than I) and get back to you. This seems like a really nifty line to pursue for a nice retrieved property.

Cheers,

Brolly

(imported comment written by brolly3391)

wnolan,

The registry structure for this is kind of wacky.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

You have domains in the first tier of subkeys. If the zone entry does not have a suffix, such as www or support or forum, then the protocols are in values directly under that key with the dword data in the value set to 1 2 3 or 4. If the zone entry does have a suffix, then there is a subkey with the suffix name and the protocols are in values under that suffix key, again with the dword values 1, 2, 3 or 4. Both conditions can exist for a single domain as well, further complicating things.

So our structure for a given domain is

domain
    protocols = zone

AND/OR

domain\suffix
    protocols = zone

and the return value I was working toward was

Local - protocol://suffix.domain, protocol://suffix.domain, protocol://domain

Trusted - protocol://suffix.domain, protocol://domain

Internet -

Restricted - protocol://domain, protocol://suffix.domain

I can't seem to figure out how to recurse several keys deep while concatenating information from each tier of keys. I could do it if I could use "parent of registry key", but that does not seem to exist.

This kind of works:

q: "Local - " & concatenation ", " of (names of keys whose (exists value whose (it=1) of it or exists value whose (it=1) of keys of it) of key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" of registry) & "%0dTrusted - " & concatenation ", " of (names of keys whose (exists value whose (it=2) of it or exists value whose (it=2) of keys of it) of key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" of registry) & "%0dInternet - " & concatenation ", " of (names of keys whose (exists value whose (it=3) of it or exists value whose (it=3) of keys of it) of key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" of registry) & "%0dRestricted - " & concatenation ", " of (names of keys whose (exists value whose (it=4) of it or exists value whose (it=4) of keys of it) of key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" of registry)

A: Local - testlocal.com, testlocal.org

Trusted - testserver, testtrusted.com

Internet -

Restricted - restricted.org, testtrusted.com

T: 17.845 ms

I: singular string

But I cannot seem to include the suffix and protocol information for the entries, which could be in different zones for the same domain.

I surrender. Jesse? Ben? Tyler? Rad?

Cheers,

Brolly

(imported comment written by BenKus)

Hey Brolly,

This relevance is very tricky due to the complexity of this set of registry keys… You did very well, but you need to employ several tricks that are non-obvious…

q: (if (it starts with "1;;") then "Local - " & following text of first ";;" of it else if (it starts with "2;;") then "Trusted - " & following text of first ";;" of it else if (it starts with "4;;") then "Restricted - " & following text of first ";;" of it else nothings) of (concatenation of substrings separated by ", " of it) of (((it as string & ";;" & name of it & "://") of values of it as string, names of it) as string; ((it as string & ";;" & name of it & "://") of values of keys of it, (it & ".") of names of keys of it, names of it) as string) of (keys of key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" of registry)

A: Restricted - http://altiris.com

A: Trusted - https://www.benkus.com

A: Trusted - http://www.benkus.com

A: Trusted - http://forum.bigfix.com

A: Restricted - http://www.patchlink.com

Note that this uses "tuples" (the commas) and will only work in BES 6.0+ Agents.

One of the tricks is that tuples allow for "cross products", so it will iterate through all the possibilities of (value name, key name). It is a little difficult to understand exactly what it is doing, but this is a very advanced relevance expression.

Ben

(imported comment written by brolly3391)

Ben,

Wow…

Thanks! I had played with using tuples to attack this puzzle, but I did not think to use nested "it"s with them, so I kept getting lists with lots of duplicates or "requires singular expression".

Now, to analyze your code to be sure that I understand:

There are 2 lists generated. The first list is a set of 3 tuples

q: (((it as string & ";;" & name of it & "://") of values of keys of it, (it & ".") of names of keys of it, names of it) as string) of (keys of key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" of registry)

A: 2;;http://, www., benkus.com

A: 2;;http://, forum., bigfix.com

A: 4;;http://, www., patchlink.com

and the second is a set of 2 tuples.

q: ((it as string & ";;" & name of it & "://") of values of it as string, names of it) of (keys of key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" of registry)

A: 4;;http://, altiris.com

A: 2;;https://, benkus.com

Then you use the ";" operator to combine the 2 lists into a single result:

q: (((it as string & ";;" & name of it & "://") of values of keys of it, (it & ".") of names of keys of it, names of it) as string) of (keys of key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" of registry) ; ((it as string & ";;" & name of it & "://") of values of it as string, names of it) of (keys of key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" of registry) as string

A: 2;;http://, www., benkus.com

A: 2;;http://, forum., bigfix.com

A: 4;;http://, www., patchlink.com

A: 4;;http://, altiris.com

A: 2;;https://, benkus.com

My, what interesting restricted zones you have.

The rest is just housekeeping: parsing to remove the commas from the tuples, and some if-thens to decode our 1, 2, 3, and 4 into their text equivalents. I take it that "else nothings" are not quite the same as sweet nothings…

Cheers,

Brolly
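For readers who want the same inventory outside of relevance, here is an added PowerShell example (not code from the thread or from BigFix) that walks the same two-tier structure Brolly described: protocol values directly under each domain key, plus protocol values under each suffix subkey. It assumes the zone id mapping 1/2/3/4 given in the thread and prints any entry with another id under "Other".

```powershell
# Added example: enumerate the current user's IE ZoneMap\Domains and print
# "Zone - protocol://suffix.domain, ..." per zone, like the relevance output above.
# Zone ids 1-4 are assumed from the thread; anything else is reported under "Other".
$zoneNames = @{ 1 = 'Local'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneEntries {
    param([string]$Path)
    $results = @()
    foreach ($domainKey in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        $domain = $domainKey.PSChildName
        # Tier 1: protocol values (http, https, ...) directly under the domain key.
        # The value name is emitted as-is, so a wildcard entry shows up as "*://domain".
        foreach ($proto in ($domainKey.GetValueNames() | Where-Object { $_ -ne '' })) {
            $results += [pscustomobject]@{
                Zone = [int]$domainKey.GetValue($proto)
                Url  = "$($proto)://$($domain)"
            }
        }
        # Tier 2: suffix subkeys (www, forum, ...) carrying their own protocol values.
        foreach ($suffixKey in Get-ChildItem -Path $domainKey.PSPath -ErrorAction SilentlyContinue) {
            $suffix = $suffixKey.PSChildName
            foreach ($proto in ($suffixKey.GetValueNames() | Where-Object { $_ -ne '' })) {
                $results += [pscustomobject]@{
                    Zone = [int]$suffixKey.GetValue($proto)
                    Url  = "$($proto)://$($suffix).$($domain)"
                }
            }
        }
    }
    return $results
}

$entries = Get-ZoneEntries -Path $base
foreach ($zoneId in 1..4) {
    $urls = @($entries | Where-Object { $_.Zone -eq $zoneId } | ForEach-Object { $_.Url } | Sort-Object) -join ', '
    "{0} - {1}" -f $zoneNames[$zoneId], $urls
}
$other = @($entries | Where-Object { $_.Zone -lt 1 -or $_.Zone -gt 4 } | ForEach-Object { "$($_.Url) (zone $($_.Zone))" })
if ($other.Count -gt 0) { "Other - " + ($other -join ', ') }
```

Because the data lives under HKEY_CURRENT_USER, run this in the context of the user whose zones you are inventorying; an elevated or service session sees a different hive.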