Microsoft Removal Tool secondary detection

Hi all,

I’m not very savvy with the relevance language here. I discovered today that one of our engineers manually installed the MRT on a couple servers but Bigfix is still reporting the MRT - Upgrade is relevant because it is looking at the reg key “HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\MSTools\RemovalTool\Statistics”. My intention here is to add a secondary reg key detection in case this occurs again. So far I have the below, however the Fixlet debugger is reporting false no matter what value I put in after the =. If someone can give me assistance, it would be much appreciated. Thanks in advance.

exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT" of registry AND (value "Version" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT" of registry as string as version) = "3AC662F4-BBD5-4771-B2A0-164912094D5D"

What do you get in the fixlet debugger when you run

value "Version" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT" of registry 

Also you are comparing a version to what looks like a GUID. Are you sure that is what you want?

Thanks for your reply. Basically, I’m trying to have the statement evaluate true if the value for “Version” is 3AC662F4-BBD5-4771-B2A0-164912094D5D as that refers to the March 2016 MRT.

Below is what I received from the Fixlet debugger:

Q: value "Version" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT" of registry
E: Singular expression refers to nonexistent object.
T: 6921

Do you have an example of one that returns data?

BigFix client, being a 32-bit application, gets redirected by default and your query actually examines HKLM\Software\Wow6432Node\Microsoft.


value "Version" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT" of native registry

Yes I used that before, it gives the value for the “Version”, however, I am asking it to evaluate True if the value for “Version” is “3AC662F4-BBD5-4771-B2A0-164912094D5D”

Ok, good. If you notice, the relevance I gave queries “of native registry” rather than “of registry”. Try plugging “of native registry” into your existing relevance to see if that gives the true/false you’re looking for.

By using “of native registry”, we bypass the 32-bit redirection and query the real registry key.

exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT" of native registry AND (value "Version" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT" of native registry as string as version) = "3AC662F4-BBD5-4771-B2A0-164912094D5D"

I think you can also simplify the query somewhat with

exists values "Version" whose (it as string = "3AC662F4-BBD5-4771-B2A0-164912094D5D") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT" of native registry

By using the plural forms of “values” and “keys”, you don’t have to check for non-existence of the key/value.

Yes I did notice that and I tried inputting it into my original statement, which still came up false. However, your simplified version worked like a charm! Much appreciated! :grinning:

Ok, it’s probably because you were trying to cast the GUID into a Version type, and the cast fails. In BigFix the “Version” data type represents dotted version-numbers, like “1”, “1.0”, “1.0.1”, or “”. It’s intended to be used to check application version numbers better than a numeric/alphabetical sort, for instance to understand that version “3.19” is higher than version “3.2” even though character-by-character evaluation would have shown the “.2” as higher than “.1”.

I generally always check both registries even when not required:

unique values of (it as string) of values "Version" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT" of (x64 registry; x32 registry)

This general form is just what I always use, except in rare cases where there are different values in each registry.
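
To confirm on an endpoint which registry view actually holds the MRT "Version" value discussed in this thread, the following PowerShell reads the key from both the 64-bit and 32-bit views and compares the value as a string. It is an added example, not posted by any participant; it assumes PowerShell 3.0 or later on .NET 4 or later, and the function name Get-ValueFromView is hypothetical.

```powershell
# Added example (not from the thread): read the MRT key from both registry
# views, the same two views that "x64 registry" and "x32 registry" select.
# $ExpectedGuid defaults to the March 2016 value quoted in the thread.
param(
    [string]$SubKey       = 'SOFTWARE\Microsoft\RemovalTools\MRT',
    [string]$ValueName    = 'Version',
    [string]$ExpectedGuid = '3AC662F4-BBD5-4771-B2A0-164912094D5D'
)

function Get-ValueFromView {   # hypothetical helper name
    param(
        [Microsoft.Win32.RegistryView]$View,
        [string]$SubKey,
        [string]$ValueName
    )
    # OpenBaseKey pins the view explicitly, so the answer does not depend on
    # whether this PowerShell host is a 32-bit or a 64-bit process.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)          # $null when the key is absent
        if ($null -eq $key) { return $null }
        try     { return $key.GetValue($ValueName) }   # $null when value absent
        finally { $key.Close() }
    }
    finally { $base.Close() }
}

$results = foreach ($view in 'Registry64', 'Registry32') {
    $raw = Get-ValueFromView -View $view -SubKey $SubKey -ValueName $ValueName
    [pscustomobject]@{
        View    = $view
        Present = $null -ne $raw
        Value   = $raw
        # Plain case-insensitive string comparison: a GUID is not a dotted
        # version number, so no version cast is attempted.
        Match   = ($null -ne $raw) -and ("$raw" -ieq $ExpectedGuid)
    }
}

$results | Format-Table -AutoSize
"Process is 64-bit: $([Environment]::Is64BitProcess)"
```

A row with Present = False for Registry32 and Present = True for Registry64 corresponds to the "nonexistent object" error from "of registry" and the successful result from "of native registry" on a 64-bit server.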