I’ve activated the ‘Network Drivers’ analysis within BigFix, and I’m noticing that all 64-bit clients are returning “” as the value for the driver version propertly. This isn’t surprising since it references the registry. The
original
analysis looks like this:
(( version of file ( pathname of windows folder & “” & ( value “ImagePath” of it as string ) ) ) as string ) of keys ( ( “HKLM\SYSTEM\CurrentControlSet\Services” & service key value name of it ) of active devices whose ( ( class of it = “Net” ) AND ( exists location information of it ) ) ) of registry as string
I tried changing “registry” to “x64 registry” in the relevance debugger, but I’m getting the following result (which happens to be the same result I get using the original analysis):
q: (( version of file ( pathname of windows folder & “” & ( value “ImagePath” of it as string ) ) ) as string ) of keys ( ( “HKLM\SYSTEM\CurrentControlSet\Services” & service key value name of it ) of active devices whose ( ( class of it = “Net” ) AND ( exists location information of it ) ) ) of x64 registry as string
E: Singular expression refers to nonexistent object.
This appears to be the case ONLY with 64-bit clients, so I’m curious if there is some alteration that needs to be made to the syntax to point the analysis to the right place. That’s my thinking at the moment, but if anyone has any other ideas, I’m VERY open to hearing them.
Try using “of native registry” which will evaluate to the proper location for both x86 and x64 machines.
(( version of file ( pathname of windows folder & “” & ( value “ImagePath” of it as string ) ) ) as string ) of keys ( ( “HKLM\SYSTEM\CurrentControlSet\Services” & service key value name of it ) of active devices whose ( ( class of it = “Net” ) AND ( exists location information of it ) ) ) of native registry as string
If this doesn’t work, then I would start looking at the relevance to make sure it evaluates properly.
Good suggestion - however I forgot to mention that I did try this as well:
q: (( version of file ( pathname of windows folder & “” & ( value “ImagePath” of it as string ) ) ) as string ) of keys ( ( “HKLM\SYSTEM\CurrentControlSet\Services” & service key value name of it ) of active devices whose ( ( class of it = “Net” ) AND ( exists location information of it ) ) ) of native registry as string
E: Singular expression refers to nonexistent object.
That’s a good question. It was included in the original analysis which is included in a base BigFix install, so in short, I didn’t author this code and I’m not sure what “ImagePath” comes from. I also don’t know what “active devices” comes from either. I was trying to find a way to test different elements of the code, such as the value of “ImagePath”, but I’m afraid my inexperience with the syntax was getting in the way of making any progress with that, so I’m resorting to the forum.
I basically want the information provided by the analysis “Network Drivers” to return the same results for 64-bit client that it does for 32-bit clients - a list of network interfaces and driver versions.
Good suggestion Ben. I tried that and got the following result, which tells me that portion of the code is good.
q: number of active devices whose ( ( class of it = “Net” ) and (exists location information of it ))
A: 2
I’m guessing the issue must lie in the relevance earlier in the code. Any suggestions on breaking up those parts of the code and testing? I’m a bit lost on the “whose” and “it” syntax BigFix uses here. Thanks for the guidance here gents!
This should help decompose the problem by listing the reg keys and the files:
q: (service key value names of it, “HKLM\SYSTEM\CurrentControlSet\Services” & service key value name of it ) of active devices whose ( ( class of it = “Net” and exists location information of it) )
A: b57nd60x, HKLM\SYSTEM\CurrentControlSet\Services\b57nd60x
A: NETw5v32, HKLM\SYSTEM\CurrentControlSet\Services\NETw5v32
T: 83.895 ms
I: plural ( string, string )
q: (( ( pathname of windows folder & “” & ( value “ImagePath” of it as string ) ) ) as string ) of keys ( ( “HKLM\SYSTEM\CurrentControlSet\Services” & service key value name of it ) of active devices whose ( ( class of it = “Net” ) AND ( exists location information of it ) ) ) of registry as string
A: C:\Windows\system32\DRIVERS\b57nd60x.sys%00
A: C:\Windows\system32\DRIVERS\NETw5v32.sys%00
Again Ben, thanks for the suggestion. I’m getting a similar result to what you received. Any further suggestions?
q: (service key value names of it, “HKLM\SYSTEM\CurrentControlSet\Services” & service key value name of it ) of active devices whose ( ( class of it = “Net” and exists location information of it) )
q: (( ( pathname of windows folder & “” & ( value “ImagePath” of it as string ) ) ) as string ) of keys ( ( “HKLM\SYSTEM\CurrentControlSet\Services” & service key value name of it ) of active devices whose ( ( class of it = “Net” ) AND ( exists location information of it ) ) ) of registry as string
Ok… so last check is to see if those files exist… and now that I think about it, that is probably where the problem lies… They probably are not in the system32 folder and instead are in the system64 folder (or something like that)…
Can you please verify the file location and I will fix the relevance for you…
This is VERY interesting. The files no in fact exist. I’ve setup my relevance debugger to check the version of a DLL right on the root of the C: drive, another under the Windows\system32 folder, and another under the drivers folder and it seems the only issue is when you attempt to check files versions under the drivers folder.
q: version of file (“C:\WINDOWS\system32\DRIVERS\b57amd64.sys”)
E: Singular expression refers to nonexistent object.
q: version of file (“C:\install.res.1028.dll”)
A: 9.0.21022.8
q: version of file (“C:\WINDOWS\system32\aaaamon.dll”)
A: 5.2.3790.1830
q: version of file (“C:\WINDOWS\system32\drivers\afd.sys”)
E: Singular expression refers to nonexistent object.
I believe that is expected when you have a pure x64 file because Windows uses different libraries to access them… You can access them in relevance with the x64 file inspector… Try this:
q: version of x64 file (“C:\WINDOWS\system32\DRIVERS\b57amd64.sys”)
And then try the original expression modified to deal with x64 files:
q: (( versions of (if (x64 of operating system) then x64 file(it) else file (it)) of ( pathname of windows folder & “” & ( value “ImagePath” of it as string ) ) ) as string ) of keys ( ( “HKLM\SYSTEM\CurrentControlSet\Services” & service key value name of it ) of active devices whose ( ( class of it = “Net” ) AND ( exists location information of it ) ) ) of registry as string
I ran the full modified expression and got accurate results. Thanks so much Ben! I hope others will find this helpful to update the builtin “Network Drivers” analysis to include 64-bit OSes. Sure wish BigFix had a way to update these for us through a fixlet though. Thanks again, Ben.
q: (( versions of (if (x64 of operating system) then x64 file(it) else file (it)) of ( pathname of windows folder & “” & ( value “ImagePath” of it as string ) ) ) as string ) of keys ( ( “HKLM\SYSTEM\CurrentControlSet\Services” & service key value name of it ) of active devices whose ( ( class of it = “Net” ) AND ( exists location information of it ) ) ) of registry as string
