Only Evaluate Property When User Is Logged In

I am trying to get data from the HKCU instance of the registry, and this context is only available when a user is logged in. How can I evaluate a property only when a user is logged in?

Thanks!

  • What are you trying to accomplish?
  • Are you trying to set settings in HKCU if they are not set the way you want?
  • If so, then use Local GPO to do it.

If you are just trying to read the values, you can read the value from ALL user hives.

What is the registry value you are trying to read?

See here: https://bigfix.me/analysis/details/2994785
Specifically this: https://bigfix.me/relevance/details/3002225
Local GPO Example: https://bigfix.me/fixlet/details/3741

1 Like

This might not do exactly as you want but could be another route for you to explore

if ((exists logged on user) and (1 = number of logged on users)) then (((value "USERPROFILE" of key ("HKEY_USERS\" & (component string of sid of security account (name of logged on user)) & "\Volatile Environment") of registry as string))) else (nothing)

1 Like

I have been trying the code from the links you provided to no avail, but I would like to give the requester two options that you mentioned. We are trying to determine if users have saved passwords in IE. This would be signified by value BC50CEA858262E09CFCD98822F5C046BFAA14C06D4 being present in: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

I am hoping you can help me get the code correct. I am looking to:

  • Give a True/False if it’s present in any of the users' registries
  • Give the user name it’s under (if possible)

Any help is appreciated!

1 Like

I am curious what the goal is here.

If you want to prevent users from storing passwords, then that feature should be turned off using Local GPO through BigFix or through Domain GPO.

This is how you would detect that across ALL user registry hives:

exists values "BC50CEA858262E09CFCD98822F5C046BFAA14C06D4" of keys "Software\Microsoft\Internet Explorer\IntelliForms\Storage2" of keys of keys "HKEY_USERS" of (x64 registries; x32 registries)

This is how you would get the names of the user registry hives that have the value:

names of keys whose(exists values "BC50CEA858262E09CFCD98822F5C046BFAA14C06D4" of keys "Software\Microsoft\Internet Explorer\IntelliForms\Storage2" of it) of keys "HKEY_USERS" of (x64 registries; x32 registries)

This info could be used to derive the actual user name of the person with the value… somehow.

Here is an example of using Local GPO through BigFix to disable something: https://bigfix.me/fixlet/details/3741

1 Like
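For auditing the same condition outside of relevance, here is an added PowerShell example (not code from this thread or from BigFix) that checks every loaded hive under HKEY_USERS for the value named above and translates each matching hive's SID to an account name. The function names `Resolve-SidToAccount` and `Get-Storage2Finding` are hypothetical; it assumes an elevated session on the endpoint and, like the relevance above, only sees hives that are currently loaded.

```powershell
# Added example, not from the thread. Value name and key path are the ones quoted above.
$ValueName = 'BC50CEA858262E09CFCD98822F5C046BFAA14C06D4'
$SubKey    = 'Software\Microsoft\Internet Explorer\IntelliForms\Storage2'

function Resolve-SidToAccount {
    # Hypothetical helper: map a SID string to DOMAIN\user, or $null if it cannot be resolved.
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Deleted accounts or unreachable domains cannot be translated.
        $null
    }
}

function Get-Storage2Finding {
    # Hypothetical helper: emit one object per loaded user hive that holds the value.
    $hku = [Microsoft.Win32.Registry]::Users
    foreach ($hive in $hku.GetSubKeyNames()) {
        # Keep only SID-named hives; skips .DEFAULT and the per-user *_Classes hives.
        if ($hive -notmatch '^S-1-\d+(-\d+)+$') { continue }
        $key = $hku.OpenSubKey("$hive\$SubKey")
        if ($null -eq $key) { continue }
        try {
            # Existence check only; the value data is never read.
            if ($key.GetValueNames() -contains $ValueName) {
                [pscustomobject]@{
                    Sid     = $hive
                    Account = Resolve-SidToAccount $hive
                }
            }
        } finally {
            $key.Close()
        }
    }
}

$findings = @(Get-Storage2Finding)
"Present in any loaded hive: $($findings.Count -gt 0)"
$findings | Format-Table -AutoSize
```

Users who are not logged on do not have their NTUSER.DAT loaded under HKEY_USERS, so a False result covers only the hives loaded at the time of the check.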

That should be similar to:

current user key of registry

But in practice, I would do this:

current user keys (logged on users; current users) of registries

On Windows 10, this has to be run as the local client evaluator to get results.

1 Like

Thanks jgstew - It sounds like Windows 10 is going to have some significant changes to how we query using BigFix.

1 Like