Populate Analyses Property with registry values

(imported topic written by wustldz)

I’m attempting to populate a property with the names of the keys of a registry key. Using TEM 8.X I created the following:

(if exists (key “HKEY_CURRENT_USERSPrinters\Connections” of registry) then (("") of (keys of key “HKEY_CURRENT_USERSPrinters\Connections” of registry)) else “No printer connections”)

This works well from the debugger but when evaluated by the client via the property it displays the else clause “No printer connections”.

Thanks for any insight.

(imported comment written by wustldz)

Updated code. I noticed there was a piece missing:

(if exists (key “HKEY_CURRENT_USERSPrinters\Connections” of registry) then (("") of (keys of key “HKEY_CURRENT_USERSPrinters\Connections” of registry)) else “No printer connections”)

(imported comment written by SystemAdmin)

wustldz wrote:

Updated code. I noticed there was a piece missing:

(if exists (key “HKEY_CURRENT_USERSPrinters\Connections" of registry) then ((”") of (keys of key "HKEY_CURRENT_USERSPrinters\Connections" of registry)) else “No printer connections”)

I am unclear about your second post, does this code now work for you?

(imported comment written by wustldz)

ChrisLuther wrote:

wustldz wrote:

Updated code. I noticed there was a piece missing:

(if exists (key “HKEY_CURRENT_USERSPrinters\Connections" of registry) then ((”") of (keys of key "HKEY_CURRENT_USERSPrinters\Connections" of registry)) else “No printer connections”)

I am unclear about your second post, does this code now work for you?

The code still does not work. I did the second post because the then part of the relevance was stripped out because I failed to use the code markup. Here is the relevance I’m trying to use.

(if exists (key "HKEY_CURRENT_USERSPrinters\Connections\" of registry) then (("[-HKEY_CURRENT_USERS\Printers\Connections\" & name of it & "]") of (keys of key "HKEY_CURRENT_USERSPrinters\Connections\" of registry)) else "No printer connections")

Thanks for the help.

(imported comment written by SystemAdmin)

The Fixlet Debugger runs under the security context of the logged in user (i.e., you), BUT the BESClient service runs under the LocalSystem security context. Since any analysis will also be evaluated under the LocalSystem context, and because there is no guarantee that the HKCU registry hive is actually loaded when the analysis is evaluated by the client, it could be expected that “No printer connections” is returned.

Have you looked into using "current user key of " object? The description is:

On 2000/2003/XP/Vista, this Inspector returns RegOpenCurrentUser. Under NT4, it uses HKEY_USERS<sid>. On these systems, the Inspector may fail if run in a non-privileged context. Under Windows 9x, it returns HKEY_USERS<username> if it exists. Otherwise it uses HKEY_USERS\Default. CAUTION: This Inspector will produce errors when run on a terminal server where a user has logged off but there is a ‘keep alive’ setting on the user session. This is because there is technically a logged-on user but that user’s Current User registry hive is not loaded. To avoid this issue, use a qualifying ‘whose’ statement: current user keys (logged on users whose (active of it)) of registry

There is also a “Logged on User” object, which reads:

These Windows and Macintosh Inspectors return information about the currently logged-on user. With the advent of Terminal Services and Fast User Switching, these Inspectors are designed to iterate over all logged on users.

• Windows Note: If Terminal Services are available (NT/2000/2003/XP/Vista) and enabled, these Inspectors iterate over the active and disconnected sessions as returned by WTSEnumerateSessions. Disconnected sessions are those where a user logs on, but is currently inactive. On Vista, the non-interactive session 0 (used for services isolation) is not included. If Terminal Services aren’t available, the ACLs on the security descriptor of the “winsta0” window station are examined for user logons. On Windows 9x systems, these Inspectors return the user session associated with the registry value “Current User” of “SYSTEM\CurrentControlSet\Control” if it exists. Otherwise, if a shell process such as Explorer.exe is running, they return a single session associated with an unnamed user (which occurs when the user cancels the 9x login dialog).

So in other words, make the analysis property only return information if a user is currently logged on, otherwise return an empty string or something other than “No printer connections”.

If you look in http://support.bigfix.com/fixlet/documents/Windows%20Inspectors%2081_110706.pdf you will find more information on these objects.
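One way to write the property along the lines of the reply above, as an added example that is not code from any of the posters. It assumes the subkey path Printers\Connections relative to each user's hive and uses the active-session filter quoted from the Inspector description. It returns an empty string when no active user is logged on, so the result does not depend on whether an HKCU hive happens to be loaded for LocalSystem:

```relevance
if (exists logged on users whose (active of it))
then (concatenation "; " of names of keys of keys "Printers\Connections" of current user keys (logged on users whose (active of it)) of registry)
else ""
```

With more than one active session, the names from every active user's hive are joined into the single result string.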