Question concerning regdelete for hkey_current_user

(imported topic written by SystemAdmin)

Hi All,

I created the following action using information from the following post: http://forum.bigfix.com/viewtopic.php?id=11

regdelete "" "{names of values whose (it as string = "010000006e0000000000000063003a005c00700072006f006700720061006d002000660069006c00650073005c006d0073006e00200074006f006f006c006200610072002000730075006900740065005c006d0073006e007400620066006f0072006f00750074006c006f006f006b002e0064006c006c000000") of key "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems" of registry}"

When I run this in the action script debugger I get:

runtime error

Invalid Relevance Clause

Line 1

The reason for the last piece is that the binary value is consistent, but the value name is not, so what I need to do is to delete any value where the binary is the above.

I cannot see what I am doing incorrectly. Any help would be greatly appreciated.

Thanks

(imported comment written by jessewk)

The problem is that your relevance returns a plural result. If there is only ever one key with that value the solution is simple… just use ‘name of value’ instead of ‘names of values’.

If there could be multiple keys you want to delete, you’ll want to craft a .reg file using appendfile (or createfile) and then import the .reg. There is an example in this post:

http://forum.bigfix.com/viewtopic.php?id=1017

(imported comment written by SystemAdmin)

Hi Jesse,

I am not sure if that is the case. I changed the action to the following:

regdelete "" "1612A138"

I still receive the same error in the debugger. On the machine I am testing on, I am logged in as the current user and the value does exist. I spoke to the engineer in our company who requested this and that binary value, if present, should exist as a single instance under the user.

I also followed your recommendation of just using “name of value”

regdelete "" "{name of value whose (it as string = "010000006e0000000000000063003a005c00700072006f006700720061006d002000660069006c00650073005c006d0073006e00200074006f006f006c006200610072002000730075006900740065005c006d0073006e007400620066006f0072006f00750074006c006f006f006b002e0064006c006c000000") of key "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems" of registry}"

I still receive the same error.

The relevance for this piece would be the following:

name of operating system = "WinXP" and (exist value whose (it as string = "010000006e0000000000000063003a005c00700072006f006700720061006d002000660069006c00650073005c006d0073006e00200074006f006f006c006200610072002000730075006900740065005c006d0073006e007400620066006f0072006f00750074006c006f006f006b002e0064006c006c000000") of key "Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems" of (key whose ((it = name of current user as lowercase OR it starts with name of current user as lowercase & "@" ) of (it as string as lowercase) of value "Logon User Name" of key "Software\Microsoft\Windows\CurrentVersion\Explorer" of it) of key "HKEY_USERS" of registry))

Which returns true on the machine I am testing on.

Thanks

Rob

(imported comment written by jessewk)

Ah, I think you need to use the same trick for the current user key in the value expression as you do in the key expression. So try this:

regdelete "" "{name of value whose (it as string = "010000006e0000000000000063003a005c00700072006f006700720061006d002000660069006c00650073005c006d0073006e00200074006f006f006c006200610072002000730075006900740065005c006d0073006e007400620066006f0072006f00750074006c006f006f006b002e0064006c006c000000") of key ("HKEY_USERS" & name of (key whose ((it = name of current user as lowercase OR it starts with name of current user as lowercase & "@" ) of (it as string as lowercase) of value "Logon User Name" of key "Software\Microsoft\Windows\CurrentVersion\Explorer" of it) of key "HKEY_USERS" of registry) & "Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems") of registry}"

Sorry I didn’t test it out… sitting in the car right now on my Mac.

Also, you might try actually running the action on a client instead of through the action debugger.

Jesse

(imported comment written by SystemAdmin)

Hi Jesse,

I ran what you suggested and I got the following in the BigFix Log:

Command failed (Relevance substitution failed) regdelete "" "{name of value whose (it as string = "010000006e0000000000000063003a005c00700072006f006700720061006d002000660069006c00650073005c006d0073006e00200074006f006f006c006200610072002000730075006900740065005c006d0073006e007400620066006f0072006f00750074006c006f006f006b002e0064006c006c000000") of key ("HKEY_USERS" & name of (key whose ((it = name of current user as lowercase OR it starts with name of current user as lowercase & "@" ) of (it as string as lowercase) of value "Logon User Name" of key "Software\Microsoft\Windows\CurrentVersion\Explorer" of it) of key "HKEY_USERS" of registry) & "Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems") of registry}" (fixlet 13380)

The action does not seem to be interpreting the relevance language. Is there anything else I can try?

Thanks

Rob

(imported comment written by jessewk)

Hi Rob,

The relevance is not evaluating correctly. I’m pretty sure the reason is we’re missing a backslash before “Software\Microsoft\Office…”.

Try this:

regdelete "" "{name of value whose (it as string = "010000006e0000000000000063003a005c00700072006f006700720061006d002000660069006c00650073005c006d0073006e00200074006f006f006c006200610072002000730075006900740065005c006d0073006e007400620066006f0072006f00750074006c006f006f006b002e0064006c006c000000") of key ("HKEY_USERS" & name of (key whose ((it = name of current user as lowercase OR it starts with name of current user as lowercase & "@" ) of (it as string as lowercase) of value "Logon User Name" of key "Software\Microsoft\Windows\CurrentVersion\Explorer" of it) of key "HKEY_USERS" of registry) & "\Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems") of registry}"

Also, is there a ‘current user’ logged on when you are running the action? You probably want to add ‘exists current user’ to your relevance. Also, what version of BES are you using? In 7.0 you might consider using ‘exists logged on user’. See here for a full discussion of the differences: http://forum.bigfix.com/viewtopic.php?id=1187

In particular, with the logged on user inspector it’s much easier to access the HKEY_CURRENT_USER branch of the registry.

-Jesse
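
Added example, not part of the original thread: a Python sketch of the approach discussed above, selecting values by their binary data rather than by name and building the .reg text suggested earlier for the case where several values match. The blob layout is inferred from the bytes quoted in the thread, and the SID and two of the value names are constructed.

```python
import struct

# REG_BINARY data quoted in the thread, as lowercase hex.
TARGET_HEX = (
    "010000006e0000000000000063003a005c00700072006f006700720061006d00"
    "2000660069006c00650073005c006d0073006e00200074006f006f006c00"
    "6200610072002000730075006900740065005c006d0073006e0074006200"
    "66006f0072006f00750074006c006f006f006b002e0064006c006c000000"
)
SUBKEY = r"Software\Microsoft\Office\11.0\Outlook\Resiliency\DisabledItems"

def decode_disabled_item(data):
    """Split the blob the way its bytes suggest (an inference, not a documented
    format): three little-endian DWORDs, then a NUL-terminated UTF-16LE path."""
    flag, length, _reserved = struct.unpack_from("<III", data, 0)
    path = data[12:12 + length].decode("utf-16-le").rstrip("\x00")
    return flag, length, path

def matching_value_names(values, target_hex):
    """Return the names of all values whose data equals the target bytes."""
    target = bytes.fromhex(target_hex)
    return sorted(name for name, data in values.items() if data == target)

def reg_delete_script(sid, names):
    """Build .reg text that deletes the named values under HKEY_USERS\\<sid>."""
    lines = ["Windows Registry Editor Version 5.00", "",
             "[HKEY_USERS\\%s\\%s]" % (sid, SUBKEY)]
    for name in names:
        escaped = name.replace("\\", "\\\\").replace('"', '\\"')
        lines.append('"%s"=-' % escaped)  # "name"=- removes a single value
    return "\r\n".join(lines) + "\r\n"

# Constructed sample: value name -> data, as read from one user's hive.
SAMPLE_VALUES = {
    "1612A138": bytes.fromhex(TARGET_HEX),  # value name quoted in the thread
    "7A3F00D2": bytes.fromhex(TARGET_HEX),  # constructed second match
    "5E2B90C1": bytes.fromhex("0100000002000000000000000000"),  # constructed, other data
}
SAMPLE_SID = "S-1-5-21-0-0-0-1001"  # constructed placeholder SID

if __name__ == "__main__":
    print(decode_disabled_item(bytes.fromhex(TARGET_HEX)))
    names = matching_value_names(SAMPLE_VALUES, TARGET_HEX)
    print(reg_delete_script(SAMPLE_SID, names))
```

Decoding the data shows which add-in DLL path the entry records, which makes the cleanup easier to verify on a test machine before deploying it.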

(imported comment written by SystemAdmin)

Thanks Jesse