Registry Check through BigFix

How to check whether these keys are already present using BigFix Relevance

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
  "FeatureSettingsOverride"=dword:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
  "FeatureSettingsOverrideMask"=dword:3

Thanks in advance!!

Hello All,

I have created the relevance and it is working fine. In case anybody needs the same, they can utilize the one below.

Q:((value "FeatureSettingsOverride" of it as string as version = "0") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of native registry)
A: True
T: 0.152 ms

Q:((value "FeatureSettingsOverrideMask" of it as string as version = "3") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of native registry)
A: True
T: 0.148 ms

I implemented the Relevance through an Analysis for all the Windows endpoints, but for a few of the endpoints I am getting the output as "error".
Can anyone please help me understand what this exactly means?

If the Key doesn’t exist you’ll get an error. You need a construct that checks to see if the Key exists then if the Value exists within it. THEN you can reliably compare the VALUE of it.

Try something like this to return the Value of the Registry if it exists or a blank value if it doesn’t …

IF (exists Key "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" whose (exists value "FeatureSettingsOverrideMask" of it) of Native Registry) THEN (Value "FeatureSettingsOverrideMask" of Key "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of Native Registry) ELSE (NOTHING)


Well, you're going to get that error if you're referring to a non-existent object, and, like Tim suggested, always wrap it up with an if-else statement to avoid those errors.

I disagree. I don’t use If/then/else, I instead use plural relevance:

exists values "FeatureSettingsOverride" whose(it as string as version = "0") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of native registry

exists values "FeatureSettingsOverrideMask" whose(it as string as version = "3") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of native registry

Alternative relevance, without plurals, and the preferred method vs. if-then-else:

exist key "Memory Management" whose (value "FeatureSettingsOverride" as string as version = "0") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of native registry

That could still result in a singular expression error if the key existed but the value did not.

I would personally universally recommend using plurals to avoid singular expression errors as opposed to multiple exists statements, but if you wanted to use exists you’d be better off doing

exist key "Memory Management" whose (exist value "FeatureSettingsOverride" whose (it as string as version = "0") of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of native registry

Personally, my money is on the plural path, as JGStew already provided an example for:


The general expression “exists key whose (boolean expression) of key of registry” will always return a true/false value, unless the second “key” in the above does not exist.

The plurals from jgstew don't help any when using the "exist" operator. All you need is one to exist for it to be true.


Good point.

That being said, you did miss an "of it" in your original statement. It has to be the following to work:

exist key "Memory Management" whose (value "FeatureSettingsOverride" of it as string as version = "0") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of native registry

The uncertainty regarding the second key is part of the reason why I prefer plurals. I also think it’s easier to read.

exist key "y" whose (value "x" of it = "a") of key "z" of registry

vs

exists values "x" whose (it = "a") of keys "y" of registry

To my mind, the latter just reads a lot easier. Relevance is already complicated enough.


I provided 2 separate statements; if you want both to definitely exist with that config, then it would be combined as:

( exists values "FeatureSettingsOverride" whose(it as string as version = "0") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of native registry ) AND ( exists values "FeatureSettingsOverrideMask" whose(it as string as version = "3") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of native registry )

Which is just mashing them both together with an AND statement, which wouldn’t be as efficient as checking them both in a single relevance statement:

exists values "FeatureSettingsOverride" whose(it as string as version = "0") of keys "Memory Management" whose(exists values "FeatureSettingsOverrideMask" whose(it as string as version = "3") of it) of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of native registry

This is a slightly more efficient combination because if one is not satisfied, then it will be false sooner. It is only true if both exist and are set to the values specified.


I like your solutions, but I'm having some trouble making it a negative. I just put NOT before the two EXISTS, thinking that would make the relevance true if either entry were missing.

It seems to be true for all systems, so I messed something up. Before the NOTs were put in it was working correctly.

EDIT: I believe this is working:
NOT exists values "FeatureSettingsOverrideMask" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of native registry

I decided I didn't really care what the values were, and if one key is missing that would mean I need to run the fixlet in any event, so I simplified it a great deal. But I'm still in testing mode...

You would get the NOT by doing:

not exists values "FeatureSettingsOverride" whose(it as string as version = "0") of keys "Memory Management" whose(exists values "FeatureSettingsOverrideMask" whose(it as string as version = "3") of it) of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of native registry

That is true, but the single combined statement doesn’t have that issue.

exists ? AND exists ? would be made into a negation by doing not exists ? OR not exists ? by De Morgan's laws: De Morgan's laws - Wikipedia (which just states that when negating logic, AND becomes OR and vice versa), so that not (exists ? AND exists ?) is equivalent to not exists ? OR not exists ?

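As an added example, not code from any post in this thread: the same two-value check written in PowerShell, for confirming on a single endpoint what the combined Relevance statement above evaluates, with the "needs the fixlet" negation handled the way the last posts describe. The key path and value names are the thread's; the function name, parameter names and output shape are my own.

```powershell
# Added example (not from the thread). Returns an object whose Compliant field is
# $true only when the key exists and both values are present with the expected data.
function Test-FeatureSettingsOverride {
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management',
        [int]$ExpectedOverride = 0,
        [int]$ExpectedMask = 3
    )

    # Missing key: Get-ItemProperty would throw, so test for it first. This is the
    # PowerShell counterpart of guarding with "exists key ... whose (...)" in Relevance.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ Compliant = $false; Reason = 'key missing' }
    }

    $props  = Get-ItemProperty -LiteralPath $KeyPath
    $result = [ordered]@{ Compliant = $false; Reason = '' }

    foreach ($pair in @(
        @{ Name = 'FeatureSettingsOverride';     Expected = $ExpectedOverride },
        @{ Name = 'FeatureSettingsOverrideMask'; Expected = $ExpectedMask }
    )) {
        # Distinguish "value absent" from "value present and equal to 0": the expected
        # FeatureSettingsOverride data is 0, which is falsy, so look the property up by
        # name instead of testing the value's truthiness.
        $prop = $props.PSObject.Properties[$pair.Name]
        if ($null -eq $prop) {
            $result.Reason = "$($pair.Name) missing"
            return [pscustomobject]$result
        }
        if ([int]$prop.Value -ne $pair.Expected) {
            $result.Reason = "$($pair.Name) is $($prop.Value), expected $($pair.Expected)"
            return [pscustomobject]$result
        }
    }

    $result.Compliant = $true
    $result.Reason    = 'both values present with expected data'
    return [pscustomobject]$result
}

# "Needs the fixlet" is the negation of Compliant. By De Morgan, NOT (A AND B) is
# (NOT A) OR (NOT B), which is exactly what the per-value early returns above give:
# any single missing key, missing value or wrong data flips the result to non-compliant.
$check = Test-FeatureSettingsOverride
$needsRemediation = -not $check.Compliant
'Compliant={0} Reason={1} NeedsRemediation={2}' -f $check.Compliant, $check.Reason, $needsRemediation
```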