Registry Export with Date Timestamp

I am trying to create a task that will export all of HKLM in the Windows registry to a file with the current date. When it creates the file, instead of creating it as 23.02.2023_HKLM_Backup.reg.bak, it creates it as "((first 2 of it &"."& (last 3 of first 6 of it as month as two digits) &"."& last 4 of first 11 of it) of (last 17 of first 22 of (now as string)))_HKLM_Backup.reg.bak". Can someone enlighten me on how to modify this action so that it only puts the actual date into the file name?

// Define the backup directory
parameter "backup_directory" = "C:\RegistryBackups"

// Create the backup directory if it doesn't already exist
if {not exist folder (parameter "backup_directory")}
waithidden cmd /c "mkdir {(parameter "backup_directory")}"
endif

// Define the date as a file name
parameter "datefilename" = "(((first 2 of it &"."& (last 3 of first 6 of it as month as two digits) &"."& last 4 of first 11 of it) of (last 17 of first 22 of (now as string)))"

// Define the filename for the backup
parameter "backup_filename" = "{parameter "datefilename"}_HKLM_Backup.reg.bak"

// Define the full path for the backup file (directory, path separator, file name)
parameter "backup_filepath" = "{parameter "backup_directory"}\{parameter "backup_filename"}"

// Define the command to export the registry to the backup file
parameter "export_command" = "reg export HKEY_LOCAL_MACHINE %22{parameter "backup_filepath"}%22 /y"

// Run the export command
waithidden cmd.exe /C "{parameter "export_command"}"

The ‘parameter’ statement isn’t using a relevance substitution - you need the curly brackets.

parameter "datefilename" = "(((first 2 of it &"."& (last 3 of first 6 of it as month as two digits) &"."& last 4 of first 11 of it) of (last 17 of first 22 of (now as string)))"

Should be

parameter "datefilename" = "{(((first 2 of it &"."& (last 3 of first 6 of it as month as two digits) &"."& last 4 of first 11 of it) of (last 17 of first 22 of (now as string)))}"

(Also some doublequotes that need to be fixed, but I can’t tell on my phone)

Yeah, I tried that, but then Q&A reports back “Relevance clauses must be surrounded by { and } guards.”

If I don’t include the curly brackets, it at least generates the file.

Then the relevance statement itself has a problem (likely because you’re casting now as string and then trying to pull months out of it? Or maybe parentheses?)

First try it (without curly brackets) in the ‘Single Clause’ tab of Fixlet Debugger; then (with curly brackets) in the Action tab with the parameter statement

Yeah, the “Single Clause” tab shows you have too many open-parentheses at the front

Corrected version:

((first 2 of it &"."& (last 3 of first 6 of it as month as two digits) &"."& last 4 of first 11 of it) of (last 17 of first 22 of (now as string)))

YES!!! That and the squiggly brackets makes it functional. Thanks!

Now I can complicate it a little more. I’ll post my final script here in case it is useful to someone else that wants to back up the registry before making some OS hardening changes.


This was my final action script:

// Define the backup directory
parameter "backup_directory" = "C:\RegistryBackups"

// Create the backup directory if it doesn't already exist
if {not exist folder (parameter "backup_directory")}
waithidden cmd /c "mkdir {(parameter "backup_directory")}"
endif

// Define the date as a file name
parameter "datefilename" = "{((first 2 of it &"."& (last 3 of first 6 of it as month as two digits) &"."& last 4 of first 11 of it &"_"& first 2 of it &"."& last 2 of last 5 of it) of (last 17 of first 22 of (now as string)))}"

// Define the filename for the backup
parameter "backup_filename" = "{parameter "datefilename"}_HKLM_Backup.reg.bak"

// Define the full path for the backup file (directory, path separator, file name)
parameter "backup_filepath" = "{parameter "backup_directory"}\{parameter "backup_filename"}"

// Define the command to export the registry to the backup file
parameter "export_command" = "reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ %22{parameter "backup_filepath"}%22 /y"

// Run the export command
waithidden cmd.exe /C "{parameter "export_command"}"

// Define the filename for the second backup
parameter "backup_filename2" = "{parameter "datefilename"}_SSL_Backup.reg.bak"

// Define the full path for the second backup file (directory, path separator, file name)
parameter "backup_filepath2" = "{parameter "backup_directory"}\{parameter "backup_filename2"}"

// Define the command to export the registry to the second backup file
parameter "export_command2" = "reg export HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\ %22{parameter "backup_filepath2"}%22 /y"

// Run the second export command
waithidden cmd.exe /C "{parameter "export_command2"}"


So that works wonderfully in Fixlet Debugger when run from ‘Action’.

Getting it to run as a fixlet appears to be a new challenge. I’m seeing (Exit Code=1) in the BES Client log, for both of the “waithidden cmd.exe…” commands in my action script. No files generated whatsoever.

If I take it down to only one “waithidden cmd.exe…” command, it does not help.

Back to the drawing board. Any suggestions are welcome.

Nevermind… I had some %22 entries in my script. Fixlet debugger overlooks them, but they fail when included with the command that BigFix executes. Removed them and I’m good to go.


Any 64-bit devices?

You might want to add action uses wow64 redirection {not x64 of operating system} near the top of the script.

Without it you may be just running the 32-bit version of reg.exe and only exporting the 32-bit registry hive.


I forgot to thank you for this reminder trn
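
Added example, not code from any poster in this thread: one action script that combines the fixes discussed above (relevance inside { } guards, the balanced date expression, plain double quotes instead of %22, a path separator, and the wow64 redirection line). The `continue if` checks and the parameter names `schannel_backup` and `ssl_backup` are assumptions added here so the action fails visibly when an export produces no file.

```bigfix
// Added example; parameter names schannel_backup and ssl_backup are hypothetical.

// On 64-bit Windows, turn off WOW64 redirection so the 64-bit cmd.exe/reg.exe
// and the 64-bit registry view are used (the suggestion made in the thread).
action uses wow64 redirection {not x64 of operating system}

// Backup directory (same path the thread uses)
parameter "backup_directory" = "C:\RegistryBackups"

// Create the backup directory if it does not exist yet
if {not exists folder (parameter "backup_directory")}
waithidden cmd.exe /C mkdir "{parameter "backup_directory"}"
endif

// Date as dd.mm.yyyy: the corrected expression from the thread, inside { } guards
parameter "datefilename" = "{((first 2 of it &"."& (last 3 of first 6 of it as month as two digits) &"."& last 4 of first 11 of it) of (last 17 of first 22 of (now as string)))}"

// Full paths of the two export files (directory, backslash, file name)
parameter "schannel_backup" = "{parameter "backup_directory"}\{parameter "datefilename"}_HKLM_Backup.reg.bak"
parameter "ssl_backup" = "{parameter "backup_directory"}\{parameter "datefilename"}_SSL_Backup.reg.bak"

// Export the SCHANNEL key with plain double quotes (no %22)
waithidden cmd.exe /C reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" "{parameter "schannel_backup"}" /y

// Added check: stop the action here unless the export file exists and is non-empty
continue if {exists file (parameter "schannel_backup") whose (size of it > 0)}

// Export the SSL policy key the same way
waithidden cmd.exe /C reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL" "{parameter "ssl_backup"}" /y

// Added check: same verification for the second export file
continue if {exists file (parameter "ssl_backup") whose (size of it > 0)}
```

If one of the keys is not present on an endpoint, `reg export` writes no file and the matching `continue if` fails the action, so a missing backup shows up in the action status before any hardening change is applied.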