Registry Key Checking

(imported topic written by AndyKay)

Hi, I am trying to create a piece of relevance which will check if a key either doesn’t exist or exists with a value of 1 - so far it seems to report “true” no matter what:

(exists keys "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" whose (exists values whose(name of it = "VersionCheckEnabled" AND it as string as lowercase = "00000001" as lowercase ) of it) of registry) or (not exists keys "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" whose(name of it = "VersionCheckEnabled") of registry)

Any thoughts?

Thanks

(imported comment written by Tim.Rice)

The HKEY_CURRENT_USER key branch of the registry is “special”. It’s actually an “alias” that points to the appropriate HKEY_USERS key.

The following came from …

https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Relevance%20Tips

Querying HKEY_CURRENT_USER branch of registry

Since the BigFix Agent runs as the SYSTEM account, when you write relevance that accesses the “HKEY_CURRENT_USER” branch of the registry, the agent will query the SYSTEM account’s HKCU rather than the logged in user’s HKCU (note that this is different from what you see in the Relevance Debugger, which will return results from the HKCU of your logged on user). To help query the local logged on users’ HKCU branch of the registry, there is an inspector “current user keys” that can be used:

Q: exists key "Software\BigFix" of current user keys (logged on users) of registry

A: True


(imported comment written by AndyKay)

Ah that makes sense!

Thanks for the explanation.
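To confirm outside BigFix what Tim.Rice's reply describes, the PowerShell below (an added example, not part of the original thread or of BigFix) evaluates the asker's condition, value absent or equal to 1, against every user hive loaded under HKEY_USERS instead of the HKCU of the account running it. The function name `Test-VersionCheckPolicy` is hypothetical, and the SID filter assumes local or domain accounts and a REG_DWORD value.

```powershell
# Added example, not from the thread. The key path and value name are the
# ones in the question; everything else is an assumption for illustration.
$SubKey    = 'Software\Microsoft\Windows\CurrentVersion\Policies\Ext'
$ValueName = 'VersionCheckEnabled'

function Test-VersionCheckPolicy {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Sid)

    # HKEY_USERS has no default PSDrive, so use a provider-qualified path.
    $path = "Registry::HKEY_USERS\$Sid\$SubKey"
    $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Key or value missing: the question treats this as acceptable.
        return [pscustomobject]@{ Sid = $Sid; State = 'Absent'; Compliant = $true }
    }

    $data = $item.$ValueName          # assumed REG_DWORD, so 1 compares as an integer
    [pscustomobject]@{
        Sid       = $Sid
        State     = "Present ($data)"
        Compliant = ($data -eq 1)
    }
}

# Only hives of logged-on users are loaded under HKEY_USERS. Keep SIDs that
# start with S-1-5-21- (assumed local/domain accounts); this skips the
# *_Classes hives and service accounts such as S-1-5-18 (SYSTEM).
$userSids = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Select-Object -ExpandProperty PSChildName |
    Where-Object { $_ -match '^S-1-5-21-[\d-]+$' }

# Show the SID of the account running this script; HKCU resolves to that
# account's hive, which is SYSTEM's when launched by an agent or service.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
"Running as $me; HKCU here is that account's hive, not the logged-on user's."

$userSids | ForEach-Object { Test-VersionCheckPolicy -Sid $_ } | Format-Table -AutoSize
```

Run it once from a normal session and once as SYSTEM: the per-user rows stay the same while the "Running as" line changes, which is the difference between the Relevance Debugger and the agent noted above.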