Registry query relevance

liorme · November 4, 2020, 3:02pm

i’ve made an analysis with this relevance :

under property i’ve added : ( not exists key “HKEY_LOCAL_MACHINE\Software\key name” of registry

and under the relevance i’ve added os with win7 and win10

the analysis lists all of my computers, even ones that does have this registry key. what am i doing wrong?

cmcannady · November 4, 2020, 3:04pm

@liorme, you would need to add relevance to your analysis to exclude endpoints that do no have the registry key in question.

liorme · November 4, 2020, 3:07pm

how do i do that please?

cmcannady · November 4, 2020, 3:14pm

@liorme, you would add a relevance statement that an endpoint would require the key in question to be applicable.

exists key “HKEY_LOCAL_MACHINE\Software\key name” of registry

If you want examples to draw inspiration from, please checkout BigFix.me.

liorme · November 4, 2020, 3:46pm

but i want that the analysis will list computers without this key

is it not what i did? not exists key “HKEY_LOCAL_MACHINE\Software\key name” of registry

cmcannady · November 4, 2020, 3:49pm

@liorme, your 1st post stated:

which differs from your last post. Can you please review and confirm your direction?

liorme · November 4, 2020, 4:04pm

let me give you the full scenario, maybe i’m wrong with my approach.

i have an application to install, which is an exe files with some switches such as /d /quiet /key:xxx and so on.

i iave 1 exe for workstations and 1 for servers

so in order to detect if the program is installed, i’ve selected registry for query

so i need bigfix to :

query workstations/servers (1 “job” for each type) that doesn’t have a certain registry key
will not automate the install but let me install manually by bigfix

so let’s say that bigfix found 100 workstations that doesn’t have this registry key. i need to be able to push the app to them, by manually select them from the list and take action

cmcannady · November 4, 2020, 4:18pm

@liorme, I would likely create a single fixlet with multiple actions, but having two distinct fixlets would allow for use of the following relevance to delineate between workstations:

((select (“ProductType from Win32_OperatingSystem”) of WMI) as string contains “1”)

and servers:

((select (“ProductType from Win32_OperatingSystem”) of WMI) as string contains “2”) OR ((select (“ProductType from Win32_OperatingSystem”) of WMI) as string contains “3”)

I would utilize prefetch items and action parameter query in order to download the required binaries and to populate the registration key and any other options for the install process.

Using the not exists for the registry key in question. For more details on interrogating registry keys, please refer to the documentation.

JasonWalker · November 4, 2020, 4:19pm

Ahh, so you want the property to show both True and False results, but you are getting a lot more True than expected?

I believe you may be having a problem with 32-bit redirection. For legacy support reasons, the ‘registry’ inspector defaults to 32-bit registry hives - so instead of checking HKLM\Software, it’s actually checking HKLM\Software\Wow6432Node. Try the 'native registry’s inspector instead -

not exists key "HKEY_LOCAL_MACHINE\Software\key name" of native registry

JasonWalker · November 4, 2020, 4:20pm

Further, rather than creating Analysis properties, the common case would be to add this to your Fixlet/Task Relevance - so only computers missing the key will show up as Relevant for the task.

MMosley · November 4, 2020, 4:40pm

you could also use,

not exists keys “HKEY_LOCAL_MACHINE\Software\key name” of (x32 registries;x64 registries)