Registry Relevance Current User not working

Hello, everyone! How are you?

I’ve been trying to create relevance that checks for the existence of a value within a registry key in current keys.

What I’ve created is the relevance below that hasn’t been working, bringing the error “Error: Singular expression refers to nonexistent object.”

q: not (exists (value "Wallpaper" whose (it as string contains "company\Employees - Data\Wallpaper\wallpaper.png") of key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" of current user keys (logged on users) of registry))

On the other hand, I created the following one that works perfectly:

q: not (exists (keys "Software\Microsoft\Windows\CurrentVersion\Policies\System" of current user keys (logged on users) of registry))

What could I be doing wrong?

I also tried using this relevance, but regardless of anything, the return is always True:

q: not (exists key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" of current user keys (logged on users) of registry AND exists value "Wallpaper" whose (it as string contains "company\Employees - Data\Wallpaper\wallpaper.png") of key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" of current user keys (logged on users) of native registry)

Could someone help me with this?

Generally you should not try to set values in the current user registry key because the BigFix agent operates as the root user.

It can inspect the current user keys in some cases, but only if a user is logged in.

It is much better to use Local GPO to set the value for ALL users using BigFix, so that way all current users and all future users will get the configuration.

There are a few examples out there on BigFix.Me that do this.

It is generally best to try to inspect ALL user registry keys like this to detect if something is missing:

keys "Software\Microsoft\Windows\CurrentVersion\Policies" of keys of keys "HKEY_USERS" of registry

Examples:

I tried to use one of these forms you showed me. But it always returns true. What might I be doing wrong?

exists it whose( not exists values "WallPaper" whose("company\Employees - Data\Wallpaper\wallpaper.png" = it as string) of keys of keys "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" of it) of keys whose(name of it is contained by set of unique values of component strings of sids of users of (logged on users;current users) ) of keys "HKEY_USERS" of registries

This part is very much the opposite of what I was suggesting.

Don’t check for the existence of the non-existence of something. Instead, write the relevance such that it returns TRUE if the condition you want to be there exists, then put not in front.

Also, I recommend first writing the relevance such that it returns the real value from all keys as a reporting measure, and only then turn it into something true/false.

It also isn’t fully clear to me: what is the expected correct result that you want to be in place? What does an example registry entry look like?

I think this is more in line with what I would recommend:

not exists values "WallPaper" whose("company\Employees - Data\Wallpaper\wallpaper.png" = it as string) of keys "System" of keys "Software\Microsoft\Windows\CurrentVersion\Policies" of keys of keys "HKEY_USERS" of registry

but first, I would make sure that it actually returns the correct values when you query it, rather than trying to make it into a true/false check right away:

(multiplicity of it, it) of unique values of (it as string) of values "WallPaper" of keys "System" of keys "Software\Microsoft\Windows\CurrentVersion\Policies" of keys of keys "HKEY_USERS" of registry

Only once you can properly return the real raw values should you then add a whose filter to do a true/false check for if the configuration you want is present. If the relevance doesn’t correctly return the raw values, then the whose filter will never work.

Basically, you want to set an example system to have the correct configuration, then write relevance to read back that configuration, then add not exists in front to then detect when that correct configuration is NOT present. Then on your test system you can delete the correct configuration and then attempt to set it with BigFix.

Hello,

I’ve tested the relevance below in various scenarios:

not exists values "WallPaper" whose("company\Employees - Data\Wallpaper\wallpaper.png" = it as string) of keys "System" of keys "Software\Microsoft\Windows\CurrentVersion\Policies" of keys of keys "HKEY_USERS" of registry

However, it always returns “True” for me. I’ve tried deleting the registry key, tested it with the registry key created, with and without the “Wallpaper” value, but in all these scenarios, it still returns “True”.

In the test you provided:

(multiplicity of it, it) of unique values of (it as string) of values "WallPaper" of keys "System" of keys "Software\Microsoft\Windows\CurrentVersion\Policies" of keys of keys "HKEY_USERS" of registry

The value is returned perfectly. So what could be the issue?

Thank you in advance for your help!

Are you sure you have the exact string matched? The comparison is case-sensitive.

For some more insight, try

(multiplicity of it, it, it as string = "company\Employees - Data\Wallpaper\wallpaper.png") of unique values of (it as string) of values "WallPaper" of keys "System" of keys "Software\Microsoft\Windows\CurrentVersion\Policies" of keys of keys "HKEY_USERS" of registry

Hello,

I am sure! The string is correct.

The test:

(multiplicity of it, it) of unique values of (it as string) of values "WallPaper" of keys "System" of keys "Software\Microsoft\Windows\CurrentVersion\Policies" of keys of keys "HKEY_USERS" of registry

and the test:

(multiplicity of it, it, it as string = "company\Employees - Data\Wallpaper\wallpaper.png") of unique values of (it as string) of values "WallPaper" of keys "System" of keys "Software\Microsoft\Windows\CurrentVersion\Policies" of keys of keys "HKEY_USERS" of registry

return the value company\Employees - Data\Wallpaper\wallpaper.png

Work perfectly, returning 2, C:\company\Employees - Data\Wallpaper\wallpaper.png, False

The “False” at the end means that the string it found in the registry does not match the string you’re comparing.
We really can’t tell unless you post the real query and answers here, but obviously you have good reason to obfuscate company names & such… But something in your comparison string is wrong. It may be a capitalization, or an extra space, or something; but that “False” in the query says the string in the Registry does not match the string you are comparing.

Edit: unless you’re not obfuscating, if these are the literal values, then your comparison string is missing the "C:\" at the front.

Hello,

Actually, I did mask the string. But I ended up realizing the issue, I believe.

Instead of checking for the exact existence of that string, I would like to verify some values within the string, given that parts of the string are mutable according to the machine user.

For example, on my machine, the string is:

“c:\beatriz.murta\company\Employees - Data\Wallpaper\wallpaper.png”

and on another person’s machine, it could be:

“c:\another.person\company\Employees - Data\Wallpaper\wallpaper.png”

With that in mind, how could I check if a fragment of this string exists on the machine?

I tried to use this relevance:

not exists values "WallPaper" whose (it as string contains "company\Employees - Data\Wallpaper\wallpaper.png" = it as string) of keys "System" of keys "Software\Microsoft\Windows\CurrentVersion\Policies" of keys of keys "HKEY_USERS" of registry

But the following message appeared:

“It” used outside of “whose” clause.

And I also tried to use the following relevance:

not exists values "WallPaper" whose (it as string contains "company\Employees - Data\Wallpaper\wallpaper.png") of keys "System" of keys "Software\Microsoft\Windows\CurrentVersion\Policies" of keys of keys "HKEY_USERS" of registry

But the following message appears:

This expression could not be parsed.

That last query works for me…

q: not exists values "WallPaper" whose (it as string contains "company\Employees - Data\Wallpaper\wallpaper.png") of keys "System" of keys "Software\Microsoft\Windows\CurrentVersion\Policies" of keys of keys "HKEY_USERS" of registry
A: True
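
Added example, not part of any post in this thread: the report-first, then-filter procedure recommended above, written as three Fixlet Debugger queries that run in order. It assumes the masked path fragment used in the thread (lowercased here) and applies `as lowercase` to the registry value so the `contains` test ignores case; the `/* */` comments are annotations added for this example.

```relevance
q: /* 1. Report: raw WallPaper policy value for each loaded user hive, as (hive name, value). Hives without the value produce no row. */ (name of it, (it as string) of values "WallPaper" of keys "System" of keys "Software\Microsoft\Windows\CurrentVersion\Policies" of it) of keys of keys "HKEY_USERS" of registry

q: /* 2. Per-hive check: True/False for every loaded hive, so a non-compliant hive is visible by name. */ (name of it, exists values "WallPaper" whose (it as string as lowercase contains "company\employees - data\wallpaper\wallpaper.png") of keys "System" of keys "Software\Microsoft\Windows\CurrentVersion\Policies" of it) of keys of keys "HKEY_USERS" of registry

q: /* 3. Fixlet relevance: True only when no loaded hive holds a matching value. */ not exists values "WallPaper" whose (it as string as lowercase contains "company\employees - data\wallpaper\wallpaper.png") of keys "System" of keys "Software\Microsoft\Windows\CurrentVersion\Policies" of keys of keys "HKEY_USERS" of registry
```

HKEY_USERS only holds hives that are currently loaded, so the third query becomes False as soon as any one loaded hive has a matching value; the second query shows which hives do not.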