Relevance Discrepant with Debugger

(imported topic written by SystemAdmin)

Hello All, I have had a problem with some task relevances that I hope someone can help with. These relevances are failing to reconcile with debugger results. The current task I am working on is a very straightforward change to the registry value:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache

“Persistent”.

I have built a task with relevance: (name of operating system = "Win2003") AND (value "Persistent" of key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache" of registry is 1)

However, systems that have this exact value set to 1 are not coming up in the “Applicable Computers” tab. Also, if I paste that expression into the debugger on the target system it too yields the correct result as “True.”

I have created an analysis that corroborates what the relevance is doing indicating an error for this value. The error is “Singular Expression Refers to Nonexistent Object.” The analysis appears to be failing to even detect the existence of the value. However, I believe the analysis issue is simply a deficiency in the data that is available to this function, since I have been told that analyses results will not necessarily correspond with debugger results.

Any help with this will be greatly appreciated. Thanks and Happy Holidays!

(imported comment written by jessewk)

Welcome to the forum 13roadway!

The problem is that the action debugger runs in user context but the client runs in system context so HKCU is different when you are running using the action debugger vs. when the client runs the task.

Please see this thread on dealing with the HKCU branch: http://forum.bigfix.com/viewtopic.php?id=1909

Jesse
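
The context difference described above, as an added PowerShell example that is not part of the original thread or of BigFix's own tooling: it prints the account the current process runs as, what HKCU resolves to for that account, and the same value in each user hive loaded under HKEY_USERS. For a process running as Local System, HKCU is the S-1-5-18 hive, so the output differs between a normal prompt and a Local System prompt. The function name Get-CacheValue is hypothetical.

```powershell
# Added example: compare what HKCU means for this process with the
# per-user hives currently loaded under HKEY_USERS.
$subKey    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache'
$valueName = 'Persistent'

# Identity of the current process. Local System is SID S-1-5-18.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Running as {0} ({1})" -f $me.Name, $me.User.Value

# Hypothetical helper: read one value, reporting why it is unavailable.
function Get-CacheValue {
    param([Microsoft.Win32.RegistryKey]$Root, [string]$Path, [string]$Name)
    try   { $key = $Root.OpenSubKey($Path) }
    catch { return '<access denied>' }
    if ($null -eq $key) { return '<key missing>' }
    try {
        $v = $key.GetValue($Name, $null)
        if ($null -eq $v) { '<value missing>' } else { $v }
    } finally { $key.Close() }
}

# What a relevance expression against HKCU would see in this context.
"HKCU for this process: {0}" -f (Get-CacheValue ([Microsoft.Win32.Registry]::CurrentUser) $subKey $valueName)

# The same value in every loaded user hive, keyed by SID.
$hku = [Microsoft.Win32.Registry]::Users
foreach ($sid in $hku.GetSubKeyNames()) {
    # Keep real account hives; skip .DEFAULT and the *_Classes hives.
    if ($sid -notmatch '^S-1-5-(18|19|20|21-[\d-]+)$') { continue }
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $account = '<unresolved>' }
    "{0,-48} {1,-30} {2}" -f $sid, $account, (Get-CacheValue $hku "$sid\$subKey" $valueName)
}
```

Only hives of logged-on users (and the service accounts) are loaded under HKEY_USERS, and reading other users' hives requires administrative rights.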

(imported comment written by SystemAdmin)

Thanks Jesse for the quick response. From the information on the referenced post, it looks like I should be able to tweak my relevance to get it working.

Joe

(imported comment written by SystemAdmin)

On a related note, I googled a way to spawn a debugger instance as the Local System. Queries in this debugger match the analyses results.

The commands below will open a command prompt as Local System. In turn, anything opened through this prompt will use the Local System account.

sc create testsvc binpath= "cmd /K start" type= own type= interact

sc start testsvc

(imported comment written by SystemAdmin)

I forgot to cite this blog as the source for this trick: http://blogs.msdn.com/adioltean/articles/271063.aspx

(imported comment written by BenKus)

Hi Joe,

We have our own set of tricks for this too:

http://support.bigfix.com/cgi-bin/kbdirect.pl?id=484

Ben