Relevance Expression for GoToAssist Analysis

Hi guys,
Wondering if someone could point out my error here.

I’m creating an analysis to return the version of Citrix GoToAssist installed.

I’ve created the first part which returns the registry values (see screenshot). Trouble is that when the software is upgraded it appears to leave old keys behind. I’d like to get the most recent key but when I inspect the GoToAssist Express Customer (to try and remove the old result), it fails.

Try with “unique values” instead of “values” in the beginning of your relevance.

Unique values would work in the case in the image but not all keys have the same DisplayName. Some have two unique values so both would be returned.

I would like to know if anyone can tell me what’s wrong with the key name that I’ve added using the full key path.

@DragonAsh_82 try to add (x32 registries; x64 registries) at the end? Looks like you are referring to a 64-bit registry path (Wow6432node).

Actually, anything below Wow6432Node is the 32-bit registry path on a 64-bit host, so “x32 registry” is the correct inspector to use.

For a posting like this, doing a copy/paste (with the Code tags) is more convenient for quoting, rather than a screen snapshot. It would make explaining this much easier, so here’s your relevance statement -

q: value "displayname" of key whose (value "displayname" of it as string contains "GoToAssist") of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GoToAssist Express Customer" of x32 registry
E: Singular expression refers to nonexistent object.

You talk about the fact that there are duplicate keys, and that’s true, but this error message is not about plural results, it’s about a nonexistent object.
So drilling into your query, you’re checking for a key path of “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GoToAssist Express Customer”, and then looking for a subkey of it with a DisplayName value of “GoToAssist”.

So, you have a little bit of a mess, between looking in the wrong key, and also not handling the plurals that are going to come up when you hit the right parent key.

I think what you’re looking for is

q: values "displayname" of keys whose (value "displayname" of it as string starts with "GoToAssist" of keys "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of x32 registry

Here, we use “HKLM…\Uninstall” as the key that may contain subkeys for GoToAssist; and plurals for “keys” and “Values”. I also use “starts with” rather than “contains” when looking for GoToAssist. “starts with” is more efficient than “contains” if the match is going to be at the start of the string.

Thanks for your reply Jason but what I’m asking for is to specifically query the “GoToAssist Express Customer” parent key as this is the one that contains the most recent version as its DisplayName.

The screenshot was included as it shows that the registry location does exist on the machine I’m running the qna on (apologies as I should probably have explained this).

Your query should be:

q: values "displayname" of keys whose (value "displayname" of it as string starts with "GoToAssist") of keys "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of x32 registry

for it to work. This however doesn’t provide the most recent version and still provides both results, thus not what I’m trying to achieve by returning a single, most recent version of the install.

Oh, ok then.

values "displayname" of keys "hklm\software\microsoft\windows\currentversion\gotoassist express customer" of x32 registry

Since you already know the full pathname of the key, you don’t need to search through subkeys, you can just retrieve the displayname directly.

Thanks Jason but this is where it’s failing.

I must be just being a gumby because when I try the above it gives me the error of it not existing.

If I try another \uninstall\parent key that has no spaces in the name of the key it works fine but just will not return for this one, which is why I think I’m doing something incorrectly.

q: value "displayname" of key "hklm\software\microsoft\windows\currentversion\gotoassist express customer" of x32 registry
E: Singular expression refers to nonexistent object.

q: value "displayname" of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FormatFactory" of x32 registry
A: FormatFactory
T: 0.115 ms

Looks like the Uninstall branch is missing. Try

q: value "displayname" of key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\GoToAssist Express Customer" of x32 registry

That’d be it.

Far simpler than what I was trying to do.

Much appreciated guys.

Thanks, I was just about to reply the same. Sorry, I did my earlier response from my phone and didn’t have the debugger around.
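
To cross-check on a test machine what the relevance in this thread returns, the same 32-bit Uninstall view can be read with PowerShell. This is an added example, not code from the thread; it assumes the installer also writes the standard DisplayVersion value, which the thread does not mention, and uses it to pick out leftover keys from earlier installs.

```powershell
# Added example: list Uninstall entries in the 32-bit registry view
# (the data "x32 registry" inspects; stored under Wow6432Node on a 64-bit host).
$prefix = 'GoToAssist'   # DisplayName prefix taken from the thread
$path   = 'Software\Microsoft\Windows\CurrentVersion\Uninstall'

$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry32)
$uninstall = $hklm.OpenSubKey($path)
if ($null -eq $uninstall) { throw "Key not found: HKLM\$path (32-bit view)" }

$entries = foreach ($name in $uninstall.GetSubKeyNames()) {
    $sub = $uninstall.OpenSubKey($name)
    if ($null -eq $sub) { continue }
    # A missing DisplayName becomes an empty string and never matches.
    $display = [string]$sub.GetValue('DisplayName')
    if ($display.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
        # Assumption: the installer writes DisplayVersion; stale keys may lack it.
        $raw    = [string]$sub.GetValue('DisplayVersion')
        $parsed = $null
        [void][version]::TryParse($raw, [ref]$parsed)   # stays $null if unparseable
        [pscustomobject]@{
            KeyName        = $name
            DisplayName    = $display
            DisplayVersion = $raw
            Parsed         = $parsed
        }
    }
    $sub.Close()
}
$uninstall.Close()
$hklm.Close()

# Every matching key, leftovers from earlier installs included
$entries | Sort-Object Parsed -Descending |
    Format-Table KeyName, DisplayName, DisplayVersion

# The single entry with the highest parseable version
$entries | Where-Object { $_.Parsed } |
    Sort-Object Parsed -Descending | Select-Object -First 1
```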