Relevance for Current User setting

(imported topic written by flayofish91)

Hello,

Trying to make sure I do this correctly. I setup a fixlet to remove a malicious registry setting.

Here is the exact relevance code:

(exists x32 registry AND NOT exists x64 registry) AND (name of operating system = "WinXP" OR name of operating system = "WinXP-2003") AND values "StartMenuLogoff" of keys "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" of current user keys (logged on users) of registry

Here is the action code:

action uses wow64 redirection false

delete __createfile

delete deletestartmenulogoff.reg

createfile until @end_create_reg_file

Windows Registry Editor Version 5.00

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

"StartMenuLogoff"=-

@end_create_reg_file

move __createfile deletestartmenulogoff.reg

prefetch RunAsCurrentUser.exe sha1:a72371f4e968da7ead24f0f4e68c14b234ac94f6 size:184320 http://software.bigfix.com/download/bes … er-2.0.exe

utility __Download\RunAsCurrentUser.exe

waithidden_Download\RunAsCurrentUser.exe regedit /s "deletestartmenulogoff.reg"

Any Help Appreciated!

(imported comment written by BenKus)

Is there a typo? It should be:

waithidden __Download …

(with a space and two '_')

Ben

(imported comment written by flayofish91)

That was a typo, thanks!

Regarding the relevance, does that look correct? We have infected people in the environment, but they are not showing relevant in BigFix. Clients are running Windows XP Pro SP3.

-thanks

(imported comment written by MrFixit)

Perhaps you need to add an exists to the registry value check:

(exists x32 registry AND NOT exists x64 registry) AND (name of operating system = "WinXP" OR name of operating system = "WinXP-2003") AND exists values "StartMenuLogoff" of keys "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" of current user keys (logged on users) of registry
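For comparison, here is the same detect-and-remove logic written as a PowerShell script. This is an added example, not code from the thread or from BigFix. Because the BigFix client runs as SYSTEM, it can reach each logged-on user's HKCU directly as HKEY_USERS\<SID> (the loaded hive that HKCU is a view of), so the value can be checked and deleted without RunAsCurrentUser or a .reg file. It assumes PowerShell 2.0 or later and administrative rights; the SID pattern and the decision to skip the service-account hives (S-1-5-18/19/20) and _Classes hives are my choices, not something the thread specifies.

```powershell
# Added example (not from the thread): find and remove the StartMenuLogoff value
# for every user whose hive is currently loaded. This is the PowerShell
# equivalent of "exists values ... of current user keys (logged on users) of registry"
# followed by the "StartMenuLogoff"=- line in the .reg file.
# Assumption: runs as SYSTEM or an administrator so HKEY_USERS is writable.

$ValueName = 'StartMenuLogoff'
$SubKey    = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# PowerShell has no HKU: drive by default; map HKEY_USERS once.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Interactive profiles are loaded as S-1-5-21-<domain>-<rid>. Skip .DEFAULT,
# the *_Classes hives and the built-in service SIDs (S-1-5-18/19/20),
# none of which correspond to a logged-on user's HKCU.
$userHives = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

foreach ($hive in $userHives) {
    $keyPath = "HKU:\$($hive.PSChildName)\$SubKey"
    if (-not (Test-Path -Path $keyPath)) {
        Write-Output ("{0}: key not present" -f $hive.PSChildName)
        continue
    }

    # The "exists" check MrFixit added: Get-ItemProperty returns $null
    # (with a suppressed non-terminating error) when the value is absent.
    $item = Get-ItemProperty -Path $keyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("{0}: {1} not present" -f $hive.PSChildName, $ValueName)
        continue
    }

    # Value exists: log what was there (useful evidence during an incident), then delete it.
    Write-Output ("{0}: {1} = {2}, removing" -f $hive.PSChildName, $ValueName, $item.$ValueName)
    Remove-ItemProperty -Path $keyPath -Name $ValueName -ErrorAction Stop
}
```

Run this from a BigFix action with the script written out via createfile and launched with waithidden powershell.exe -ExecutionPolicy Bypass -File, or interactively from an elevated prompt. Users whose hives are not loaded (not logged on) are not covered, which matches the "logged on users" scope of the relevance above; a profile that is only logged on later still needs the fixlet to re-evaluate.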