Relevance for software installed on clients

Hi, I am new to the relevance language and hoping to get a pointer in the right direction. I am trying to create an automatic group that discovers all of my clients that have a particular package installed (McAfee to be precise).
I am unsure how to start and of best practice. Any help will be most appreciated.

Thanks in advance

This will depend on the OS in question. Can you narrow the field a little?

Sure, apologies for the ambiguity. There are a number of software packages that I want to discover to be installed; namely, some of the applications are McAfee and Bit9, which would be installed on the Windows platform (Workstations and Servers).

OK, for Windows, we are interested in what’s listed under the Uninstall key in the Registry.

As a specific example, let’s look to see if you have the “IBM BigFix Client” installed.

As a best practice, it’s not enough to simply look to see if there is a Key that has a “DisplayName” listing “IBM BigFix Client”; we need to also check to see if the “DisplayName” property even exists. This prevents returning errors when writing Relevance to be used in Analyses. In this case you could get away without it, but I try to make it a habit.

So, we’re going to look to see if a Registry Key exists under the Uninstall Key that has a Value “DisplayName” AND where the “DisplayName” has a value of “IBM BigFix Client”:

Exists key whose (exists Value "DisplayName" of it AND (Value "DisplayName" of it) as string starts with "IBM BigFix Client") of Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of (if (x64 of Operating System) THEN (x32 Registry; x64 Registry) ELSE (Registry))

2 Likes

You can use plural relevance instead. This is how I would recommend doing it:

exists (it as string) whose(it contains "IBM BigFix Client") of values "DisplayName" of keys of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)

This is more efficient and more readable and is one step away from being used to report on all DisplayNames:

unique values of (it as string as trimmed string) of values "DisplayName" of keys of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)

This is actually what I start with, returning all of the results in a sensible way for reporting, then filtering the result using whose and adding exists which then turns the reporting results into a TRUE/FALSE that can be used for applicability / automatic groups / etc…

Also look at the related analysis Application Information (Windows) in the BES Inventory and License site.

2 Likes

Hi jgstew. I have been trying to find a simple way to check a machine to see if it has a particular KB installed or not in relevance. I don’t need to know any additional data. All I need is a check.

I have created an analysis that is checking for Windows Security updates by date range. Example Analysis one would be to see if all devices have patched these three.
So here is one attempt at relevance:
Results are iffy like this:
(exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4056897 was successfully changed to the Installed state") of event log "Setup") and (exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4074587 was successfully changed to the Installed state") of event log "Setup") and (exists descriptions of records whose (event id of it = 2 AND description of it contains "KB4088878 was successfully changed to the Installed state") of event log "Setup")

And here is my latest iteration using WMI:
exists (string values of properties "HotFixID" of it) whose(it starts with "KB4056897") of select objects "HotFixID from Win32_QuickFixEngineering" of wmis and exists (string values of properties "HotFixID" of it) whose(it starts with "KB4074587") of select objects "HotFixID from Win32_QuickFixEngineering" of wmis and exists (string values of properties "HotFixID" of it) whose(it starts with "KB4088878") of select objects "HotFixID from Win32_QuickFixEngineering" of wmis

What would be the fastest way to check if specific KBs have been installed on a Windows 7 OS machine?

Hi, I’m a newbie building a bunch of software deployments, and I’m wondering if it’s better to use registry queries in the uninstall sections, or looking for a file existing.

Using the QNA tool, the file exists check takes about .3ms,
-not exists file "C:\Program Files\Common Files\LogiShrd\Unifying\DJCUHost.exe"

and the registry query takes about 1000ms.
-not exists keys whose (exists value "DisplayName" whose (it as string as lowercase contains "logitech unifying") of it) of keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries;x32 registries)

I’m inclined to use registry queries because that would mean the program is properly installed - except the odd case where a program doesn’t register itself there. We have one of those.
What do you experts think?

Usually a registry check is faster than a file check. You’ve encountered the exception by the way your relevance is crafted.

If you could tighten up the registry check, I usually recommend the registry way.

For instance, your file check looks for only one exact file to exist, but your registry check is looking at every uninstall key and pattern-matching the DisplayName value.

You could shorten that by excluding one of x32 registries or x64 registries; checking for an exact match on the name of the GUID/name of the uninstall key; try an exact match on the DisplayName value rather than ‘contains’.

2 Likes
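
The tightening steps suggested in the reply above, written out against the Logitech query from the question. This is an added example, not code from any poster in the thread; it assumes the product registers in the 64-bit registry view, and PLACEHOLDER_DISPLAYNAME and {PLACEHOLDER-KEY-NAME} stand in for the real values, which the thread does not give. Evaluate each expression separately.

```relevance
/* 1. Search one registry view only (assumption: the 64-bit view). */
not exists keys whose (exists value "DisplayName" whose (it as string as lowercase contains "logitech unifying") of it) of keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of x64 registries

/* 2. Exact DisplayName match instead of "contains" (PLACEHOLDER_DISPLAYNAME is a placeholder). */
not exists keys whose (exists value "DisplayName" whose (it as string = "PLACEHOLDER_DISPLAYNAME") of it) of keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of x64 registries

/* 3. Direct lookup by uninstall key name, so no subkeys are enumerated ({PLACEHOLDER-KEY-NAME} is a placeholder). */
not exists keys "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{PLACEHOLDER-KEY-NAME}" of x64 registries
```

Exact matches stop working when a vendor changes the DisplayName or the uninstall key name between releases, so re-check the values after each upgrade.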

Hi, just a newbie. Will a relevance work with a single regkey such as the HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall key and look for 2 Values such as DisplayName and DisplayVersion?

It will - you can grab as many values as you like

Try this in the Fixlet Debugger and tweak up to get the application you want.

 (
   value "DisplayName" of it, value "DisplayVersion" of it
 )
 of keys 
 whose
 (
   exists value "DisplayName" 
   whose
   (
     it as string contains "BigFix Client"
   )
   of it
 )
 of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of 
 (
   x32 registries; x64 registries
 )

Hi, thanks for the input. Does it work OK on your fixlet debugger? Mine errors with the registry checks at the end as it cannot parse for both x86 and x86.

Your syntax is wrong with multiple ‘whose’ clauses on one subject.

I’m on a phone now (no BigFix work today) but try a variant of

(
value "DisplayName" of it, value "DisplayVersion" of it
)
of keys
whose
(
exists value "DisplayName"
whose
(
it as string contains "BigFix Client"
)
of it
and
exists value "DisplayVersion"
whose (it as string as version = "9.5.13")
of it)
of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of
(
x32 registries; x64 registries
)

The error in your debugger is likely because of the smart quotes…

“ != "
Try this one where I corrected the quotes

(value "DisplayName" of it, value "DisplayVersion" of it)
of keys whose ( 
	exists value "DisplayName" 
			whose( it as string contains "BigFix Client")
	of it)
of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of
(x32 registries; x64 registries)

I was trying to amend your query to narrow the field to apps of a certain version but I get no results. What have I done wrong?

exists (it as string) whose(it contains "Notepad++ (32-bit x86)") of values "DisplayName"
and
exists (it as string) whose (it as string as version = "11.4.7507.2") of values "DisplayVersion"
of keys of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)

You want to check both things; it might be easier to put them both into a whose and move your existence check to the key level, like this:

exists keys whose (value "DisplayName" of it as string contains "Notepad++ (32-bit x86)" and value "DisplayVersion" of it as string as version = "11.4.7507.2") of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)
1 Like

Thanks brolly33, I’d come up with the below:

exists keys whose ( exists value "DisplayName" whose ( it as string contains "Notepad++" ) of it and exists value "DisplayVersion" whose (it as string as version = "8.1.4") of it) of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of ( x32 registries; x64 registries )

I can see how yours is more streamlined! I’ll be doing the relevance 401 training soon so hopefully will get a handle on it. Thanks again

1 Like

Yours works fine. I just flattened the whose down a layer. Both ways are good and both are efficient.
Cheers and good luck with the relevance training!

1 Like