Reverse registry keys

(imported topic written by SystemAdmin)

Hi,

We are putting together a report to track our AntiVirus program’s progress on deployment. To do this, we are watching 5 separate registry keys and their values. I’ve created managed properties that report these key values.

Now I need to create a fixlet that will both:

A) Check for the values of all keys to be NOT true

B) Action a reset of the relevant registry keys to the correct values.

I’ve figured out for A) how to detect and report the information correctly for the above keys - but I really want to detect the opposite; i.e. the reverse of these values, so that the clause is NOT true (i.e. false) and the fixlet needs to be applied.

My relevance currently goes like this:

(value "DatabasePath" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry = "\SHO2K3MS21\ofcscan\FileDB") or (value "LocalServerPort" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry = 12345) or (value "Server" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry = "sho2k3ms21.wm.org.au") or (value "ServerPort" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry = 80) or (value "UpdateFrom" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc." of registry = "http://sho2k3ms21.wm.org.au/officescan/download")

How do I make this say NOT true so that it will detect properly?

For B), I’ve written the following action script.

Will this work OK?

// regset takes the key in regedit form: full hive name inside square brackets
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion]" "DatabasePath"="\\SHO2K3MS21\ofcscan\FileDB"

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion]" "LocalServerPort"=dword:00003039

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion]" "Server"="sho2k3ms21.wm.org.au"

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion]" "ServerPort"=dword:00000050

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]" "UpdateFrom"="http://sho2k3ms21.wm.org.au/officescan/download"

Thanks in advance…

Markj

(imported comment written by BenKus)

Hey Markj,

Did you want the Fixlet to be true if any one of the clauses is not true, or only if all of them are not true?

The action seems good…

Ben

(imported comment written by SystemAdmin)

That’s right - if any one of these registry entries is false, then I want the action to reset them to the values in part B).

I figure it’s probably pretty easy, it’s just the syntax I can’t get right.

Sort of an if NOT (the relevance as above).

(imported comment written by jessewk)

I think you just want this:

(value "DatabasePath" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry != "\SHO2K3MS21\ofcscan\FileDB") or (value "LocalServerPort" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry != 12345) or (value "Server" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry != "sho2k3ms21.wm.org.au") or (value "ServerPort" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry != 80) or (value "UpdateFrom" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc." of registry != "http://sho2k3ms21.wm.org.au/officescan/download")

Also, look for our upcoming integration with Trend Micro. You won’t have to mess with any of those settings anymore. We will have something out “real soon now”.

Jesse

(imported comment written by SystemAdmin)

Thanks Jesse.

One further question.

This clause holds true for almost all machines except a couple in our domain. For domain controllers, however, the last clause:

(value "UpdateFrom" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc." of registry = "http://sho2k3ms21.wm.org.au/officescan/download")

could also be:

(value "UpdateFrom" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc." of registry = "\Localhost").

How can I get it to report:

Clause 1 = false or

Clause 2 = false or

Clause 3 = false or

Clause 4 = false or

Clause 5 or Clause 6 = false

This would mean that domain controllers (with Localhost) or normal computers (with “http://sho2k3ms21.wm.org.au/officescan/download”) would both be excluded from relevance.

Does that make sense?

So far I’ve tried:

(value "DatabasePath" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry != "\SHO2K3MS21\ofcscan\FileDB") or (value "LocalServerPort" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry != 12345) or (value "Server" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry != "sho2k3ms21.wm.org.au") or (value "ServerPort" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry != 80) or ((value "UpdateFrom" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc." of registry != "\Localhost") or (value "UpdateFrom" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc." of registry != "http://sho2k3ms21.wm.org.au/officescan/download"))

…but this reports as true (instead of false). I thought the != and/or the double ()'s on the last clause would work…

Markj

(imported comment written by jessewk)

Hi Markj,

You’ve almost got it, except your query will be true on all machines because the last clause checks for two values for the same key. If you OR those checks, one of them will always be true since a value can’t be two things at once. So just make the last part an AND and you are good to go:

(value "DatabasePath" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry != "\SHO2K3MS21\ofcscan\FileDB") or (value "LocalServerPort" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry != 12345) or (value "Server" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry != "sho2k3ms21.wm.org.au") or (value "ServerPort" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry != 80) or ((value "UpdateFrom" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc." of registry != "\Localhost") and (value "UpdateFrom" of key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc." of registry != "http://sho2k3ms21.wm.org.au/officescan/download"))

Jesse

(imported comment written by SystemAdmin)

Of course! It’s so simple!

Thanks again Jesse. Really appreciate your help with this one.

Markj