Search the Registry

I need to search the registry on a few machines for this text here: 5.0.17.31213 but I’m not sure how to write the Analyses. Can someone help me? I just need to know the registry key where it is located.

As usual, thanks for any help.

Sno

You won’t be able to do that with only Relevance. You will need to find a command line tool like ‘reg query’ and execute that in an Action, save the output to a file, and then read the file in an Analysis.
I’m not going to be able to write that up right now, but this may help point in the right direction. I can post more on it tomorrow if you need more help with it.


Be very careful… Scanning the registry can take a long time and cause long evaluation times. This can cause a system to show as “Not reported” on all of its actions.

I would recommend you target specific machines and do not dynamically target machines.

Hopefully @JasonWalker can supply a good scanning process.

I tested it with your string using Reg Query on my machine, it took almost an hour!!! Reg Query alone will not help & is extremely slow if you are going against top level registry hives, such as “HKLM”! which is definitely not good.

Discovered a quicker way to do it, which takes only 30 seconds to complete using the method below.

$startTime = Get-Date
reg export HKLM "$env:TEMP\registry_export.reg" /y
$result = Select-String -Path "$env:TEMP\registry_export.reg" -Pattern "5.0.17.31213"
$endTime = Get-Date
$executionTime = New-TimeSpan -Start $startTime -End $endTime

# Display the results of the registry search
if ($result) {
    Write-Host "Registry search completed. Result:" $result
} else {
    Write-Host "No matches found."
}

# Display the start and end timestamps and the total execution time
Write-Host "Start Time: $($startTime.ToString())"
Write-Host "End Time: $($endTime.ToString())"
Write-Host "Execution Time: $($executionTime.ToString())"

Comparison of the results of my script between the old (reg query) and new (reg export & search):

Registry search completed. Result:  End of search: 0 match(es) found.
Start Time: 3/27/2024 1:05:02 PM
End Time: 3/27/2024 1:58:33 PM
Execution Time: 00:53:30.9737226

No matches found.
Start Time: 3/27/2024 2:35:02 PM
End Time: 3/27/2024 2:35:37 PM
Execution Time: 00:00:34.4203601
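The export-and-search script above tells you that the string exists somewhere in the hive, but the Select-String hit is just the "Name"="value" line, not the key it lives under, which is what the original question asked for. The following added example (my code, not VK's script) walks the .reg export, tracks the current [HKEY_...] header so each hit is reported with its key path, compares the needle literally (in the script above "5.0.17.31213" is a regex, where each dot matches any character), and also decodes hex(2)/hex(7) values (REG_EXPAND_SZ/REG_MULTI_SZ, stored as UTF-16LE hex in a .reg file), which a plain-text search of the export would miss. It assumes the hive was already exported to C:\temp\registry_export.reg with reg export as shown in the thread.

```powershell
# Added example: report the key path of every registry value containing $Needle,
# working from a 'reg export' file (assumed path: C:\temp\registry_export.reg).
function Find-RegExportMatches {
    param(
        [Parameter(Mandatory)][string]$ExportPath,
        [Parameter(Mandatory)][string]$Needle
    )
    $currentKey = $null
    $pending = ''   # accumulates hex values continued over lines ending in '\'
    # reg export writes UTF-16LE with a BOM; ReadLines detects the BOM and decodes it.
    foreach ($line in [System.IO.File]::ReadLines($ExportPath)) {
        # A line like [HKEY_LOCAL_MACHINE\SOFTWARE\...] starts a new key.
        if ($line -match '^\[(.+)\]$') { $currentKey = $Matches[1]; continue }
        if (-not $currentKey) { continue }   # header before the first key
        # Join continuation lines of long hex values before inspecting them.
        $pending += $line.Trim()
        if ($pending.EndsWith('\')) { $pending = $pending.TrimEnd('\'); continue }
        $entry = $pending; $pending = ''
        if ($entry -eq '') { continue }
        $text = $entry
        # "Name"=hex(2):xx,xx,... (REG_EXPAND_SZ) or hex(7): (REG_MULTI_SZ):
        # decode the UTF-16LE bytes so the string can be searched as text.
        if ($entry -match '^(.+?)=hex\((2|7)\):(.*)$') {
            $bytes = [byte[]]($Matches[3] -split ',' | Where-Object { $_ } |
                ForEach-Object { [Convert]::ToByte($_, 16) })
            $text = $Matches[1] + '=' + [System.Text.Encoding]::Unicode.GetString($bytes)
        }
        # Ordinal substring test: no regex, so '.' in the needle means a literal dot.
        if ($text.IndexOf($Needle, [System.StringComparison]::Ordinal) -ge 0) {
            [pscustomobject]@{ Key = $currentKey; Entry = $entry }
        }
    }
}

Find-RegExportMatches -ExportPath 'C:\temp\registry_export.reg' -Needle '5.0.17.31213' |
    Format-Table -AutoSize
```

Each output row gives the full key path and the raw value line, which is the list you need before deciding what, if anything, to remove with regdelete in an action.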

By your version number and a Google search this seems to be .NET related. Try searching in these locations:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Full

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full

If I am wrong then completely ignore this post :)

VK, is this a bigfix script or powershell?

$startTime = Get-Date
reg export HKLM "$env:TEMP\registry_export.reg" /y
$result = Select-String -Path "$env:TEMP\registry_export.reg" -Pattern "5.0.17.31213"
$endTime = Get-Date
$executionTime = New-TimeSpan -Start $startTime -End $endTime

# Display the results of the registry search
if ($result) {
    Write-Host "Registry search completed. Result:" $result
} else {
    Write-Host "No matches found."
}

# Display the start and end timestamps and the total execution time
Write-Host "Start Time: $($startTime.ToString())"
Write-Host "End Time: $($endTime.ToString())"
Write-Host "Execution Time: $($executionTime.ToString())"

@Snojack The code VK shared is straight-up Powershell. So you’d either do it as a native powershell action or use createfile until to encapsulate the powershell code in BigFix actionscript. I’d recommend the second method so you can make the search string an action parameter query.

@vk.khurava That’s a brilliant way to work around the slowness of registry search!


Can you give me the tweak where this writes the reg file right to c:\temp? thanks so much!

reg export HKLM "$env:TEMP\registry_export.reg" /y
$result = Select-String -Path "$env:TEMP\registry_export.reg" -Pattern "5.0.17.31213"
The above lines write the reg file to registry_export.reg in whatever folder the "TEMP" environment variable points to, and then read it from the same place.
Just replace "$env:TEMP\registry_export.reg" in those lines with "c:\temp\registry_export.reg" and it'll use c:\temp instead.


Here you go with complete BigFix stuff, create BigFix task using below action script & you are done.

//Action Script
action parameter query "SearchKeyword" with description "Enter the desired value which you want to search in registry"

delete __createfile
delete __Download\regexport.ps1

createfile until EOF
# Define paths
$LogFilePath = "C:\temp\RegExport.log"
$RegistryExportPath = "C:\temp\registry_export.reg"

# Delete older log file if exists
if (Test-Path $LogFilePath) {{
    Remove-Item $LogFilePath -Force
}

# Delete older registry export file if exists
if (Test-Path $RegistryExportPath) {{
    Remove-Item $RegistryExportPath -Force
}

# Export registry
reg export HKLM $RegistryExportPath /y

# Search registry export for specific keyword
$result = Select-String -Path $RegistryExportPath -Pattern "{parameter "SearchKeyword"}"

# Write results to log file
if ($result) {{
    $result.Line | Out-File -FilePath $LogFilePath -Append
} else {{
    Write-Output "No matches found." | Out-File -FilePath $LogFilePath -Append
}
EOF

move __createfile __Download\regexport.ps1

action uses wow64 redirection false
waithidden "{pathname of regapp "powershell.exe"}" -ExecutionPolicy Bypass -File __Download\regexport.ps1

Thanks so much for this! Is there a way to make this DELETE all registry keys that find “5.0.17.31213” ? That would be tremendously helpful.

Thanks!

First you need to collect & combine the data; once it is all there you can use the reg delete option to delete the desired results.

https://developer.bigfix.com/action-script/reference/registry/regdelete.html
https://developer.bigfix.com/action-script/reference/registry/regdelete64.html

Or you can also use BigFix “Windows Registry Wizard” to populate task for deletion of desired reg key/value.

There are many other ways to delete reg keys, try exploring forum posts for reg keys deletion.