I need to search the registry on a few machines for this text here: 5.0.17.31213 but I’m not sure how to write the Analyses. Can someone help me? I just need to know the registry key where it is located.
As usual, thanks for any help.
Sno
You won’t be able to do that with only Relevance. You will need to find a command line tool like ‘reg query’ and execute that in an Action, save the output to a file, and then read the file in an Analysis.
I’m not going to be able to write that up right now, but this may help point in the right direction. I can post more on it tomorrow if you need more help with it.
Be very careful… Scanning the registry can take a long time and cause long evaluation times. This can cause a system to show as “Not reported” on all of its actions.
I would recommend you target specific machines and do not dynamically target machines.
Hopefully @JasonWalker can supply a good scanning process.
I tested it with your string using Reg Query on my machine, it took almost an hour!!! Reg Query alone will not help & is extremely slow if you are going against top level registry hives, such as “HKLM”! which is definitely not good.
Discovered a quicker way to do it, which takes only 30 seconds to complete using the method below.
$startTime = Get-Date
# Export the whole HKLM hive once (/y overwrites an existing file without prompting)
reg export HKLM "$env:TEMP\registry_export.reg" /y
# -SimpleMatch searches for the literal string; without it the pattern is a regex and "." matches any character
$result = Select-String -Path "$env:TEMP\registry_export.reg" -Pattern "5.0.17.31213" -SimpleMatch
$endTime = Get-Date
$executionTime = New-TimeSpan -Start $startTime -End $endTime
# Display the results of the registry search
if ($result) {
    Write-Host "Registry search completed. Result:" $result
} else {
    Write-Host "No matches found."
}
# Display the start and end timestamps and the total execution time
Write-Host "Start Time: $($startTime.ToString())"
Write-Host "End Time: $($endTime.ToString())"
Write-Host "Execution Time: $($executionTime.ToString())"
Comparison of the results of my script between the old (reg query) and new (reg export & search):
Registry search completed. Result: End of search: 0 match(es) found.
Start Time: 3/27/2024 1:05:02 PM
End Time: 3/27/2024 1:58:33 PM
Execution Time: 00:53:30.9737226
No matches found.
Start Time: 3/27/2024 2:35:02 PM
End Time: 3/27/2024 2:35:37 PM
Execution Time: 00:00:34.4203601
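The export-and-search approach above tells you that the string exists somewhere in the hive, but Select-String only returns a line number, not the key the asker needs. The following is an added example, not VK's code or anything from the BigFix project: it exports the hive the same way, then streams the .reg file and tracks the [HKEY_...] section headers so that every hit is reported with the key and value name it belongs to. The function name, parameter names and the temp file name are my own choices; it assumes Windows with reg.exe on the PATH and write access to $env:TEMP.

```powershell
# Added example (not from the thread): export a hive once, search the export for a
# literal string, and map each hit back to the registry key and value that contain it.
function Find-RegistryString {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Pattern,                          # literal text to look for
        [string] $Hive = 'HKLM',                                            # hive or key to export
        [string] $ExportPath = (Join-Path $env:TEMP 'registry_export.reg')  # scratch file (assumed path)
    )

    # reg.exe export is far faster than walking the hive with "reg query" or Get-ChildItem.
    # /y overwrites an existing file without prompting.
    & reg.exe export $Hive $ExportPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export of $Hive failed with exit code $LASTEXITCODE" }

    try {
        $currentKey = $null
        # .reg files are written as UTF-16LE. Stream the file line by line rather than loading it:
        # a full HKLM export can be hundreds of megabytes.
        foreach ($line in [System.IO.File]::ReadLines($ExportPath, [System.Text.Encoding]::Unicode)) {
            if ($line.StartsWith('[') -and $line.EndsWith(']')) {
                # Section header, e.g. [HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\App]
                $currentKey = $line.Substring(1, $line.Length - 2)
                # The key name itself may contain the string (version-named subkeys are common).
                if ($currentKey.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{ Key = $currentKey; Value = $null; Line = $line }
                }
                continue
            }
            # Literal comparison: "5.0.17.31213" used as a regex would also match "5x0y17z31213".
            if ($currentKey -and $line.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                # Value lines look like "Name"="data" or @="data" (@ is the key's default value).
                $valueName = if ($line.StartsWith('@')) {
                    '(Default)'
                } elseif ($line -match '^"((?:[^"\\]|\\.)*)"=') {
                    $Matches[1]
                } else {
                    $null   # continuation line of a wrapped hex(...) value, no name on this line
                }
                [pscustomobject]@{ Key = $currentKey; Value = $valueName; Line = $line }
            }
        }
    } finally {
        # Do not leave a full hive dump behind: it can contain credentials and other sensitive data.
        Remove-Item $ExportPath -Force -ErrorAction SilentlyContinue
    }
}

# Usage: list every key/value in HKLM that contains the version string from the question.
Find-RegistryString -Pattern '5.0.17.31213' | Format-Table Key, Value -AutoSize
```

Two caveats apply to this and to the Select-String version alike. First, reg export writes REG_SZ data as plain text but hex-encodes REG_EXPAND_SZ, REG_MULTI_SZ and REG_BINARY data (hex(2):..., hex(7):..., hex:...), so a text search only finds the string in key names, value names and REG_SZ data. Second, as noted earlier in the thread, this is work for an Action, not for Relevance: run it on explicitly targeted machines, not on a dynamically targeted group.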
By your version number and a Google search this seems to be .NET related. Try searching in these locations
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Full
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
If I am wrong then completely ignore this post
VK, is this a bigfix script or powershell?
$startTime = Get-Date
reg export HKLM "$env:TEMP\registry_export.reg" /y
# -SimpleMatch searches for the literal string rather than treating it as a regex
$result = Select-String -Path "$env:TEMP\registry_export.reg" -Pattern "5.0.17.31213" -SimpleMatch
$endTime = Get-Date
$executionTime = New-TimeSpan -Start $startTime -End $endTime
if ($result) {
    Write-Host "Registry search completed. Result:" $result
} else {
    Write-Host "No matches found."
}
Write-Host "Start Time: $($startTime.ToString())"
Write-Host "End Time: $($endTime.ToString())"
Write-Host "Execution Time: $($executionTime.ToString())"
@Snojack The code VK shared is straight-up PowerShell. So you’d either do it as a native PowerShell action or use createfile until to encapsulate the PowerShell code in BigFix actionscript. I’d recommend the second method so you can make the search string an action parameter query.
@vk.khurava That’s a brilliant way to work around the slowness of registry search!
Can you give me the tweak where this writes the reg file right to c:\temp? thanks so much!
reg export HKLM "$env:TEMP\registry_export.reg" /y
$result = Select-String -Path "$env:TEMP\registry_export.reg" -Pattern "5.0.17.31213"
The above lines write the reg file to registry_export.reg in whatever folder the “TEMP” environment variable points to, and then read it from the same place.
Just replace "$env:TEMP\registry_export.reg" in those lines with "c:\temp\registry_export.reg" and it’ll use c:\temp instead.
Here you go with complete BigFix stuff, create BigFix task using below action script & you are done.
//Action Script
action parameter query "SearchKeyword" with description "Enter the desired value which you want to search in registry"
delete __createfile
delete __Download\regexport.ps1
createfile until EOF
# Define paths
$LogFilePath = "C:\temp\RegExport.log"
$RegistryExportPath = "C:\temp\registry_export.reg"
# Delete older log file if exists
if (Test-Path $LogFilePath) {{
Remove-Item $LogFilePath -Force
}
# Delete older registry export file if exists
if (Test-Path $RegistryExportPath) {{
Remove-Item $RegistryExportPath -Force
}
# Export registry
reg export HKLM $RegistryExportPath /y
# Search registry export for the keyword as a literal string (-SimpleMatch: without it the keyword is a regex and "." matches any character)
$result = Select-String -Path $RegistryExportPath -Pattern "{parameter "SearchKeyword"}" -SimpleMatch
# Write results to log file
if ($result) {{
$result.Line | Out-File -FilePath $LogFilePath -Append
} else {{
Write-Output "No matches found." | Out-File -FilePath $LogFilePath -Append
}
EOF
move __createfile __Download\regexport.ps1
action uses wow64 redirection false
waithidden "{pathname of regapp "powershell.exe"}" -ExecutionPolicy Bypass -File __Download\regexport.ps1
Thanks so much for this! Is there a way to make this DELETE all registry keys that find “5.0.17.31213” ? That would be tremendously helpful.
Thanks!
First you need to collect & combine the data; once it is all there you can use the reg delete option to delete the desired results.
https://developer.bigfix.com/action-script/reference/registry/regdelete.html
https://developer.bigfix.com/action-script/reference/registry/regdelete64.html
Or you can also use BigFix “Windows Registry Wizard” to populate task for deletion of desired reg key/value.
There are many other ways to delete reg keys, try exploring forum posts for reg keys deletion.
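The deletion step the thread points to with reg delete is where a search-and-remove job does the most damage if the match list is wrong (a version string like this one typically lives in installer and component keys that other software depends on). The following is an added example, not code from the thread or from BigFix: it takes a list of key paths produced by the search step, re-reads each value live before touching it, backs the key up with reg export, and removes only individual values, never whole keys, through ShouldProcess so that -WhatIf gives a dry run and -Confirm prompts per value. The function and parameter names and the backup folder are my own; the candidate key paths in the usage are constructed placeholders.

```powershell
# Added example (not from the thread): remove registry values whose data contains a string,
# with a live re-check, a per-key backup and -WhatIf/-Confirm support via ShouldProcess.
function Remove-RegistryValueMatching {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $KeyPath,   # e.g. HKLM\SOFTWARE\Vendor\App
        [Parameter(Mandatory)] [string] $Pattern,                      # literal text to match in value data
        [string] $BackupDir = (Join-Path $env:TEMP 'reg-backups')      # assumed location for .reg backups
    )
    begin { New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null }
    process {
        # Translate "HKLM\..." (reg.exe / .reg file form) into the provider path "HKLM:\...".
        $providerPath = $KeyPath -replace '^(HKLM|HKCU|HKCR|HKU|HKCC)\\', '$1:\'
        if (-not (Test-Path -LiteralPath $providerPath)) {
            Write-Warning "Key not found (already removed, or 32/64-bit view mismatch): $KeyPath"
            return
        }

        $key = Get-Item -LiteralPath $providerPath          # Microsoft.Win32.RegistryKey
        $backedUp = $false
        foreach ($name in $key.GetValueNames()) {
            # Read the current data rather than trusting a possibly stale search log.
            # Multi-string and binary data are joined into one string for the comparison.
            $data = [string] $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if ($data.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }

            # GetValueNames() reports the default value as ""; the provider addresses it as "(default)".
            $display = if ($name -eq '') { '(default)' } else { $name }

            if ($PSCmdlet.ShouldProcess("$KeyPath -> $display = '$data'", 'Remove registry value')) {
                if (-not $backedUp) {
                    # One .reg backup per key before the first removal, so the change can be undone
                    # with "reg import".
                    $safeName = ($KeyPath -replace '[\\:]', '_') + '.reg'
                    & reg.exe export $KeyPath (Join-Path $BackupDir $safeName) /y | Out-Null
                    if ($LASTEXITCODE -ne 0) { throw "Backup of $KeyPath failed; aborting removal" }
                    $backedUp = $true
                }
                # Remove only the matching value; deleting the whole key would take unrelated values with it.
                Remove-ItemProperty -LiteralPath $providerPath -Name $display
                [pscustomobject]@{ Key = $KeyPath; Value = $display; Removed = $true }
            }
        }
    }
}

# Usage. Constructed input: key paths already reviewed from the search log, one per line.
$candidates = @(
    'HKLM\SOFTWARE\ExampleVendor\ExampleApp',
    'HKLM\SOFTWARE\WOW6432Node\ExampleVendor\ExampleApp'
)
# Dry run first: prints "What if: Performing the operation ..." for each value it would remove.
$candidates | Remove-RegistryValueMatching -Pattern '5.0.17.31213' -WhatIf
# Real run, prompting for each value (ConfirmImpact = 'High' makes the prompt the default):
# $candidates | Remove-RegistryValueMatching -Pattern '5.0.17.31213'
```

When this is wrapped in a BigFix action, keep the same shape the earlier task used: pass the search string as an action parameter, write the function's output to a log file so you have a record of what was removed on each endpoint, and run with `action uses wow64 redirection false` so the 64-bit view of HKLM is the one being edited.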