We are making changes in the registry that require a reboot. Until the reboot occurs, the system is vulnerable.
When we make the change, we dump a “now” timestamp in the registry. What I need now is a way to see if the uptime of the system is less than the time passed since the timestamp.
If the reboot occurred since the key change, the system is no longer vulnerable; otherwise, the system is vulnerable.
I have searched far and wide with nothing that is helping me figure this out.
I tried to use this but I was not able to tweak it to work for me.
To set…
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\MYREGKEY\Remediations\Remediation233]" "RemediationTime"="{now}"
To read…
value whose (name of it is "RemediationTime") of key "HKEY_LOCAL_MACHINE\SOFTWARE\MYREGKEY\Remediations\Remediation233" of x64 registry
I agree with @jgallas on this one, it would be easier to use
action requires restart "MyRegUpdate"
Along with
not pending restart "MyRegUpdate"
For the original case though, we can read our timestamps from the registry; we just need to cast as string as time:
Exists value "RemediationTime" whose (it as string as time > boot time of operating system) of key "HKEY_LOCAL_MACHINE\SOFTWARE\MYREGKEY\Remediations\Remediation233" of x64 registry
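
For cross-checking a single machine outside BigFix, the same comparison can be made in PowerShell. This is an added example, not part of the thread; the function name and the timestamp format (the string assumed to be written by `{now}`) are assumptions.

```powershell
# Added example: compares the RemediationTime stamp with the last boot time.
# Run in 64-bit PowerShell so the 64-bit registry view written by regset64 is read.
# Assumption: the value looks like "Tue, 04 Feb 2020 09:15:42 -0500" (constructed sample).
function Test-RebootSinceRemediation {
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\MYREGKEY\Remediations\Remediation233',
        [string]$ValueName = 'RemediationTime'
    )

    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item) {
        # No stamp present: the remediation was never recorded on this machine.
        return 'NotRemediated'
    }

    # Parse the stamp with its UTC offset; 'd' accepts one- or two-digit days.
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $stamp   = [DateTimeOffset]::MinValue
    $parsed  = [DateTimeOffset]::TryParseExact(
        [string]$item.$ValueName, 'ddd, d MMM yyyy HH:mm:ss zzz', $culture,
        [System.Globalization.DateTimeStyles]::None, [ref]$stamp)
    if (-not $parsed) { return 'UnparseableTimestamp' }

    # LastBootUpTime comes back as a local DateTime; compare both values in UTC.
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $boot = $os.LastBootUpTime.ToUniversalTime()

    # Stamp newer than boot means no reboot has happened since the change.
    if ($stamp.UtcDateTime -gt $boot) { 'RebootPending' } else { 'Rebooted' }
}

Test-RebootSinceRemediation
```

With Fast Startup enabled, a shutdown followed by a power-on does not reset `LastBootUpTime`; only a restart does.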