Time passed since Timestamp

We are making changes in the registry that require a reboot. Until the reboot occurs, the system is vulnerable.

When we make the change, we dump a “now” timestamp in the registry. What I need now is a way to see if the uptime of the system is less than the time passed since the timestamp.

If the reboot occurred since the key change, the system is no longer vulnerable; otherwise, the system is vulnerable.

I have searched far and wide with nothing that is helping me figure this out.

I tried to use this but I was not able to tweak it to work for me.

To set…
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\MYREGKEY\Remediations\Remediation233]" "RemediationTime"="{now}"

To read…
value whose (name of it is "RemediationTime") of key "HKEY_LOCAL_MACHINE\SOFTWARE\MYREGKEY\Remediations\Remediation233" of x64 registry

Then to compare that to boot time

Any suggestions?

When you push the changes, why don’t you just include:

action requires restart "Name/GUID/Identifier"

You could include a reboot as part of the action and/or a separate action to reboot at a different time if necessary.


Also this will evaluate to True in the above example:

pending restart "Name/GUID/Identifier"

For more details, you can reference the following documentation:

I agree with @jgallas on this one; it would be easier to use

action requires restart "MyRegUpdate"

Along with

not pending restart "MyRegUpdate"

For the original case though, we can read our timestamps from the registry; we just need to cast as string as time:

Exists value "RemediationTime" whose (it as string as time > boot time of operating system) of key "HKEY_LOCAL_MACHINE\SOFTWARE\MYREGKEY\Remediations\Remediation233" of x64 registry


Thanks, guys.
I will set it up that way.
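
A local cross-check of the registry-timestamp relevance given earlier in the thread, as an added PowerShell example that is not from any poster here: it reads the same value on one endpoint and compares it with the last boot time. The function name and state strings are hypothetical, and the timestamp layout is an assumption about what `{now}` writes; run it in 64-bit PowerShell so it reads the same view as `x64 registry`.

```powershell
# Added example, not from the thread. Assumption: RemediationTime holds a
# string like "Tue, 05 Mar 2024 14:30:00 -0500" (constructed sample value).
$keyPath   = 'HKLM:\SOFTWARE\MYREGKEY\Remediations\Remediation233'
$valueName = 'RemediationTime'

function Get-RemediationState {   # hypothetical helper name
    param([string]$Path, [string]$Name)

    # A missing key or value means the registry change was never recorded here.
    $raw = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $raw) { return 'NoTimestamp' }

    # Parse with an explicit format and culture so the result does not depend
    # on the endpoint's locale; the UTC offset in the string is honoured.
    $stamp = [DateTimeOffset]::MinValue
    $ok = [DateTimeOffset]::TryParseExact(
        $raw, 'ddd, d MMM yyyy HH:mm:ss zzz',
        [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::None, [ref]$stamp)
    if (-not $ok) { return 'UnparseableTimestamp' }

    # Same comparison as the relevance: timestamp later than boot time
    # means no reboot has happened since the change.
    $boot = [DateTimeOffset](Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    if ($stamp -gt $boot) { 'RebootPending' } else { 'Rebooted' }
}

Get-RemediationState -Path $keyPath -Name $valueName
```

The two extra states separate endpoints where the change was never applied, or where the value was overwritten with something that is not a timestamp, from endpoints that are simply waiting for a reboot.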