Using Action Script and Relevance Substitution to change client settings - portions of Action Script disappearing

I have the following Action script to take the value of the “PendingFileRenameOperations” of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager” and use it to change the value of the “_BESClient_ActionManager_PendingRestartExclusions” client setting:

setting "_BESClient_ActionManager_PendingRestartExclusions"="{(value "PendingFileRenameOperations" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of registry)}" on "{now}"

I get the following error on the client logs:

Command failed (Missing 'on' keyword) setting "_BESClient_ActionManager_PendingRestartExclusions"="\??\C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe

…so it looks like the relevance is being substituted properly, but somehow, everything after the relevance substitution has disappeared. In other words…

" on "{now}"

has disappeared from the end of the action script.

The string that comes back from PendingFileRenameOperations is a REG_MULTI_SZ, so it's a string with multiple nulls in it.

https://technet.microsoft.com/en-us/library/cc960241.aspx

It may be as simple as:

{ (value "PendingFileRenameOperations" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of registry) as string }

But the string that makes up the command after we do the registry substitution is being truncated because of the extra nulls in it. The “as string” may help that, as the coercion doesn’t do as good a job as the explicit string convert in this case. That being said, we don’t have a good way to handle the REG_MULTI_SZ type yet (it should be a multiple answer), so you might want to file an RFE.

How would the “setting” command deal with a plural result in this case? You may need to try something like

concatenation ";" of substrings separated by "%00" of (value "PendingFileRenameOperations" of key "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" of native registry as string)

Also, I’m not completely sure it’s required, but in all the references I’ve seen, the command is
setting "X"="Y" on "(date/time)" for client

I don’t see the “for client” part in your statement.

Too right about the missing “for client”. I had indeed left that out. I don’t think it ever got that far, though, as it got stuck at the “Missing ‘on’ keyword”.

I have updated my action script as follows:

setting "_BESClient_ActionManager_PendingRestartExclusions"={concatenation ";" of substrings seperated by "%00" of (value "PendingFileRenameOperations" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of registry) as string} on "{now}" for client

My error has now changed to:

Command failed (Relevance substitution failed) setting "_BESClient_ActionManager_PendingRestartExclusions"={concatenation ";" of substrings seperated by "%00" of (value "PendingFileRenameOperations" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of registry) as string} on "{now}" for client (action:20331)

Did I get the syntax as you envisioned?

Very very close…
Check your spelling on “separated by”, and put the “as string” inside the “of registry” parentheses set. You need to cast the “Value X of key Y of registry” to a string before you can look at “substrings separated by” on it.

Also, looking closer at my test, I’m seeing 2 NULL characters between each; I’m not sure whether there are always 2 NULLs, or whether my particular “pending renames” are actually deletes. If there are always two NULLs, you could change it to ’ concatenation “;” of substrings separated by “%00%00” ’

    q: (value "PendingFileRenameOperations" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of registry as string)
    A: \??\C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe%00%00\??\C:\Users\AAJWAL~1\AppData\Local\Temp\~nsu.tmp\Au_.exe%00%00
    T: 0.154 ms
    I: singular string

    q: concatenation ";" of substrings separated by "%00" of (value "PendingFileRenameOperations" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of registry as string)
    A: \??\C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe;;\??\C:\Users\AAJWAL~1\AppData\Local\Temp\~nsu.tmp\Au_.exe

Very interesting. So, using one instance of “%00” gives a success in the client log, with some of those null values included:

   Command succeeded setting "_BESClient_ActionManager_PendingRestartExclusions"="\??\C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe;;\??\C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe;;;" on "Thu, 19 Mar 2015 10:29:20 -0400" for client (action:20360)

Using “%00%00” removes some of the nulls, but produces an error:

   Command failed (Missing 'on' keyword) setting "_BESClient_ActionManager_PendingRestartExclusions"="\??\C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe;\??\C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe;

The nulls in the client setting don’t seem to be a problem, though, as the client no longer shows as applicable for the fixlet “Restart Needed - Not Triggered by a BES Action”, which is exactly what I wanted.

The whole reason for this endeavor is that, for some reason, clients would show as applicable for the fixlet “Restart Needed - Triggered by a BES action” even if they were actually showing as ‘restart needed’ due to the existence of a PendingFileRenameOperations key value. As a test, we took a client that showed as applicable for “Restart Needed - Triggered by a BES action”, and deleted the PendingFileRenameOperations value. Even without rebooting, the client no longer showed as applicable for “Restart Needed - Triggered by a BES action”.

We were having a hell of a time making sure actions had completed, because many of our clients were showing ‘Restart Pending’ even though we knew some of them had already restarted.

Anyhow, thanks so much to everyone for walking me through this!

I see. At the very end of your first result, you had three semicolons, indicating three NULLS had been replaced. The Registry value seems to be using two nulls as field separators, and a third null to terminate the value.

In the second query, using the “%00%00” replaced two out of the three final null characters, leaving the third null in place to break the ActionScript "setting" command.

So here’s the definition of a REG_MULTI_SZ from Registry value types - Win32 apps | Microsoft Learn

A sequence of null-terminated strings, terminated by an empty string (\0).
The following is an example:
String1\0String2\0String3\0LastString\0\0
The first \0 terminates the first string, the second to the last \0
terminates the last string, and the final \0 terminates the sequence.
Note that the final terminator must be factored into the length of the
string.

So you can see that there are nulls everywhere so eliminating the double null first then doing the concatenation might be the trick?

I think we should replace the nulls but not ignore them. We are seeing double nulls where the target filename is empty (for a delete, rather than a move).

Normally the PendingFileRename key would contain

Sourcefile1\0targetfile1\0sourcefile2\0targetfile2\0\0

Here’s a link to the info from IBM that I am working off of for this project:

http://www-01.ibm.com/support/docview.wss?uid=swg21506002

What I am still unsure of at this point is whether or not a ‘pending restart’ will be triggered if there are any nulls in PendingFileRenameOperations that are not accounted for in “_BESClient_ActionManager_PendingRestartExclusions”, or if it is good enough to have at least one null value in “_BESClient_ActionManager_PendingRestartExclusions”.

That doc is out of date and I’ve been trying to get that updated.

That being said the values on Vista/2008 and better that are checked by the client are:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
    value PendingFileRenameOperations
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending
HKEY_LOCAL_MACHINE\Software\Microsoft\Updates
    value UpdateExeVolatile

But I’m questioning why you are trying to automatically remove these from consideration. Sometimes some updates require multiple reboots of the system to actually clear out, and if it’s a pending restart from something OTHER than the BESClient then it’s probably something legitimate.

It became difficult to tell whether or not actions had completed, because PCs would remain in a ‘pending restart’ even after the PC had rebooted.

Some testing revealed the following:

I had a number of computers that were relevant for the “390 - Restart Needed – Triggered by a BES Action” fixlet even after applying this fixlet and confirming that the machines had restarted. I checked their registry, and sure enough, the HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\BESPendingRestart key still existed, making them relevant.

Out of curiosity, I checked to see if they were relevant for the “391 – Not Triggered by a BES Action” fixlet. Some were, some weren’t. Oddly, all affected machines had the PendingFileRenameOperations key value present in the registry, which should make them applicable to 391.

So, again, out of curiosity, I deleted the PendingFileRenameOperations value from the affected machines, and they were then no longer relevant for 391, which makes sense. The curious thing is that they were then no longer relevant for 390 either, even though they still had the HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\BESPendingRestart key.

The results of this test made me feel that it is a good idea to keep the PendingFileRenameOperations key value clean, as it seems to really mess with a machine’s ‘restart needed’ status of a client.

Reminder that altering this key can mean that installs do not complete. These entries are put there by installers and not by the agent so the install itself is not the one putting them there.

Yes. These were test machines. I typically would not blow away keys on production machines :)

I worded that badly.

I meant:

"made me feel that it's a good idea to exclude the contents of PendingFileRenameOperations from BES's 'restart pending' evaluations"

concatenation ";" of substrings separated by "%00" whose(it as trimmed string != "") of (it as string) of values "PendingFileRenameOperations" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" of registries

FWIW, I’ve seen similar problems handling NULL characters in registry values using Session Relevance in a JavaScript function in a custom dashboard.

I also couldn’t seem to use the ‘escape’ function in Session Relevance though it does work on the client. Had to resort to

concatenation ";" of substrings separated by "%00" of it
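
The NUL handling worked out in this thread, as an added Python example that is not any poster's code: it compares the three splitting strategies on a constructed PendingFileRenameOperations value and decodes the source/target pairs. Python's `str.split` stands in for the relevance `substrings separated by`, the sample paths are constructed, and the truncation at the first NUL is an assumption modelled on the client log lines quoted above.

```python
# Added example, not from the thread. "\0" is the character that "%00" denotes.

# Constructed sample: two pending deletes (empty target), laid out as
# source\0target\0...\0 plus the final \0 that closes the REG_MULTI_SZ.
A = r"\??\C:\Temp\a_tmp.exe"
B = r"\??\C:\Temp\b_tmp.exe"
RAW = A + "\0\0" + B + "\0\0" + "\0"


def join_split(raw: str, sep: str) -> str:
    """concatenation ";" of substrings separated by <sep> of <raw>"""
    return ";".join(raw.split(sep))


def filtered_exclusions(raw: str) -> str:
    """Same join, keeping only substrings that are non-empty once trimmed."""
    return ";".join(s for s in raw.split("\0") if s.strip() != "")


def setting_command(value: str) -> str:
    """The action script line after relevance substitution of the value."""
    name = "_BESClient_ActionManager_PendingRestartExclusions"
    return f'setting "{name}"="{value}" on "{{now}}" for client'


def as_seen_by_client(command: str) -> str:
    """Assumption: the command text ends at the first NUL, as the log showed."""
    return command.split("\0", 1)[0]


def rename_pairs(raw: str) -> list[tuple[str, str]]:
    """Decode into (source, target) pairs; an empty target means delete."""
    body = raw[:-1] if raw.endswith("\0") else raw  # drop sequence terminator
    parts = body.split("\0")
    if parts and parts[-1] == "":
        parts.pop()            # left over from the last string's terminator
    if len(parts) % 2:
        parts.append("")       # tolerate a value returned without its final \0
    return list(zip(parts[0::2], parts[1::2]))


if __name__ == "__main__":
    for label, value in (("%00", join_split(RAW, "\0")),
                         ("%00%00", join_split(RAW, "\0\0")),
                         ("filtered", filtered_exclusions(RAW))):
        print(label, "->", repr(as_seen_by_client(setting_command(value))))
    print(rename_pairs(RAW))
```

Splitting on the double NUL is the only variant that leaves a NUL in the substituted value, which is why it alone loses the `on` keyword.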