Value of Registry Key - Relevance Question

I am attempting to create a BigFix analysis to locate the McAfee DAT version, the value of “AVDatVersion”.

(exists keys "HKLM\SOFTWARE\Wow6432Node\McAfee\AVEngine"   whose (exists values whose(name of it = "AVDatVersion" ) of it) of registry) AND (exists keys "HKLM\SOFTWARE\Wow6432Node\McAfee\AVEngine"   whose (exists values whose(name of it = "AVDatVersion" ) of it) of registry)

I think you have a GRAMMAR error… it should read “I HAVE created”… :wink: It seems to work, so were you asking a question?

Here are two ways to accomplish this:

If you are looking just under the “HKLM\SOFTWARE\Wow6432Node\McAfee\AVEngine” key then you could use:

exists value "AVDatVersion" of key "HKLM\SOFTWARE\Wow6432Node\McAfee\AVEngine" of registry

Or if you want to inspect all of the sub keys of “HKLM\SOFTWARE\Wow6432Node\McAfee\AVEngine” then you could use:

(name of it, exists value "AVDatVersion" of it) of keys of key "HKLM\SOFTWARE\Wow6432Node\McAfee\AVEngine" of registry

I hope this helps

If you are using “of registry”, you don’t need the Wow6432Node part, as that is assumed by the client.

nm, found it! Typo on my end.

value "AVDatVersion" of key "HKLM\SOFTWARE\Wow6432Node\McAfee\AVEngine" of native registry

Just to be clear, the following would work on both 32- and 64-bit machines fine:

value "AVDatVersion" of key "HKLM\SOFTWARE\McAfee\AVEngine" of registry

I recommend writing stuff like this in this form:

unique values of (it as string) of values "AVDatVersion" of keys "HKLM\SOFTWARE\McAfee\AVEngine" of (x64 registries;x32 registries)
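
To cross-check what the relevance above returns on a given endpoint, the same value can be read from both registry views with PowerShell. This is an added example, not part of the thread or of BigFix; the function name Get-RegistryValueAllViews is hypothetical, and it assumes PowerShell 3 or later with .NET 4 or later.

```powershell
# Added example: hypothetical helper, not part of BigFix or the original thread.
# Reads one HKLM value from the 64-bit and the 32-bit registry view explicitly,
# so the result does not depend on the bitness of the calling process.
function Get-RegistryValueAllViews {
    param(
        [Parameter(Mandatory)] [string] $SubKey,
        [Parameter(Mandatory)] [string] $ValueName
    )

    $views = [Microsoft.Win32.RegistryView]::Registry64,
             [Microsoft.Win32.RegistryView]::Registry32

    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            # OpenSubKey returns $null when the key is absent in this view.
            $key = $base.OpenSubKey($SubKey)
            if ($null -eq $key) { continue }
            try {
                # GetValue returns $null when the value is absent.
                $value = $key.GetValue($ValueName)
                if ($null -ne $value) {
                    [pscustomobject]@{ View = $view; Value = [string]$value }
                }
            }
            finally { $key.Dispose() }
        }
        finally { $base.Dispose() }
    }
}

# Path without Wow6432Node: the Registry32 view maps it there on 64-bit Windows.
$found = Get-RegistryValueAllViews -SubKey 'SOFTWARE\McAfee\AVEngine' `
                                   -ValueName 'AVDatVersion'

# Per-view result, to see which view actually holds the value.
$found | Format-Table -AutoSize

# De-duplicated values, comparable to "unique values of (it as string) ...".
$found | ForEach-Object { $_.Value } | Sort-Object -Unique
```

On 32-bit Windows a request for the 64-bit view returns the 32-bit view, so both rows show the same value and the de-duplicated output is a single line.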