Why does RegApp fail sometimes?

I have an analysis that shows what versions of Microsoft Office are installed. For the analysis relevance I have the following (some VMs don’t have Outlook, so I added Excel as well):

( exists regapp "outlook.exe" ) OR ( exists regapp "excel.exe" )

This works on most of our computers; however, there are 2 where the above relevance does not work. I ran a WebUI query on one of the 2 computers, and other apps show up as registered apps; however, no Office apps are listed:

"Device","Results"
"LAPTOP-NAME","Acrobat.exe","11.0.23.22","Adobe Acrobat ","11.0.23.22","Adobe Systems Incorporated"
"LAPTOP-NAME","AcrobatInfo.exe","11.0.18.21","Adobe Acrobat ","11.0.18.21","Adobe Systems Incorporated"
"LAPTOP-NAME","acrodist.exe","11.0.7.79","Acrobat  Distiller","11.0.07.79","Adobe Systems Incorporated."
"LAPTOP-NAME","BESClient.exe","10.0.10.46","BigFix Agent","10.0.10.46","HCL Technologies Limited"
"LAPTOP-NAME","DJCUHost.exe","2.50.25.0","Unifying Software (UNICODE)","2.50.25","Logitech, Inc."
"LAPTOP-NAME","iediagcmd.exe","11.0.19041.3636","Diagnostics utility for Internet Explorer","11.00.19041.3636 (WinBuild.160101.0800)","Microsoft Corporation"
"LAPTOP-NAME","iediagcmd.exe","11.0.19041.3636","Diagnostics utility for Internet Explorer","11.00.19041.3636 (WinBuild.160101.0800)","Microsoft Corporation"
"LAPTOP-NAME","iexplore.exe","11.0.19041.3636","Internet Explorer","11.00.19041.1 (WinBuild.160101.0800)","Microsoft Corporation"
"LAPTOP-NAME","javaws.exe","8.0.1110.14","Java(TM) Web Start Launcher","11.111.2.14","Oracle Corporation"
"LAPTOP-NAME","mip.exe","10.0.19041.3636","Math Input Panel Accessory","10.0.19041.1 (WinBuild.160101.0800)","Microsoft Corporation"
"LAPTOP-NAME","wmplayer.exe","12.0.19041.3636","Windows Media Player","12.0.19041.1 (WinBuild.160101.0800)","Microsoft Corporation"
"LAPTOP-NAME","ms-teams.exe","23306.3315.2560.6525","Microsoft Teams (work or school)","23306.3315.2560.6525","Microsoft Corporation"
"LAPTOP-NAME","ms-teamsupdate.exe","23306.3315.2560.6525","Microsoft Teams Updater (work or school)","23306.3315.2560.6525","Microsoft Corporation"
"LAPTOP-NAME","msedge.exe","120.0.2210.77","Microsoft Edge","120.0.2210.77","Microsoft Corporation"
"LAPTOP-NAME","MSOXMLED.EXE","16.0.17029.20000","Office XML Handler","16.0.17029.20000","Microsoft Corporation"
"LAPTOP-NAME","olk.exe","1.2023.816.100","Microsoft Outlook","1.2023.816.100","Microsoft Corporation"
"LAPTOP-NAME","mspaint.exe","10.0.19041.3758","Paint","10.0.19041.3758 (WinBuild.160101.0800)","Microsoft Corporation"
"LAPTOP-NAME","powershell.exe","10.0.19041.3636","Windows PowerShell","10.0.19041.1 (WinBuild.160101.0800)","Microsoft Corporation"
"LAPTOP-NAME","Skype.exe","8.110.0.218","Skype","8.110.0.218","Skype Technologies S.A."
"LAPTOP-NAME","SKYPESERVER.EXE","16.0.17029.0","DocumentChat COM SkypeServer","16.0.17029.20000","Microsoft Corporation"
"LAPTOP-NAME","TabTip.exe","10.0.19041.3636","Touch Keyboard and Handwriting Panel","10.0.19041.1 (WinBuild.160101.0800)","Microsoft Corporation"
"LAPTOP-NAME","wab.exe","10.0.19041.3636","Windows Contacts","10.0.19041.3636 (WinBuild.160101.0800)","Microsoft Corporation"
"LAPTOP-NAME","wabmig.exe","10.0.19041.3636","Microsoft (R) Contacts Import Tool","10.0.19041.3636 (WinBuild.160101.0800)","Microsoft Corporation"
"LAPTOP-NAME","WindowsPackageManagerServer.exe","1.21.2312.14002","WindowsPackageManagerServer.exe","1.21.2312.14002","Microsoft Corporation"
"LAPTOP-NAME","winget.exe","1.21.2312.14002","winget.exe","1.21.2312.14002","Microsoft Corporation"
"LAPTOP-NAME","wmplayer.exe","12.0.19041.3636","Windows Media Player","12.0.19041.1 (WinBuild.160101.0800)","Microsoft Corporation"
"LAPTOP-NAME","wordpad.exe","10.0.19041.3758","Windows Wordpad Application","10.0.19041.1 (WinBuild.160101.0800)","Microsoft Corporation"
"LAPTOP-NAME","wordpad.exe","10.0.19041.3758","Windows Wordpad Application","10.0.19041.1 (WinBuild.160101.0800)","Microsoft Corporation"  

I know the computer has Microsoft 365 Apps for enterprise - en-us installed from the Application Information (Windows) analysis data so I also know they have those apps installed. I just don’t know what mechanism BigFix uses to determine this or if it is a BigFix problem or a Windows OS issue.

I’m honestly not sure whether we are using the Windows API, or interrogating the Registry directly, but in either case the keys involved are described at https://learn.microsoft.com/en-us/windows/win32/shell/app-registration so you can check there.

I’d note that the Application Information analysis includes per-user software installs for the logged-on users; I would suspect that a per-user install may not show up in regapps but may be present in the Analysis.

First of all, thanks for the quick response as always, Jason!

I was able to remotely access the registry on the same system above and can see all the Office apps listed under the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths:

It is certainly possible (although unlikely) that Office was installed per-user but if the app registration shows up under HKLM wouldn’t that indicate it was installed per-machine?

Yes I think that does indicate a per-machine install. Can you check some of those expected regapps keys and verify the (Default) value is a fully-qualified path to the executable?

If that looks correct, I’d ask you to open a support ticket so Dev can give a response. I don’t think there is a 32/64-bit issue with the inspector, but I don’t use regapps very much and can’t say for certain.


Interesting so the only ones that don’t have the default path are the Office apps. All the others have the path. For the Office apps they show (value not set) for the Default data.

Hmm, that sounds like it’s not registered properly, but not sure why it would do that. Maybe left behind by uninstalling a per-system version and changing to per-user, perhaps?

I checked the HKCU path and it is not populated with the Office apps at all so it does not appear to be installed per-user. I’ll pursue it as a Windows problem because of the lack of paths for the Office keys. Thanks for your help in narrowing it down!

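The manual check worked through in this thread (look at the App Paths subkeys under HKLM and HKCU and confirm each (Default) value is a fully-qualified path to the executable), as an added PowerShell example that is not part of the original posts. The function name `Get-AppPathStatus` and its status labels are assumptions made for illustration; it does not reproduce how the BigFix regapp inspector works internally.

```powershell
# Added example (not from the thread): audit App Paths registrations in HKLM and HKCU.
function Get-AppPathStatus {
    param(
        # Executable names to check; defaults to the two used in the analysis relevance.
        [string[]]$Name = @('outlook.exe', 'excel.exe')
    )

    $roots = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths'

    foreach ($root in $roots) {
        foreach ($exe in $Name) {
            $keyPath = "$root\$exe"
            $default = $null

            if (-not (Test-Path -LiteralPath $keyPath)) {
                $status = 'KeyMissing'
            } else {
                # GetValue('') reads the unnamed (Default) value;
                # $null corresponds to "(value not set)" in regedit.
                $default = (Get-Item -LiteralPath $keyPath).GetValue('')
                $target  = "$default".Trim().Trim('"')

                if ([string]::IsNullOrWhiteSpace($target)) {
                    $status = 'DefaultNotSet'
                } elseif ($target -notmatch '^([A-Za-z]:\\|\\\\)') {
                    # Neither a drive-letter path nor a UNC path.
                    $status = 'NotFullyQualified'
                } elseif (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
                    $status = 'TargetMissing'
                } else {
                    $status = 'OK'
                }
            }

            [pscustomobject]@{
                Key     = $keyPath
                Default = $default
                Status  = $status
            }
        }
    }
}

Get-AppPathStatus | Format-Table -AutoSize -Wrap
```

On the machine described above, the HKLM rows for the Office executables would report `DefaultNotSet` and the HKCU rows `KeyMissing`, matching what was found by hand in the registry.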