RegKeyExists Function for Custom Software Inventory Rule Does NOT Work
I have been working with Quest support on this, and basically they are saying it's not supported to assist with custom inventory rules (*sigh*). So here I am, seeing if anyone can assist.
I am using a Custom inventory rule with RegKeyExists (and have tried ShellCommandReturn), and no matter what I do it does not show the software as installed per the rule.
All systems are Windows 10, 64-bit. I am aware that KACE does weird things with reading a 64-bit reg key, but I have tried this in every way I can imagine. It still returns nothing on any of my systems:
RegistryKeyExists(HKEY_LOCAL_MACHINE64\SOFTWARE\SOMEKEY\SomeSubKey)
RegistryKeyExists(HKEY_LOCAL_MACHINE\SOFTWARE\SOMEKEY\SomeSubKey)
RegistryKeyExists(HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SOMEKEY\SomeSubKey)
ShellCommandTextReturn("c:\windows\sysnative\reg.exe query HKLM64\SOFTWARE\SOMEKEY\SomeSubKey")
ShellCommandTextReturn("c:\windows\sysnative\reg.exe query HKLM\SOFTWARE\SOMEKEY\SomeSubKey")
ShellCommandTextReturn(reg query "HKEY_LOCAL_MACHINE64\SOFTWARE\SOMEKEY\SomeSubKey")
ShellCommandTextReturn(reg query "HKEY_LOCAL_MACHINE\SOFTWARE\SOMEKEY\SomeSubKey")
Any ideas what I'm doing wrong? Thanks in advance.
Answers (2)
The function works fine but it does not show as a CIR but as an installed program.
See this blog for the proper verbiage to read the keys
https://www.itninja.com/blog/view/emotet-returns-from-summer-vacation-ramps-up-stolen-email-tactic-identifying-the-infected-machines-detect-files-created-by-trojan-emotet-using-cirs
Here is a report on CIRs from my admin org; note the wording to look for a registry key.
I created this key on my machine to get a positive return.
Ran inventory, got a hit on my machine.
This is where the positive return exists in machine detail.
Comments:
- Make sure it is a key you are doing the CIR against, not a value - SMal.tmcc 5 years ago
- Ahh that must be it! I'm looking for a VALUE. So that said, I still don't know what to do here. I can't use RegistryKeyExists. I also can't use RegistryValueReturn, because I don't want to return a value. I only want the inventory rule to show that the software is installed if there IS a value (that value changes often). Is there anything else I can use? - woody1878 5 years ago
- Why can't you use RegistryKeyExists? - chucksteel 5 years ago
- See other answer for value query - SMal.tmcc 5 years ago
- Because it does work for 1 (see original post), but secondly it's not a key I'm checking, it's that a value exists (pointed out by SMal.tmcc) - woody1878 5 years ago
- Did you see my comment about trying HKLM64? It does work, at least it does on my appliance.
  Does the software really only place one registry value on the machine? What about files? - chucksteel 5 years ago
- I've tried HKLM64, but since this is a value, RegistryKeyExists will always fail because it's looking for a key.
  The software does put files on the machine and I am checking those as well. But there is a state that exists when the package is "registered" vs "non registered". If that key value exists then it's "registered". I need the rule to only apply if it's registered. If not, I want it to re-deploy. So I am using other methods too, but there's no way I can see to just look and see if a key value is there. - woody1878 5 years ago
- You might be able to:
  Create your CIR using RegistryValueReturn.
  Create a smart label that applies to machines that have the software installed but don't have a value for the CIR. - chucksteel 5 years ago
A Custom Inventory Rule is not always seen as a value in the inventory.
The main function is to count software installs, so if you use a query which returns a BOOLEAN result (like RegistryKeyExists()), you can only see it in the Software Item.
If you want to have something as a CIR in the Inventory, you need to have a non-boolean return value.
Also, these results fill with a check-in of the affected machine and not with setting it up. - Nico_K 5 years ago
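The key-versus-value distinction and the 32-bit/64-bit view question from this thread, as an added PowerShell example that is not from any of the posters or from KACE: it checks whether a named value exists under a key without reading its data, in each registry view. The value name `SomeValue` is a placeholder (assumption); the key path is the stand-in used in the question.

```powershell
# Added example. 'SomeValue' is a placeholder value name (assumption);
# the key path is the stand-in used in the question.
function Test-RegistryValueExists {
    param(
        [Parameter(Mandatory)] [string] $SubKey,     # path under HKLM, no hive prefix
        [Parameter(Mandatory)] [string] $ValueName,
        [Microsoft.Win32.RegistryView] $View = [Microsoft.Win32.RegistryView]::Registry64
    )
    # OpenBaseKey pins the registry view explicitly, so the result does not
    # depend on whether the calling process is 32-bit or 64-bit.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)             # $null when the key is absent
        if ($null -eq $key) {
            return [pscustomobject]@{ View = $View; KeyExists = $false; ValueExists = $false }
        }
        try {
            # Only value names are listed; the data is never read, so a value
            # whose data changes often still gives a stable yes/no answer.
            $found = $key.GetValueNames() -contains $ValueName
            return [pscustomobject]@{ View = $View; KeyExists = $true; ValueExists = $found }
        }
        finally { $key.Dispose() }
    }
    finally { $base.Dispose() }
}

# Registry32 is the view that appears as SOFTWARE\Wow6432Node on 64-bit Windows.
foreach ($view in 'Registry64', 'Registry32') {
    Test-RegistryValueExists -SubKey 'SOFTWARE\SOMEKEY\SomeSubKey' -ValueName 'SomeValue' -View $view
}
```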