RegistryValueGreaterThan for Mozilla Firefox Returns False
We are using SMA1000 and are having issues with custom inventory rules working. Observe this query to detect a Firefox version key:
RegistryValueGreaterThan(HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox,(Default),64) OR
RegistryValueGreaterThan(HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox,(Default),64)
When running this custom rule, it always returns false. The value of (Default) is 65.0.2. Everything I am reading is saying this should work, but I am not sure why it is not - we are wondering if its the nested (Default) because the whole statement is in parenthesis or if the validation detection is not smart enough to detect build numbers (ie. 65.0.2 is greater than 64).
Has anyone run into this before or have any advice that we can try?
Answers (3)
Most likely you are querying the 32 bit part of the registry and that key does not exist there.
Before you do a comparison try just reg return value to see if you get anything. This will tell you at you are reading the key at all.
I think you need to read (HKLM64\...) and you will be fine
Comments:
-
Thanks for the reply!
Thats actually precisely why we have a OR switch - we check both the 32 and 64 bit locations. If one doesn't exist, wouldn't that be false by default for that key when it is checked or is "blank/null" interpreted differently?
If we run the statements independently they do work though on this front - we were just hoping to have the same inventory rule for 1 software catalog item instead of 2.
Any ideas if OR is not allowed under this condition? - macrospect 5 years ago-
because the client is 32 bit it has the sysnative problem so the top line will actually look at syswow try (HKLM64\SOFTWARE\Mozilla\Mozilla Firefox,(Default),64) - SMal.tmcc 5 years ago
-
I see - so in that case both would still be true on a 64-bit OS, but on a 32-bit it would be true/false, so the OR statement should still work in theory though, correct? I am assuming OR means either Statement1=True OR Statement2=True. - macrospect 5 years ago
-
you should be able to get away with:
(HKLM64\SOFTWARE\Mozilla\Mozilla Firefox,(Default),64)or(HKLM\SOFTWARE\Mozilla\Mozilla Firefox,(Default),64)
because on the 64 bit machine the first will return and the second will redirect to syswow due to the 32bit client. but the second will return on a 32bit machine correctly - SMal.tmcc 5 years ago
Thats what we were thinking, but when this command runs on a 32 or 64 bit os it always returns False (we can see it in the KUSER logs where it evaluates the statement):
RegistryValueGreaterThan(HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox,(Default),64) OR
RegistryValueGreaterThan(HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox,(Default),64)
Weird, right? We were thinking of opening a support ticket, but figured I would check here first to see if anyone had luck with this type of statement. :)
Comments:
-
it may not know how to read "Default" no matter where in the registry. When you do a reg export default shows as a "@", try using the @ over (default)
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox]
@="65.0.2"
"CurrentVersion"="65.0.2 (x64 en-US)" - SMal.tmcc 5 years ago-
That was a really good call (seriously) - I see what you mean if you export it. Unfortunately if I try either using 65 or 65.0.0 for the version, I am getting the same result. Here are some logs:
[2019-03-08.15:56:32][KDeploy:CDeployController::Execu] rule ID [36955] : issuing rule [RegistryValueGreaterThan(HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox,@,65.0.0) OR
RegistryValueGreaterThan(HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox,@,65.0.0);]
[2019-03-08.15:56:32][KDeploy:CDeployController::Execu] rule [36955] statement result: "", FALSE - macrospect 5 years ago-
I fight with this all the time. It's a pain.
try first to get any return, you may have to settle for a return and then create a filtered report on that CIR.
RegistryValueReturn(HKEY_LOCAL_MACHINE64\SOFTWARE\Mozilla\Mozilla Firefox, @, number)or RegistryValueReturn(HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox, @, number)
RegistryValueReturn(HKEY_LOCAL_MACHINE64\SOFTWARE\Mozilla\Mozilla Firefox, @, text)or RegistryValueReturn(HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox, @, text) - SMal.tmcc 5 years ago
It won't work because 65.0.2 isn't a number value, thus it can't be compared to a number. For comparing version "numbers" it is best to use smart labels that leverage the software information which the SMA has already collected.
See my answers on these posts for more information: