
Get Registry Value for Reboot Required -- cannot seem to get registry value as SYSTEM ?

Hi

I had earlier posted a question regarding using Custom Inventory Rules to look for the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

I have tried to get this through CIR, and also by scripting using the reg query command, however I am not able to get it. It seems like the KACE agent runs the script and tries to get the registry value in CIR as SYSTEM, and SYSTEM is not able to read this key. I do not want to have to run this script as the logged-on user because this would not cover computers that are logged in through Remote Desktop. Is there some way we can get SYSTEM to query the registry key above? I have tried using some VBS and PowerShell scripts for the script process to call upon to query the registry key, but I have not been able to get it to work. As SYSTEM, when it tries to query that key, it thinks that the key does not exist.

Has anyone had an issue like this and how can we get around this?



Answers (3)

Posted by: grayhat64 4 years ago
White Belt
0
You might want to use this simple PowerShell script. It doesn't depend on a registry read, it uses a WMI query instead, and can take textfile input to get state for multiple remote computers.

Posted by: EdT 4 years ago
Red Belt
0

Sounds like a permissions problem. However, have you checked that the process doing the checking is not a 32 bit process, as it would then be looking at HKLM/Software/Wow6432Node, where of course the last valid key would be HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion.

So check whether your program can "see" the WOW6432Node key, as if it cannot, you are running in 32 bit mode.
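
The 32-bit versus 64-bit check described in this answer, as an added PowerShell example that is not part of the original thread. It assumes PowerShell 3.0 or later on .NET 4 (needed for `RegistryView`); the function name `Test-RegistryKeyInView` is made up for illustration.

```powershell
# Added example: look for the RebootRequired key in both registry views and
# report the bitness and identity of the process doing the check.
# Assumes PowerShell 3.0+ / .NET 4, which provide RegistryView and Is64BitProcess.
$subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

function Test-RegistryKeyInView {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][Microsoft.Win32.RegistryView]$View
    )
    # Open HKLM in an explicit view so WOW64 redirection cannot pick one for us.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($Path)   # $null when the key is absent in this view
        if ($null -ne $key) {
            $key.Close()
            return $true
        }
        return $false
    }
    finally {
        $base.Close()
    }
}

[pscustomobject]@{
    RunningAs        = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    Is64BitOS        = [Environment]::Is64BitOperatingSystem
    Is64BitProcess   = [Environment]::Is64BitProcess
    RebootRequired64 = Test-RegistryKeyInView -Path $subKey -View Registry64
    RebootRequired32 = Test-RegistryKeyInView -Path $subKey -View Registry32
} | Format-List
```

Run it in the same context the agent uses: `True` for the 64-bit view and `False` for the 32-bit view, with `Is64BitProcess` reporting `False`, points to WOW64 redirection rather than permissions. The key exists only while a reboot is pending, so test on a machine in that state.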

Posted by: rileyz 4 years ago
Red Belt
0
Weird, SYSTEM has full access to the key on my Windows 10 machine. Haven't tried to query it though. Will test it out when I'm at work as SYSTEM and get back to you.

Comments:
  • I can see SYSTEM does have access to registry keys, however it seems it is just not able to query that RebootRequired key. Also, I am doing this on Windows 7. - tuyen 4 years ago
    • No time to test sorry, but download this tool and launch cmd - it should launch cmd as SYSTEM, check with whoami.

      https://www.apreltech.com/Free

      You should be able to test from there hopefully. - rileyz 4 years ago
      • Hi, thanks for the tool. This was exactly the type of tool I was looking for to be able to test this. In any case, I have used the tool and I can confirm that as SYSTEM, I am not able to query starting at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate. I ran regedit in the RunAsSystem console and that regedit does not see WindowsUpdate in the CurrentVersion key. - tuyen 4 years ago
 