Scripting Question

Get Registry Value for Reboot Required -- cannot seem to get registry value as SYSTEM ?

05/11/2016 1861 views

I had earlier posted a question regarding using Custom Inventory Rules to look for the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

I have tried to get this through CIR, and also by scripting using the reg query command, however I am not able to get it.  It seems like the KACE agent runs the script and tries to get the registry value in CIR as SYSTEM, and SYSTEM is not able to read this key.  I do not want to have to run this script as logged-on user because this would not cover computers that are logged in through Remote Desktop.  Is there some way we can get SYSTEM to query the registry key above?  I have tried using some VBS and Powershell script for the script process to call upon to query the registry key, but I have not been able to get it to work.  As SYSTEM, when it tries to query that key, it thinks that the key does not exist.  

Has anyone had an issue like this and how can we get around this?

0 Comments   [ + ] Show comments


All Answers

You might want to use this simple Powershell script. It doesn't depend on a registry read, it uses a WMI query instead, and can take textfile input to get state for multiple remote computers.
Answered 05/17/2016 by: grayhat64
White Belt

This content is currently hidden from public view.
Reason: Removed by member request For more information, visit our FAQ's.

Sounds like a permissions problem. However, have you checked that the process doing the checking is not a 32 bit process, as it would then be looking at HKLM/Software/Wow6432Node, where of course the last valid key would be HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion.

So check whether your program can "see" the WOW6432Node key, as if it cannot, you are running in 32 bit mode.

Answered 05/20/2016 by: EdT
Red Belt

Weird, SYSTEM has full access to key on my Windows 10 machine. Haven't tried to query it though. Will test it out when Im at work as SYSTEM and get back to you.
Answered 05/11/2016 by: rileyz
Red Belt

  • I can see SYSTEM does have access to registry keys, however it seems it is just not able to query that RebootRequired key. Also, I am doing this on Windows 7.
    • No time to test sorry, but download this tool and launch cmd - it should launch cmd as SYSTEM, check with whoami.


      You should be able to test from there hopefully.
      • Hi, thanks for the tool. This was exactly the type of tool I was looking for to be able to test this. In any case, I have used the tool and I can confirm that as SYSTEM, I am not able to query starting at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate. I ran regedit in the RunAsSystem console and that regedit does not see WindowsUpdate in the CurrentVersion key.
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ