10/30/2019 228 views

I have been working with Quest support on this, and basically they are saying it's not supported to assist with custom inventory rules (*sigh*).  So here I am, seeing if anyone can assist.

I am using a Custom inventory rule with RegKeyExists (and have tried ShellCommandReturn), and no matter what I do it does not show the software as installed per the rule.

All systems are Windows 10, 64-bit.  I am aware that KACE does weird things with reading a 64-bit reg key, but I have tried this in every way I can imagine.  It still returns nothing on any of my systems:

RegistryKeyExists(HKEY_LOCAL_MACHINE64\SOFTWARE\SOMEKEY\SomeSubKey)

RegistryKeyExists(HKEY_LOCAL_MACHINE\SOFTWARE\SOMEKEY\SomeSubKey)

RegistryKeyExists(HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SOMEKEY\SomeSubKey)

ShellCommandTextReturn("c:\windows\sysnative\reg.exe query HKLM64\SOFTWARE\SOMEKEY\SomeSubKey")

ShellCommandTextReturn("c:\windows\sysnative\reg.exe query HKLM\SOFTWARE\SOMEKEY\SomeSubKey")

ShellCommandTextReturn(reg query "HKEY_LOCAL_MACHINE64\SOFTWARE\SOMEKEY\SomeSubKey")

ShellCommandTextReturn(reg query "HKEY_LOCAL_MACHINE\SOFTWARE\SOMEKEY\SomeSubKey")


Any ideas what I'm doing wrong?  Thanks in advance.




Comments

  • I use HKLM64 as the base for 64-bit issues. Have you tried using RegistryValueReturn to see if you can query a value?
  • It works fine, but keep in mind:
    a Custom Inventory Rule is not always seen as a value in the inventory.
    The main function is to count software installs, so if you use a query which returns a BOOLEAN result (like RegistryKeyExists()) you can only see it in the Software item.
    If you want to have something as a CIR in the Inventory you need to have a non-boolean return value.
    Also, these results are filled in at check-in of the affected machine, not when the rule is set up.


Community Chosen Answer

Answered 10/31/2019 by: SMal.tmcc
Red Belt

All Answers


The function works fine, but it does not show as a CIR; it shows as an installed program.

See this blog for the proper verbiage to read the keys:

https://www.itninja.com/blog/view/emotet-returns-from-summer-vacation-ramps-up-stolen-email-tactic-identifying-the-infected-machines-detect-files-created-by-trojan-emotet-using-cirs

Here is a report on CIRs from my admin org; note the wording used to look for a registry key.

I created this key on my machine to get a positive return.

Ran inventory and got a hit on my machine.

This is where the positive return exists in machine detail.
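The root cause behind the thread's trouble is WOW64 registry redirection: a 32-bit process asking for HKLM\SOFTWARE is silently pointed at HKLM\SOFTWARE\Wow6432Node, so a rule written for one view never matches a key living in the other. The following PowerShell script is an added example, not code from the thread or from Quest/KACE: run it on an affected endpoint to see which view actually holds the key before writing the rule. The SubKey path is an assumed placeholder, and the CIR expressions it prints use the HKLM64 base the commenter reports working.

```powershell
# Added example (not from the thread): check whether a key exists in the
# 64-bit and the 32-bit (WOW64-redirected) views of HKLM on a 64-bit host.
# $SubKey is an assumed placeholder path; substitute the real one.
param(
    [string]$SubKey = 'SOFTWARE\SOMEKEY\SomeSubKey'
)

function Test-RegistryKeyInView {
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][Microsoft.Win32.RegistryView]$View
    )
    # OpenBaseKey with an explicit view bypasses WOW64 redirection, which is
    # what turns HKLM\SOFTWARE into HKLM\SOFTWARE\Wow6432Node for a 32-bit process.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    } finally {
        $base.Close()
    }
}

# Knowing the process bitness explains why unqualified HKLM paths behave differently
# from inside a 32-bit agent than from a 64-bit shell.
Write-Host "64-bit OS: $([Environment]::Is64BitOperatingSystem)  64-bit process: $([Environment]::Is64BitProcess)"

$in64 = Test-RegistryKeyInView -SubKey $SubKey -View ([Microsoft.Win32.RegistryView]::Registry64)
$in32 = Test-RegistryKeyInView -SubKey $SubKey -View ([Microsoft.Win32.RegistryView]::Registry32)
Write-Host "HKLM\$SubKey in 64-bit view: $in64"
Write-Host "HKLM\$SubKey in 32-bit view: $in32"

# Print a CIR expression targeting the view where the key actually lives.
# HKLM64 is the base the thread's commenter uses; the Wow6432Node form addresses
# the 32-bit view explicitly.
if ($in64) {
    Write-Host "CIR: RegistryKeyExists(HKLM64\$SubKey)"
} elseif ($in32) {
    $wow = $SubKey -replace '^SOFTWARE\\', ''
    Write-Host "CIR: RegistryKeyExists(HKLM\SOFTWARE\Wow6432Node\$wow)"
} else {
    Write-Host "Key not found in either view; no CIR can match on this host."
}
```

Remember from the comments that a RegistryKeyExists() rule only surfaces under the Software item after the machine checks in; use RegistryValueReturn() if you need a value visible in the machine's inventory detail.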