Topic
  • 5 replies
  • Latest Post - ‏2014-04-26T13:49:06Z by jgstew
jdefilip
19 Posts

Pinned topic Relevance clause for registry

‏2014-04-23T14:44:32Z |

Hi,

I'm trying to build an analysis that reports the registry keys in HKEY_CURRENT_USER\Software\ODBC\ODBC.INI.

q: (names of it, it) of key of key "HKEY_CURRENT_USER\SOFTWARE\ODBC\ODBC.INI" of registry

a: ODBC File DSN, HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC File DSN

Please advise where I am making a mistake.

Thanks.

 

 

  • TomásQuintanilla
    TomásQuintanilla
    5 Posts
    ACCEPTED ANSWER

    Re: Relevance clause for registry

    ‏2014-04-23T15:19:16Z  

    Hi,

    I think you could change the first 'key' to 'keys':

     

    q: (names of it, it) of keys of key "HKEY_CURRENT_USER\SOFTWARE\ODBC\ODBC.INI" of registry

    A: dBASE Files, HKEY_CURRENT_USER\SOFTWARE\ODBC\ODBC.INI\dBASE Files

    A: Excel Files, HKEY_CURRENT_USER\SOFTWARE\ODBC\ODBC.INI\Excel Files

    A: MS Access Database, HKEY_CURRENT_USER\SOFTWARE\ODBC\ODBC.INI\MS Access Database

    A: ODBC Data Sources, HKEY_CURRENT_USER\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources

    T: 0.127 ms

    I: plural ( string, registry key )

     

    Regards.

  • jdefilip
    jdefilip
    19 Posts

    Re: Relevance clause for registry

    ‏2014-04-23T16:22:21Z  

     Thanks Tomas!

  • Tim.Rice
    Tim.Rice
    79 Posts

    Re: Relevance clause for registry

    ‏2014-04-23T19:05:52Z  

    Be careful trying to query the HKEY_CURRENT_USER hive in the Windows Registry.  Don't forget that when the IEM/TEM client executes the query, it's going to refer to the LocalSystem element.  The HKEY_CURRENT_USER branch is really an Alias that points to the HKEY_USERS hive branch associated with the SID for the currently logged in user.

    It will query just fine in the Fixlet Debugger, but the BES Client will usually return a different result, if it can return one at all.  In this case I don't think it makes much difference.  I get the same result running it either way.  You can get an idea of what will really be returned by changing how the Client Debugger evaluates the clauses, either itself or by handing them off to the Local Client on the machine and waiting for the results to pass back.  You can switch back and forth using the DEBUG | EVALUATE USING menus in the Fixlet Debugger.

     

  • TomásQuintanilla
    TomásQuintanilla
    5 Posts

    Re: Relevance clause for registry

    ‏2014-04-24T07:49:55Z  

    You are right, Tim. When I have to do this type of query in a task relevance or in action script, I use this way and check the option "Run when at least one of the selected users is logged on, and only display the user interface to those users" in the Users tab when taking action:

    q: (names of it, it) of keys of key ("HKEY_USERS\" & component string of sid of security account (name of logged on users) & "\SOFTWARE\ODBC\ODBC.INI") of registry

    A: dBASE Files, HKEY_USERS\S-1-5-21-3521556863-2430161068-2134602639-1214\SOFTWARE\ODBC\ODBC.INI\dBASE Files

    A: Excel Files, HKEY_USERS\S-1-5-21-3521556863-2430161068-2134602639-1214\SOFTWARE\ODBC\ODBC.INI\Excel Files

    A: MS Access Database, HKEY_USERS\S-1-5-21-3521556863-2430161068-2134602639-1214\SOFTWARE\ODBC\ODBC.INI\MS Access Database

    A: ODBC Data Sources, HKEY_USERS\S-1-5-21-3521556863-2430161068-2134602639-1214\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources

    A: Visio Database Samples, HKEY_USERS\S-1-5-21-3521556863-2430161068-2134602639-1214\SOFTWARE\ODBC\ODBC.INI\Visio Database Samples

    T: 1.205 ms

    I: plural ( string, registry key )

     

    In action script:

     

    "HKEY_USERS\{component string of sid of security account (name of logged on users)}\SOFTWARE\ODBC\ODBC.INI"

     

    Regards

     

  • jgstew
    jgstew
    410 Posts

    Re: Relevance clause for registry

    ‏2014-04-26T13:49:06Z  

    You can query ALL of the HKEY_USERS keys, but you cannot query the current user one through IEM so easily.

     

    See this example:

    http://bigfix.me/analysis/details/2994643

    All Users Run key - 

    ( (unique values of (it as string) of values whose(it as string as trimmed string != "") of keys "Software\Microsoft\Windows\CurrentVersion\Run" of keys whose(exists key "Software\Microsoft\Windows\CurrentVersion\Run" of it) of key "HKEY_USERS" of registry) )
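
An added example, not written by any poster in this thread: run on one endpoint, it shows the effect Tim.Rice describes and the all-users approach jgstew links to. It prints which HKEY_USERS hive HKEY_CURRENT_USER normally resolves to for the running account, then lists the ODBC.INI subkeys of every loaded user hive. The function name Get-LoadedUserOdbcKeys is hypothetical; the registry path is the one from the thread.

```powershell
# Added example (not from the thread). Get-LoadedUserOdbcKeys is a hypothetical name.
# Lists the subkeys of SOFTWARE\ODBC\ODBC.INI for every user hive loaded under
# HKEY_USERS, so the result does not depend on whose HKEY_CURRENT_USER is in effect.
function Get-LoadedUserOdbcKeys {
    param([string]$SubPath = 'SOFTWARE\ODBC\ODBC.INI')

    $hku = [Microsoft.Win32.Registry]::Users
    foreach ($sid in $hku.GetSubKeyNames()) {
        # Keep plain SIDs only; skips .DEFAULT and the <SID>_Classes hives.
        if ($sid -notmatch '^S-1-5-\d+(-\d+)*$') { continue }

        $key = $hku.OpenSubKey("$sid\$SubPath")
        if ($null -eq $key) { continue }      # this profile has no ODBC.INI key

        # Resolve the SID to an account name; this can fail for deleted accounts.
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        foreach ($name in $key.GetSubKeyNames()) {
            [pscustomobject]@{
                Account = $account
                Sid     = $sid
                Key     = "HKEY_USERS\$sid\$SubPath\$name"
            }
        }
        $key.Close()
    }
}

# Show which account this process runs as. Run from a user session this is the
# user's SID; run as LocalSystem (as the client does) it is S-1-5-18.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
'Running as {0}; HKEY_CURRENT_USER normally maps to HKEY_USERS\{1}' -f $me.Name, $me.User.Value

# Only hives that are currently loaded (logged-on users, service accounts)
# appear under HKEY_USERS; profiles of logged-off users are not listed.
Get-LoadedUserOdbcKeys | Format-Table -AutoSize
```

Comparing the output from an interactive user prompt with the output from a LocalSystem context makes the difference between the Fixlet Debugger and the client result visible on a single machine.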