I realize it's not the solution asked for, but this is exceedingly easy with logmon and PowerShell:
# (home) get-itemproperty 'HKCU:\Software\Nimbus Software\NimBUS Manager' | select version
It will be great if this probe is developed.
Actually there is quite a simple command line available from Microsoft: reg query
Help on this command: reg query /?
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /s
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAUShutdownOption    REG_DWORD    0x0
    NoAUAsDefaultShutdownOption    REG_DWORD    0x0
    AUPowerManagement    REG_DWORD    0x1
    AutoInstallMinorUpdates    REG_DWORD    0x1
    IncludeRecommendedUpdates    REG_DWORD    0x1
    NoAutoRebootWithLoggedOnUsers    REG_DWORD    0x1
    RebootWarningTimeoutEnabled    REG_DWORD    0x1
    RebootWarningTimeout    REG_DWORD    0x5
    EnableFeaturedSoftware    REG_DWORD    0x1
    DetectionFrequencyEnabled    REG_DWORD    0x1
    DetectionFrequency    REG_DWORD    0x16
    RebootRelaunchTimeoutEnabled    REG_DWORD    0x1
    RebootRelaunchTimeout    REG_DWORD    0x3c
    RescheduleWaitTimeEnabled    REG_DWORD    0x1
    RescheduleWaitTime    REG_DWORD    0xf
    NoAutoUpdate    REG_DWORD    0x0
    AUOptions    REG_DWORD    0x3
    ScheduledInstallDay    REG_DWORD    0x0
    ScheduledInstallTime    REG_DWORD    0xa
    UseWUServer    REG_DWORD    0x1
which is quite easy to parse in any common language.
Since the return from this is multi-line, can the logmon probe parse each line and match on a particular line entry? How would you check if, say, the "AUOptions" value was not equal to "0x3"?
I would set logmon to run the command.
Then I would set the regex match to match the line, such as AUOptions.
Then create a variable for the third column and set it to not equal 0x3.
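The parse-and-compare step described in the two posts above, written out as an added PowerShell example (not code from the thread or from the logmon probe). It turns the text that reg query prints into objects, then checks the AUOptions value against the expected 0x3. The sample output below is constructed (an abbreviated copy of the reg query listing posted earlier); in use, pipe the real reg query output into ConvertFrom-RegQuery instead. Function names and the four-space column layout are assumptions.

```powershell
# Constructed sample of what "reg query HKLM\...\WindowsUpdate\AU /s" prints.
# In practice, replace this with the live command output (see usage note).
$sampleOutput = @'

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x0
    AUOptions    REG_DWORD    0x3
    ScheduledInstallDay    REG_DWORD    0x0
    UseWUServer    REG_DWORD    0x1

'@ -split "`r?`n"

function ConvertFrom-RegQuery {
    # Parses reg query text: a key line (starts with HKEY_) sets the current
    # key; each indented "Name  Type  Data" line becomes one object.
    # Assumption: value names contain no spaces (true for the AU policy values).
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string[]]$Line)
    begin { $key = $null }
    process {
        foreach ($l in $Line) {
            if ($l -match '^(HKEY_[A-Z_]+\\.*)$') { $key = $Matches[1]; continue }
            if ($l -match '^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$') {
                [pscustomobject]@{
                    Key  = $key
                    Name = $Matches[1]
                    Type = $Matches[2]
                    Data = $Matches[3].Trim()
                }
            }
        }
    }
}

function Test-AUOptions {
    # Returns a one-line status suitable for a monitoring alarm message.
    # A missing value is reported separately from a wrong value, because a
    # key that no longer exists is itself worth alerting on.
    param(
        [Parameter(Mandatory)][string[]]$RegQueryOutput,
        [string]$Expected = '0x3'
    )
    $v = $RegQueryOutput | ConvertFrom-RegQuery | Where-Object Name -eq 'AUOptions'
    if (-not $v) { return 'AUOptions: value not found' }
    # reg query prints DWORDs as hex text, so compare as strings exactly as
    # the thread does; use [int]$v.Data for a numeric comparison instead.
    if ($v.Data -ne $Expected) { return "AUOptions is $($v.Data), expected $Expected" }
    return "AUOptions OK ($Expected)"
}

# Run against the constructed sample:
Test-AUOptions -RegQueryOutput $sampleOutput
```

Against live data the call becomes `Test-AUOptions -RegQueryOutput (reg query "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /s)`, since PowerShell hands reg query's output to the function one line per string. If you keep the logmon regex approach instead of scripting it, the equivalent match for the AUOptions line is `^\s*AUOptions\s+REG_DWORD\s+(\S+)`, with the capture group giving the third column that the comparison runs on.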
I'm trying to set this up but it's not that easy. So for a test I created a Test1 reg entry in the Nimbus Software tree:
and its value was set to test1001.
From a command line, using the command above we can get the value, but since there's a space in "Nimbus Software" we have to throw "" around the whole reg key address:
But now in the logmon profile I set up I have it set to mode: command, and in the command box I am trying to run:
REG QUERY "HKEY_CURRENT_USER\Software\Nimbus Software" /v Test1
but from the logs I see the reg command doesn't like this for some reason:
I tried all combinations of adding quotes, single quotes, escape characters, but nothing's working. Any ideas?
I also tried a different reg-ex address that doesn't have a space in it and the same issue occurs in the logs.
Looks like an issue with the command and the latest version. Even a batch file does not work.
I think any command that takes command line arguments might be affected. I am looking into this further.
I tried v3.91 and v3.90 and same results as well.
For the command line text I tried:
cmd /c REG QUERY "HKEY_CURRENT_USER\Software\Nimbus Software" /v Test1
start /w REG QUERY "HKEY_CURRENT_USER\Software\Nimbus Software" /v Test1
Jun 14 11:01:46:403  logmon: [RegistryCheck] start scanning 'cmd /c REG QUERY "HKEY_CURRENT_USER\Software\Nimbus Software" /v Test1'
Jun 14 11:01:46:403  logmon: [RegistryCheck] storing file-stats as 'RegistryCheck'
Jun 14 11:01:46:406  logmon: lgm: Read from COMMAND
Jun 14 11:01:46:507  logmon: lgm: read the line from cmd:[ERROR: The system was unable to find the specified registry key or value.]
Any update here or should I open a case to track this officially?
WOW, I really am getting slow in my old age... HKEY_CURRENT_USER is using the currently logged-in account. The probe runs as SYSTEM and does not have an HKEY_CURRENT_USER registry context.
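The root cause in the post above is execution context: a service running as SYSTEM sees its own HKCU, not the console user's. This added PowerShell example (not from the thread or the probe) shows how to confirm which account a command is running as and how to read a specific user's value through HKEY_USERS\<SID> instead of HKCU. The function name, the parameter values and the 'DOMAIN\alice' placeholder are assumptions; the key and value name are the ones from the thread.

```powershell
# Which identity is this running as? Under the probe this prints the SYSTEM
# account, which explains why "HKCU:\Software\Nimbus Software" is not found.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running as $me; HKCU: belongs to this account, not to the console user"

function Get-UserRegistryValue {
    # Reads a value from a named user's hive via HKEY_USERS\<SID>.
    # Assumption: the user's profile hive is loaded (the user is logged on);
    # otherwise HKU\<SID> does not exist and we fail with a clear message
    # instead of the bare "unable to find the specified registry key" error.
    param(
        [Parameter(Mandatory)][string]$User,    # e.g. 'DOMAIN\alice' (placeholder)
        [Parameter(Mandatory)][string]$SubKey,  # e.g. 'Software\Nimbus Software'
        [Parameter(Mandatory)][string]$Name     # e.g. 'Test1'
    )
    # Translate the account name to its SID, which is how HKEY_USERS is keyed.
    $sid = ([System.Security.Principal.NTAccount]$User).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $path = "Registry::HKEY_USERS\$sid\$SubKey"
    if (-not (Test-Path -LiteralPath $path)) {
        throw "Hive for $User ($sid) is not loaded or key is missing: $path"
    }
    # -LiteralPath avoids wildcard interpretation; the space in the key
    # name is no problem for the provider path.
    (Get-ItemProperty -LiteralPath $path -Name $Name).$Name
}

# Example call (placeholder user); expected to return 'test1001' on the
# thread's test machine once that user is logged on.
Get-UserRegistryValue -User 'DOMAIN\alice' -SubKey 'Software\Nimbus Software' -Name 'Test1'
```

The same lookup with reg.exe, which is what logmon's command mode actually runs, is `reg query "HKU\<SID>\Software\Nimbus Software" /v Test1`; the quotes around the key are still needed because of the space. If the monitoring target is really a per-machine setting, HKLM is the safer place to keep it, since it exists in every account's context.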
I received this from dev:
This is not a probe issue.
I tested this in my lab and it worked as well..... I think I was on vacation too long and lost some brain cells