32bit vs 64bit Registry Operations

  • 5 October 2020
  • 1 reply
  • 280 views

Userlevel 4
Badge

I faced issues using a worklet to extract information out of the 64-bit registry hive. The issue is due to Crowdstrike detecting this as malicious activity (I followed the steps here: https://support.automox.com/help/enforce-windows-registry-settings-worklet).


For those who face the same issue, you can use the sample code below to read the 64-bit registry. Make adjustments are required. The sample code below reads HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun\Configuration and returns the registry key called “Platform” to detect the bitness of version of Office installed.



$key = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)

$subKey = $key.OpenSubKey(“SOFTWARE\Microsoft\Office\ClickToRun\Configuration”)

$root = $subKey.GetValue(“Platform”)

Write-Output “Office bitness: $root”



1 reply

Thanks, this fixed my issue where Get-ItemProperty was empty !

Reply