Question

retaining registry key with hostname

  • 18 April 2023
  • 8 replies
  • 315 views


Good morning,

 

We direly need your assistance, and this is really time sensitive as it deals with our Antivirus software (CrowdStrike).  In a nutshell, we have CrowdStrike installed on our environment, but it is managed by parent corporate Sec Ops team.  Just recently they reported not seeing 484 Hosts on the console, and needed us to remediate the issue.  As per their team, to remediate we would need a special key from the registry per host, and provide those keys to Sec Ops team.  They will then provide a token key to uninstall CrowdStrike.  Then installation would be via Automox, which we have already scripted and available.

 

Our issue is scripting an API that could pull registry entries from all of our hosts along with the hostname, and putting them on a table format.  If there is any help you can provide in creating the API script it would be helpful.


8 replies


Hey @Deepan.bala! We would love to learn more about what you are trying to accomplish and how we can help. I am going to have our Customer Success team reach out.
 

Looking at what you are trying to accomplish, it sounds like you want a report of devices that do or don’t meet certain criteria based on a registry check for windows devices within your environment. One way to accomplish this is to schedule or manually run a worklet against a target list of devices and write output to stdout so that it displays in the Activity Log. Once you completed the manual run of the worklet, you can filter by policy within the activity log and export to CSV.


Hello @BenG-Automox What we are trying to accomplish is to get a particular Registry Key from:

 

Path: HKLM\System\CurrentControlSet\services\CSAgent\Sim

And there is a particular key we need from every host we have in an excel file.  And if we can get a script to output the key along with the hostname, it would be great so that we can put that into a CSV file for reporting.


Hi @Deepan.bala!

 

Here is a Worklet you can use for retrieving a value from the CSAgent\Sim registry hive.

 

Evaluation Code:

<#
.SYNOPSIS
Windows - Security - Detect CSAgent Registry Key
.DESCRIPTION
Determine if a registry key for the Crowdstrike Agent exists.
If found, flag the device for remediation to retrieve the key value.
If not found, exit the Worklet Evaluation.

.USAGE
Complete the $regPath and $regName variables

.EXAMPLE
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Sim'
$regName = 'CU'

.NOTES
Author: John Guarracino
Date: April 19, 2023
#>

#Pre-Defined registry key
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Sim'

#Pre-Defined registry value
$regName = 'CU'

$exists = (Get-ItemProperty -Path "$regPath" -Name "$regName" -ErrorAction SilentlyContinue).$regName

If ($exists)
{
Write-Output "The registry key was found. Flagging for remediation to determine the key's value."
Exit 1
}

Else
{
Write-Output "The registry value was not found. Now exiting."
Exit 0
}

 

Remediation Code:

<#
.SYNOPSIS
Windows - Security - Detect CSAgent Registry Key
.DESCRIPTION
Determine if a registry key for the Crowdstrike Agent exists.
If found, convert the value from binary to plain text
and output the string to the Automox Activity Log.

.USAGE
Complete the $regPath and $regName variables

.EXAMPLE
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Sim'
$regName = 'CU'

.NOTES
Author: John Guarracino
Date: April 19, 2023
#>

#Pre-Defined registry key
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Sim'

#Pre-Defined registry value
$regName = 'CU'

#Returns $null (without an error) if either the key or the value is missing
$exists = (Get-ItemProperty -Path "$regPath" -Name "$regName" -ErrorAction SilentlyContinue).$regName

If ($exists)
{
#Convert the REG_BINARY byte array to a hex string (e.g. 41-42-43) only after
#confirming it is present; calling BitConverter on $null would throw
$binary = [System.BitConverter]::ToString($exists)
Write-Output "$binary"
Exit 0
}

Else
{
Write-Output "The registry value was not found."
Exit 0
}

 

I pre-populated the $regPath and $regName variables based on your last comment, but feel free to set them according to your needs.  In my code currently, we are searching for the ‘CU’ value under CSAgent\Sim, but that can be changed to whatever value you’d like.

 

The Worklet Evaluation Code will then check to see if the CSAgent\Sim key is present.  If not found, it will end the script run. If found, it will schedule the Remediation Code to run. 

Note: If you are not intending on using a schedule with this worklet, you can run it manually against a device. 

 

The Remediation Code will then capture the value of the $regName variable, convert it from a binary value to a readable string, and output it to your Automox Activity Log.

You can then sort the Activity Log by the Worklet name, and export the report to a CSV:


The resultant CSV will include the Device’s Host name, and the CSAgent value will be found under the Details Column:

 

I hope this helps!  Let me know if you have any questions.

 

Have a great day!
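As an added example (not part of the Worklet above and not Automox's own code), here is a variant of the remediation step that writes one CSV row per host, hostname included, so the Activity Log export is already in table form. It reuses the CSAgent\Sim path and the 'CU' value name from this thread; the function name and the handling of non-binary value types are assumptions of this example.

```powershell
<#
Added example, not the Worklet above: read one registry value and emit
a single CSV row (hostname, path, name, kind, value) for the Activity Log.
#>
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Sim'
$regName = 'CU'

function Get-RegistryValueRow {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    # Default row: a missing key or value is reported, not treated as a failure
    $row = [pscustomobject]@{
        Hostname = $env:COMPUTERNAME
        Path     = $Path
        Name     = $Name
        Kind     = 'Missing'
        Value    = ''
    }
    # -Name on a missing value raises only a non-terminating error, so
    # SilentlyContinue leaves $item as $null for both missing key and value
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $row }
    $raw = $item.$Name

    # Use if/elseif rather than switch: switch would iterate a byte[] element by element
    if ($raw -is [byte[]]) {
        # REG_BINARY: contiguous hex survives CSV/Excel without being
        # reinterpreted as a number or date
        $row.Kind  = 'Binary'
        $row.Value = ([System.BitConverter]::ToString($raw)) -replace '-', ''
    }
    elseif ($raw -is [int] -or $raw -is [long]) {
        # REG_DWORD / REG_QWORD
        $row.Kind  = 'Number'
        $row.Value = [string]$raw
    }
    else {
        # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ (joined by PowerShell's default separator)
        $row.Kind  = 'String'
        $row.Value = [string]$raw
    }
    return $row
}

# Emit the data row only; the Activity Log export already carries the device name
Get-RegistryValueRow -Path $regPath -Name $regName |
    ConvertTo-Csv -NoTypeInformation | Select-Object -Skip 1
Exit 0
```

Because the row always includes the hostname, concatenating the exported Details column from every device yields the table the original question asked for, with "Missing" rows pointing at hosts where the agent key is absent.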


Thank you so much John!  You’re a rockstar! 

Yes it works as intended. I just ran it on a single machine with the required Key I am looking for, and it provides exactly what we need. 

This is a useful policy to get registry key for any other information we need!  Are you able to add this to the WorkLet Catalog?


Hey Deepan,

 

Glad to hear that worked for you!

 

And right you are!  You could change out the $regPath and $regName variables to potentially get any other registry values that you may need.

 

I will work with the team to get this published in the Worklet Catalog. 😀

 

Have a great day!


Hey John

Are we able to use Device Tagging, and get the keys from a set Device Tagged PCs?


Hi Deepan,

 

You most certainly can use Tags in tandem with Device Targeting to filter the scope of the worklet run!

 

You’ll want to tag your devices in bulk first.

 

You then can enable device targeting on the Worklet, and select the tag that you just created.

 

Note, device targeting works by searching inside the associated group for devices that meet the filtered criteria. With that being said, you’ll want to make sure that you have all appropriate groups assigned to the Worklet.  The Preview Impacted Device button is a quick way to ensure that you have all of your desired devices in scope.

 

Have a great day!


Thanks for the quick reply John, and I tried the Device Targeting with assigned host machines, but for some reason it is not running on those machines.  I will try it again.
