Skip to main content
Question

Query Endpoint for Registry Value

  • May 1, 2023
  • 3 replies
  • 310 views
S
Forum|alt.badge.img

Is it possible to run a worklet that will query a device looking for a specific registry key?

    3 replies

    JohnG-Automox
    Forum|alt.badge.img
    • JohnG-Automox
    • Automox Employee
    • May 3, 2023

    Hi @srheins !

     

    This is a great use case of a worklet!

     


    Here’s an example of a simple worklet that checks for a registry key. If the key is not found during the evaluation run, the device is compliant and no further actions will be triggered. If the key is found, the device will be flagged for remediation and the key values will be output to the Automox Activity Log. 

     

    The $regPath and $regName variables should be changed in both the Evaluation and Remediation code to target the specific registry key that you are looking for.

    Evaluation Code:

    <#
    .SYNOPSIS
        Windows - Security - Detect Registry Key
    .DESCRIPTION
    	Determine if a registry key exists.
        If found, flag the device for remediation to retrieve the key value.
        If not found, exit the Worklet Evaluation.

    .USAGE
        Complete the $regPath and $regName variables

    .EXAMPLE
        $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        $regName = 'fDenyTSConnections'

    .NOTES
        Author: John Guarracino
        Date: May 3, 2023
    #>

    #Pre-Defined registry key
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    #Pre-Defined registry value
    $regName = 'fDenyTSConnections'

    $exists = (Get-ItemProperty -Path "$regPath" -Name "$regName" -ErrorAction SilentlyContinue).$regName

    If ($exists)
    {
    	Write-Output "The registry key was found. Flagging for remediation to determine the key's value."
    	Exit 1
    }

    Else
    {
    	Write-Output "The registry value was not found. Now exiting."
    	Exit 0
    }

     

    Remediation Code:

    <#
    .SYNOPSIS
        Windows - Security - Detect Registry Key
    .DESCRIPTION
    	Determine if a registry key exists.
        If found, output the key values to the Automox Activity Log.

    .USAGE
        Complete the $regPath and $regName variables

    .EXAMPLE
        $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        $regName = 'fDenyTSConnections'

    .NOTES
        Author: John Guarracino
        Date: May 3, 2023
    #>

    #Pre-Defined registry key
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    #Pre-Defined registry value
    $regName = 'fDenyTSConnections'

    $exists = (Get-ItemProperty -Path "$regPath" -Name "$regName" -ErrorAction SilentlyContinue)

    If ($exists)
    {
    	Write-Output "The registry key was found:"
    	Write-Output ($exists | Format-List)
    	Exit 0
    }

    Else
    {
    	Write-Output "The registry value was not found."
    	Exit 0
    }

     

    Note, there is a small caveat with this worklet.  Since Automox runs as SYSTEM, in the worklet’s current form it won’t be able to check for keys in the HKCU hives.  We do have a workaround for this though, so if this worklet doesn’t give you what you’re looking for, let me know the registry path and name and I’ll see what I can put together.

     

    I hope this helps!

     

    Have a great day!

    S
    Forum|alt.badge.img
    • srheins
    • Author
    • Pro
    • May 3, 2023

    Thank you for getting back to me.  I’ll test the script and let you know how it works.

    S
    Forum|alt.badge.img
    • srheins
    • Author
    • Pro
    • July 18, 2023

    This worked out great for me

    Terms & ConditionsCookie settingsAccessibility statement