We direly need your assistance, and this is really time sensitive as it deals with our antivirus software (CrowdStrike). In a nutshell, we have CrowdStrike installed in our environment, but it is managed by the parent corporate SecOps team. Just recently they reported not seeing 484 hosts on the console, and needed us to remediate the issue. As per their team, to remediate we would need a special key from the registry per host, and provide those keys to the SecOps team. They will then provide a token key to uninstall CrowdStrike. Then installation would be via Automox, which we have already scripted and available.
Our issue is scripting an API that could pull registry entries from all of our hosts along with the hostname, and putting them in a table format. If there is any help you can provide in creating the API script, it would be helpful.
Hey @Deepan.bala! We would love to learn more about what you are trying to accomplish and how we can help. I am going to have our Customer Success team reach out.
Looking at what you are trying to accomplish, it sounds like you want a report of devices that do or don't meet certain criteria based on a registry check for Windows devices within your environment. One way to accomplish this is to schedule or manually run a worklet against a target list of devices and write output to stdout so that it displays in the Activity Log. Once you have completed the manual run of the worklet, you can filter by policy within the Activity Log and export to CSV.
Hello @BenG-Automox. What we are trying to accomplish is to get a particular Registry Key from:
And there is a particular key we need from every host we have in an Excel file. If we can get a script to output the key along with the hostname, it would be great, so that we can put that into a CSV file for reporting.
Hi @Deepan.bala!
Here is a Worklet you can use for retrieving a value from the CSAgent\Sim registry hive.
Evaluation Code:

```powershell
<#
.SYNOPSIS
    Windows - Security - Detect CSAgent Registry Key
.DESCRIPTION
    Determine if a registry key for the Crowdstrike Agent exists. If found, flag the
    device for remediation to retrieve the key value. If not found, exit the Worklet
    Evaluation.
.USAGE
    Complete the $regPath and $regName variables
#>

# The post names only the "CSAgent\Sim" key and the 'CU' value; the full hive path
# below is the standard location of the Falcon sensor's Sim key and is assumed here.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Sim'
$regName = 'CU'

# Read the value. With -ErrorAction SilentlyContinue a missing key or value yields $null
# instead of a terminating error.
$exists = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName

If ($exists) {
    Write-Output "The registry key was found. Flagging for remediation to determine the key's value."
    Exit 1
}
Else {
    Write-Output "The registry value was not found. Now exiting."
    Exit 0
}
```

Remediation Code:

```powershell
<#
.SYNOPSIS
    Windows - Security - Detect CSAgent Registry Key
.DESCRIPTION
    Determine if a registry key for the Crowdstrike Agent exists. If found, convert the
    value from binary to plain text and output the string to the Automox Activity Log.
.USAGE
    Complete the $regPath and $regName variables
#>

# Same assumed full path as in the Evaluation Code (the post names only CSAgent\Sim).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Sim'
$regName = 'CU'

$exists = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName

If ($exists) {
    # A REG_BINARY value is returned as a byte[]; BitConverter renders it as a
    # hex string such as "0A-1B-2C-...". The conversion sits inside the If so it
    # is never called on $null.
    $binary = [System.BitConverter]::ToString($exists)
    Write-Output "$binary"
    Exit 0
}
Else {
    Write-Output "The registry value was not found."
    Exit 0
}
```
I pre-populated the $regPath and $regName variables based on your last comment, but feel free to set them according to your needs. In my code currently, we are searching for the ‘CU’ value under CSAgent\Sim, but that can be changed to whatever value you’d like.
The Worklet Evaluation Code will then check to see if the CSAgent\Sim key is present. If not found, it will end the script run. If found, it will schedule the Remediation Code to run.
Note: If you are not intending on using a schedule with this worklet, you can run it manually against a device.
The Remediation Code will then capture the value of the $regName variable, convert it from a binary value to a readable string, and output it to your Automox Activity Log.
You can then sort the Activity Log by the Worklet name and export the report to a CSV:
The resulting CSV will include the device's hostname, and the CSAgent value will be found under the Details column:
I hope this helps! Let me know if you have any questions.
Have a great day!
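Since the original request was for the value and the hostname side by side in a table, here is an added example of doing that directly in the remediation script, so each device's Activity Log entry is already a CSV row. This is not code from the thread or from the Automox Worklet Catalog. It assumes the standard Falcon sensor key path `HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Sim` (the thread only names `CSAgent\Sim`) and the `CU` value name from John's post; the function names are my own. It also generalizes the conversion step to the other registry value types, so the same worklet works for string and DWORD values, not only REG_BINARY.

```powershell
# Added example: emit one CSV row (hostname, key, value name, found?, value) per device.
# Assumptions: full key path is the standard Falcon sensor location; value name 'CU'
# comes from the thread. Function names are hypothetical.

function Convert-RegistryValueToText {
    param($Value)
    if ($Value -is [byte[]]) {
        # REG_BINARY: Get-ItemProperty returns byte[]; render as hex with no separators
        # so the string can be compared or pasted without further cleanup.
        return ([System.BitConverter]::ToString($Value) -replace '-', '')
    }
    if ($Value -is [array]) {
        # REG_MULTI_SZ: join the strings so the row stays on one line.
        return ($Value -join ';')
    }
    # REG_SZ, REG_EXPAND_SZ, REG_DWORD, REG_QWORD all stringify cleanly.
    return [string]$Value
}

function Get-RegistryValueRecord {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name
    )
    # Start from a "not found" row so a missing key still produces a line in the report.
    $record = [pscustomobject]@{
        Hostname  = $env:COMPUTERNAME
        KeyPath   = $Path
        ValueName = $Name
        Found     = $false
        Value     = ''
    }
    # SilentlyContinue: a missing key or value yields $null instead of an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.$Name) {
        $record.Found = $true
        $record.Value = Convert-RegistryValueToText -Value $item.$Name
    }
    return $record
}

# Constructed sample input (not read from any host) showing the binary conversion:
# four bytes DE AD BE EF become the string "DEADBEEF".
$sampleHex = Convert-RegistryValueToText -Value ([byte[]](0xDE, 0xAD, 0xBE, 0xEF))
Write-Verbose "Sample conversion: $sampleHex"

# Assumed path and the 'CU' value name from the thread.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Sim'
$regName = 'CU'

$record = Get-RegistryValueRecord -Path $regPath -Name $regName

# Header plus one row; this is what lands in the Activity Log Details column.
$record | ConvertTo-Csv -NoTypeInformation

# Remediation exits 0 whether or not the value was present, as in John's worklet.
Exit 0
```

Keep the Evaluation Code from John's post unchanged and use this block as the Remediation Code; after the run, the Activity Log export then carries a ready-made CSV fragment per device instead of a bare hex string. Devices where the value is absent still show up with `Found` set to `False`, which is useful for the 484-host reconciliation, since a host missing the value is exactly the kind that needs a closer look rather than a token.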
Thank you so much John! You’re a rockstar!
Yes it works as intended. I just ran it on a single machine with the required Key I am looking for, and it provides exactly what we need.
This is a useful policy to get a registry key for any other information we need! Are you able to add this to the Worklet Catalog?
Hey Deepan,
Glad to hear that worked for you!
And right you are! You could change out the $regPath and $regName variables to potentially get any other registry values that you may need.
I will work with the team to get this published in the Worklet Catalog.
Have a great day!
Hey John
Are we able to use Device Tagging, and get the keys from a set of Device Tagged PCs?
Hi Deepan,
You most certainly can use Tags in tandem with Device Targeting to filter the scope of the worklet run!
You then can enable device targeting on the Worklet, and select the tag that you just created.
Note, device targeting works by searching inside the associated group for devices that meet the filtered criteria. With that being said, you’ll want to make sure that you have all appropriate groups assigned to the Worklet. The Preview Impacted Device button is a quick way to ensure that you have all of your desired devices in scope.
Have a great day!
Thanks for the quick reply John, and I tried the Device Targeting with assigned host machines, but for some reason it is not running on those machines. I will try it again.