Extending Endpoint detection analysis (Test Registry Key) - UAG

  • Question

  • Hello,

    I use UAG to publish web applications (OWA, SharePoint, etc.).

    With a session access policy set up on the trunk, I am trying to set up a check of a registry key on the workstation.

    I used the articles below to create the custom script:
    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/39ff1347-78fa-4894-afb2-0d9edd88b8b8
    http://blogs.technet.com/b/fesnouf/archive/2009/07/21/extending-client-side-analyzis-example-test-registry-key.aspx
    http://www.alexgiraud.net/blog/Lists/Categories/Category.aspx?Name=Microsoft%20Whale%20IAG%202007
    http://www.ssl-vpn.de/wiki/Full%20Example%20Endpoint%20detection.ashx


    My script:
    ----------------------------------
    On Error Resume Next

    Results("test_key")=False

    valueVV=Whale.Registry.RegRead(rkHKEY_LOCAL_MACHINE,"SOFTWARE\Alex","test_key")
    whale.debugecho ("Read value to be (" & value & ")")

    if Err=0 And lcase(valueVV)="1" then
        Results("test_key")=True
        Whale.DebugEcho "test_key registry check PASSED"
    End If

    if Results("test_key") = False And Err=0 And lcase(valueV)="1" then
        Results("test_key")=True
        Whale.DebugEcho "test_key registry check PASSED"
    else
        Whale.DebugEcho "Error: test_key registry check FAILED"
    end if
    ----------------------------------

    When I use the 'UAG release bit tracing' tool to check that the custom script is executed correctly, I see that the registry key check returns a message saying the key is not detected, although this key exists on the computer from which I run the endpoint detection test (HKEY_LOCAL_MACHINE, key: "SOFTWARE\TestKey", string value: "test_key", data: "1").

    The relevant lines from the trace file:
    [0]16c.10f0 06/15/2010-12:35:44.698 [detectionengine CWhaleUtils::DebugEcho WhaleUtils.cpp@113] Info:Read value to be ()
    [0]16c.10f0 06/15/2010-12:35:44.700 [detectionengine CWhaleUtils::DebugEcho WhaleUtils.cpp@113] Info:Error: test_key registry check FAILED

    Do you have any idea how to solve this problem?

    Regards,

    David
    Tuesday, June 15, 2010 1:36 PM

Answers

  • I solved my problem. The key was in the 64-bit registry instead of the 32-bit registry.

    UAG appears to check only the 32-bit registry. The key is detected once I added it to the 32-bit registry.

    Best regards, David

    • Marked as answer by davidbuisson Wednesday, June 16, 2010 3:57 PM
    Wednesday, June 16, 2010 3:57 PM

All replies

  • Hi David. Maybe it is just a typo in the post, but the script is looking for a test key in Software\Alex, and in your explanation you say the key is under Software (no Alex).
    // Raúl - I love this game
    Tuesday, June 15, 2010 2:28 PM
  • Sorry, I made a mistake in the script that I provided. Here is the corrected version (the one that is actually present on UAG):

    ----------------------------------
    On Error Resume Next

    Results("test_key")=False

    valueVV=Whale.Registry.RegRead(rkHKEY_LOCAL_MACHINE,"SOFTWARE\TestKey","test_key")
    whale.debugecho ("Read value to be (" & value & ")")

    if Err=0 And lcase(valueVV)="1" then
        Results("test_key")=True
        Whale.DebugEcho "test_key registry check PASSED"
    End If

    if Results("test_key") = False And Err=0 And lcase(valueV)="1" then
        Results("test_key")=True
        Whale.DebugEcho "test_key registry check PASSED"
    else
        Whale.DebugEcho "Error: test_key registry check FAILED"
    end if
    ----------------------------------

    This key exists on the computer from which I run the endpoint detection test (HKEY_LOCAL_MACHINE, key: "SOFTWARE\TestKey", string value: "test_key", data: "1").

    Thanks for this,

    David.

    Tuesday, June 15, 2010 3:54 PM
  • OK, it's clear now. I suggest you first troubleshoot the script itself by saving it as a .vbs file and running it under cscript. Insert some breakpoints with message boxes showing the value of the key, the result, etc., just to rule out type mismatches (strings, integers, ...). If the results are OK, then we can go on to troubleshoot UAG detection.

    Hope it helps

    // Raúl - I love this game
    Tuesday, June 15, 2010 4:42 PM
  • Hi David,

    Is this really the script you are running? If it is, it looks to me like you have some inconsistencies in the script, as well as some logical errors.

    The inconsistency is the variable you are using to store the registry value: you sometimes refer to it as "valueVV", other times as "valueV", and in the whale.debugecho statement you're printing yet another one, "value" (and this could be the reason the trace shows you an empty value).

    Then the logic error: you have two consecutive if…then statements, and I believe this is due to some copy/paste and/or an unintentional leftover. Not sure why you would need the second if…then…else statement.

    -Ran

    Tuesday, June 15, 2010 9:20 PM
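    The following stand-alone script is an added example and is not part of the original thread or of UAG; it is the kind of .vbs that Raúl suggests running under cscript, extended to cover the cause David finally found. On 64-bit Windows a 32-bit reader that opens HKLM\SOFTWARE\TestKey is redirected to HKLM\SOFTWARE\WOW6432Node\TestKey, so a value created with the 64-bit regedit is invisible to it. The script reads the same value through WMI's StdRegProv while forcing the 32-bit and then the 64-bit provider architecture, uses one consistently named variable, and applies the single test the UAG script needs (data exactly "1"). The key path, value name and file name are the ones from the thread; everything else is an assumption of this example.

```vbscript
' Added example (not from the thread): report whether HKLM\SOFTWARE\TestKey\test_key
' is visible in the 32-bit and/or 64-bit registry view. Run with:
'   cscript //nologo CheckTestKey.vbs
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const KEY_PATH   = "SOFTWARE\TestKey"   ' path from the thread
Const VALUE_NAME = "test_key"           ' REG_SZ value from the thread

' Read a REG_SZ value through StdRegProv, forcing the provider architecture
' (32 or 64). Returns the string, or Empty when the key/value is absent, the
' value is not REG_SZ, or the requested architecture is unavailable (for example,
' asking for the 64-bit view on a 32-bit Windows).
Function ReadStringValue(ByVal arch, ByVal subKey, ByVal valueName)
    On Error Resume Next
    Dim ctx, locator, services, reg, data, rc
    Err.Clear
    Set ctx = CreateObject("WbemScripting.SWbemNamedValueSet")
    ctx.Add "__ProviderArchitecture", arch   ' 32 => WOW6432Node view on x64
    ctx.Add "__RequiredArchitecture", True   ' fail instead of silently falling back
    Set locator  = CreateObject("WbemScripting.SWbemLocator")
    Set services = locator.ConnectServer(".", "root\default", "", "", , , , ctx)
    Set reg      = services.Get("StdRegProv")
    rc = reg.GetStringValue(HKEY_LOCAL_MACHINE, subKey, valueName, data)
    If Err.Number <> 0 Or rc <> 0 Then
        Err.Clear
        ReadStringValue = Empty
    Else
        ReadStringValue = data
    End If
End Function

' The decision the UAG script should make, with one variable name throughout:
' pass only when the data is exactly "1" (case-insensitive, surrounding blanks ignored).
Function CheckTestKey(ByVal arch)
    Dim value
    value = ReadStringValue(arch, KEY_PATH, VALUE_NAME)
    If IsEmpty(value) Then
        WScript.Echo arch & "-bit view: " & KEY_PATH & "\" & VALUE_NAME & " not found"
        CheckTestKey = False
    Else
        WScript.Echo arch & "-bit view: read value to be (" & value & ")"
        CheckTestKey = (LCase(Trim(value)) = "1")
    End If
End Function

Dim ok32, ok64
ok32 = CheckTestKey(32)
ok64 = CheckTestKey(64)

If ok32 Then
    WScript.Echo "PASS: a 32-bit reader (what the thread found UAG to be) sees the key."
ElseIf ok64 Then
    WScript.Echo "FAIL: the value exists only in the 64-bit view; a 32-bit reader is " & _
                 "redirected to HKLM\SOFTWARE\WOW6432Node\" & KEY_PATH & " and will not see it."
Else
    WScript.Echo "FAIL: the value is not present in either view."
End If
```

    To turn the verdict into the UAG script, replace the StdRegProv read with the thread's own Whale.Registry.RegRead(rkHKEY_LOCAL_MACHINE, "SOFTWARE\TestKey", "test_key") call and assign the result of the single comparison to Results("test_key"); the point of running this version first is that it tells you, outside UAG, which view holds the value and whether the comparison itself is the problem.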