TROUBLESHOOTING: Upload multiple registry keys

Description

This task exports the specified registry keys with reg.exe, compresses them with the built-in Windows makecab.exe utility, and uploads the resulting .cab to the BigFix server.

 

To specify multiple registry keys, separate the values with a semicolon. A common example, gathering the SxS and CBS keys for Windows patch troubleshooting, looks like this:

HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing;HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide

To locate the compressed registry export files, you must have access to the file system of the BigFix root server and know the computer ID of the computer whose files you want to find. The filename ends in registryexport.cab, and the path for each computer ID looks like this:

<Bigfix server install folder>\UploadManagerData\BufferDir\sha1\<last two digits of computer ID>\<full computer ID>

This fixlet has a hardcoded secure parameter to prevent targeting endpoints by property; this reduces the risk of an unintentional DDoS on your infrastructure. To disable this behavior, make a copy of this fixlet and remove the script element below this text.
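A pre-flight check for the semicolon-separated RegistryKeys value described above, written as an added example that is not part of the original fixlet. The function name, the list of rejected characters and the constructed sample value are assumptions of this example; the first sample is the value from the description.

```python
import re

# Root key names, short and long forms.
HIVES = {"HKLM", "HKCU", "HKCR", "HKU", "HKCC", "HKEY_LOCAL_MACHINE",
         "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS",
         "HKEY_CURRENT_CONFIG"}

# Policy of this check (an assumption, stricter than the registry itself):
# no double quote or cmd.exe metacharacter, because every entry is written
# between quotes into export.bat, and no comma, because the action joins the
# entries with ", " before splitting them again.
FORBIDDEN = re.compile(r'["%&|<>^!,\x00-\x1f]')

# The value from the description, and a constructed value with one good entry.
PAGE_EXAMPLE = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing"
                r";HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide")
CONSTRUCTED_BAD = r"HKLM\Software\Example; HKLM\Software\B;HKXX\Foo;HKLM\Software\A&B;HKLM;"


def check_registry_keys(value):
    """Return (accepted_keys, errors) for a semicolon-separated key list."""
    accepted, errors = [], []
    for entry in value.split(";"):
        hive, sep, _ = entry.partition("\\")
        leaf = entry.rsplit("\\", 1)[-1]
        if not entry.strip():
            errors.append("empty entry (stray or trailing semicolon)")
        elif entry != entry.strip():
            errors.append(f"{entry!r}: leading or trailing whitespace")
        elif hive.upper() not in HIVES:
            errors.append(f"{entry!r}: unknown root key")
        elif not sep or not leaf:
            # The .reg file is named after the text following the last "\".
            errors.append(f"{entry!r}: no subkey name after the last backslash")
        elif FORBIDDEN.search(entry):
            errors.append(f"{entry!r}: character rejected by this check")
        else:
            accepted.append(entry)
    return accepted, errors


if __name__ == "__main__":
    for value in (PAGE_EXAMPLE, CONSTRUCTED_BAD):
        keys, problems = check_registry_keys(value)
        print(len(keys), "accepted;", problems or "no problems")
```

Run it on the value you intend to paste into the action parameter prompt and deploy only when the error list is empty.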


Property Details

ID: 27369
Status: Beta - Preliminary testing ready for more
Title: TROUBLESHOOTING: Upload multiple registry keys
Domain: BESC
Source: Internal
Source Release Date: 3/10/2019 12:00:00 AM
Keywords: Troubleshooting, upload, archive manager, windows, registry
Is Task: True
Added by on 9/24/2024 3:18:41 PM
Last Modified by on 9/24/2024 3:18:41 PM

Relevance

isWindows (Relevance 274)
Used in 592 fixlets and 3 analyses   * Results in a true/false
name of operating system starts with "Win"

Actions

Action 1 (default)

Script Type: BigFix Action Script

action parameter query "RegistryKeys" with description "Please enter full registry key names to export.  Separate multiple keys with a semicolon ;"
action uses wow64 redirection false

//set and create working directory
parameter "Exportfolder" = "{data folder of client as string & "\registryexport"}"
folder create "{parameter "Exportfolder"}"


//create batch file to run reg.exe against each semicolon separated registry key. Deletes all .reg files in the working directory. Names resulting .reg files after the last key name + a random number to prevent duplicate filenames
appendfile cd "{parameter "Exportfolder"}"
appendfile del *.reg
appendfile {("reg.exe export %22" & it as string & "%22 %22" & following text of last "\" of (it as string) & index of it as string & ".reg%22 /y%0d%0a") of (tuple items of it of (concatenations ", " of (substrings separated by ";" of Parameter "RegistryKeys")))}
delete "{parameter "Exportfolder" & "\export.bat"}"
move __appendfile "{parameter "Exportfolder" & "\export.bat"}"
waithidden cmd.exe /c "{parameter "Exportfolder" & "\export.bat"}"


//create makecab file list
appendfile {("%22" & it & "%22%0d%0a") of (pathnames of files whose (name of it contains ".reg") of folder (parameter "Exportfolder"))}
delete "{parameter "Exportfolder" & "\files.txt"}"
move __appendfile "{parameter "Exportfolder" & "\files.txt"}"

//compress listed files
waithidden makecab /d CabinetName1={computer ID}registryexport.cab /d MaxDiskSize=0 /D CompressionType=LZX /D DiskDirectoryTemplate="{parameter "Exportfolder"}" /f "{parameter "Exportfolder" & "\files.txt"}"


//limit upload results to 20MB and start the upload.
setting "_BESClient_ArchiveManager_MaxArchiveSize"="20971520" on "{parameter "action issue date" of action}" for client
setting "_BESClient_ArchiveManager_OperatingMode"="2" on "{parameter "action issue date" of action}" for client
setting "_BESClient_ArchiveManager_FileSet-RegistryExport"="{parameter "Exportfolder"}\{computer ID}registryexport.cab" on "{parameter "action issue date" of action}" for client
archive now

Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

