I am trying to create a new check that would verify whether a specific registry key exists.
When I click on New Check, the check builder appears. I enter the name for the check, specify the platform (Windows) and the labels (registrysettings). On the Select Primitives page I select the Windows registry key existence check, and on the following page I enter the information for the key I want to verify:
Hive equals: HKEY_LOCAL_MACHINE
Parameter equals: SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp\SSLCertificateSHA1Hash
SSLCertificateSHA1Hash is the key I want to verify exists.
When I run my check, I get a failed result regardless of whether the key is present on the system or not.
Any ideas on what I am doing wrong?
Any help would be greatly appreciated.
I've used this primitive several times, and followed the same process you outlined below. It has always seemed to work, unless I used a bad RegEx or misspelled the name of the key.
If you look in the System Rules - Failed section of the Audit results, and then click on the link labeled "failed" under Results, it may provide a bit more information. You may also try creating the check but not specifying a platform or label.
One last suggestion would be to export the check, then run the Check.xml you've exported using the Policy Auditor CLI, i.e. engineMain.exe -m oval -i Check.xml -f -o results.xml
engineMain.exe is found in the ..\Policy Auditor Agent\Engine directory. The results.xml will provide some debug-level output on the execution of the check, which may help you figure out which part of the check is causing the 'fail' result.
Hope that helps!
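As an added example (not code from this thread or from Policy Auditor itself), the PowerShell function below tests the exact hive and parameter from the question in two ways: as a subkey, which is what a key-existence primitive looks for, and as a value name under the parent key. Running it on the target machine gives an independent result to compare against what the check reports; the function name is my own.

```powershell
# Added example, not code from the thread or from Policy Auditor.
# Checks a hive + path both as a subkey and as a value name under the
# parent key, so the result can be compared with the audit check.
function Test-RegistryPath {
    param(
        [Parameter(Mandatory)] [string] $Hive,   # e.g. HKEY_LOCAL_MACHINE
        [Parameter(Mandatory)] [string] $Path    # path below the hive
    )
    $root = switch ($Hive) {
        'HKEY_LOCAL_MACHINE' { [Microsoft.Win32.Registry]::LocalMachine }
        'HKEY_CURRENT_USER'  { [Microsoft.Win32.Registry]::CurrentUser }
        'HKEY_USERS'         { [Microsoft.Win32.Registry]::Users }
        'HKEY_CLASSES_ROOT'  { [Microsoft.Win32.Registry]::ClassesRoot }
        default              { throw "Unsupported hive: $Hive" }
    }

    # 1. Does the whole path exist as a subkey? OpenSubKey returns $null if not.
    $asKey = $root.OpenSubKey($Path)
    $keyExists = $null -ne $asKey
    if ($asKey) { $asKey.Close() }

    # 2. Treat the last path segment as a value name under the parent key.
    $parentPath  = Split-Path -Path $Path -Parent
    $leaf        = Split-Path -Path $Path -Leaf
    $valueExists = $false
    $parent = $root.OpenSubKey($parentPath)
    if ($parent) {
        # Registry value names are case-insensitive; -contains matches that.
        $valueExists = $parent.GetValueNames() -contains $leaf
        $parent.Close()
    }

    [pscustomobject]@{
        Hive        = $Hive
        Path        = $Path
        KeyExists   = $keyExists     # $true only if the full path is a subkey
        ValueExists = $valueExists   # $true if the leaf is a value under the parent
    }
}

# The hive and parameter exactly as entered in the question.
Test-RegistryPath -Hive 'HKEY_LOCAL_MACHINE' `
    -Path 'SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp\SSLCertificateSHA1Hash'
```

If KeyExists is false but ValueExists is true on a machine where the check still fails, the primitive is evaluating the path as a key while the last segment is actually a value, which is worth comparing against the debug output in results.xml.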