6 Replies Latest reply: Nov 24, 2014 5:36 PM by s7orm

    Remote Registry for Windows Disabled - MVM scan cannot run

    devilson911

      Hi,

       

      We have a small problem: as part of our minimum security baseline, Remote Registry is disabled on all our Windows servers, and when we run the MVM scan the result is that it was unable to find anything and had partial access to the system.

       

      Can someone share their experience of how they manage these systems?

       

      Thanks.

        • 1. Re: Remote Registry for Windows Disabled - MVM scan cannot run

          Hi D-911,

           

          When 7.5.2 is released there will be an option to dynamically enable Remote Registry during a Windows Scan.  This will be configurable via an Engine Tweak.

           

          7.5.2 should be coming out very soon...  then you can search the KB for "Dynamically enable Remote Registry" for the specific tweak I'm talking about.

           

          I hope that helps!
          Cathy

          • 2. Re: Remote Registry for Windows Disabled - MVM scan cannot run
            devilson911

            Thanks for your help. I will be waiting for 7.5.2, since I am having a big problem scanning our DMZ servers: every time, we have to ask the admin to start the service and disable it after the scan is done.

            • 3. Re: Remote Registry for Windows Disabled - MVM scan cannot run

              Hi D,

               

              7.5.2 went out yesterday.

               

              Here's the KB I was telling you about   KB77852 ... actually it's not published yet.  So here are the details:

               

              With version 7.5.2 a registry tweak is available that will remotely enable the service for the purpose of scanning, and will disable it (or set the service back to its original state) at the end of the scan.

              1. Open the registry editor on the scan engine. Click Start, Run, type regedit and click OK.
              2. Navigate to:

                  * [HKEY_LOCAL_MACHINE\SOFTWARE\Foundstone\Foundscan\Tweaks] (for 32-bit host) or

                  * [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Foundstone\Foundscan\Tweaks] (for 64-bit host)

                  ** If the key "Tweaks" doesn't exist, create it. **

              3. Create or modify the following tweak in the key:

                  * Valuename: WHAM - DynamicallyEnableRemoteRegistry
                  * Valuetype: DWORD
                  * Value: (enabled)) 

              4. Restart the FSScanEngineSvc service for the tweak to take effect.

               

              I haven't actually tried it out yet, but it got quite a bit of QA ... so if you get results (good or bad) post here ok?

               

              Thanks!
              Cathy

               

              Message was edited by: cgrim I had the wrong registry hive on 4/5/13 5:10:29 PM CDT
              • 4. Re: Remote Registry for Windows Disabled - MVM scan cannot run
                marc

                Hi Cathy,

                 

                Great tip.

                 

                The tweak works fine. I had the same problem - the Remote Registry service on Win7 clients was stopped and set to manual start.

                The tweak started the service and stopped it after the scan.

                 

                Many Thanks

                 

                Marc

                • 5. Re: Remote Registry for Windows Disabled - MVM scan cannot run
                  devilson911

                  The feature has been added in MVM 7.5 patch 5.

                   

                  Thanks to the MVM team.

                  • 6. Re: Remote Registry for Windows Disabled - MVM scan cannot run
                    s7orm

                    I have tried to use this feature as it solves a problem for me. However, I can't get it working: despite setting the registry (export below), the scan logs show, next to WindowsModule, Tweaks enabled, that DynamicallyEnableRemoteRegistryEnabled: 0

                     

                    Have I entered the registry key correctly? (Windows Server 2008 R2 Standard)

                     

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Foundstone\Foundscan\Tweaks]

                    "WHAM - DynamicallyEnableRemoteRegistry"=dword:00000001

                    "LogWam"=dword:000000ff

                     

                    From testing I know that the feature isn't working. I have tried restarting the service and rebooting the server.

                     

                    EDIT: Solution was a check box in the scan settings, which was not documented anywhere for MVM 7.5. In this version it appears you do not need the registry tweak.
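
The tweak in reply 3 enables Remote Registry on scan targets and is meant to restore the original state afterwards. The following is an added PowerShell example (not from any poster or from the MVM product) that snapshots the service before a scan and reports hosts that did not return to that state; the host names and file path are placeholders, and it assumes WinRM access to the targets for Get-CimInstance.

```powershell
# Added example: snapshot and verify the Remote Registry service around a scan.
# Run with -Mode Snapshot before the scan and -Mode Verify after it.
# Host names are constructed placeholders; replace them with your own inventory.
param(
    [ValidateSet('Snapshot', 'Verify')]
    [string]$Mode = 'Snapshot',
    [string[]]$ComputerName = @('dmz-web01.example.test', 'dmz-app01.example.test'),
    [string]$BaselinePath = '.\remoteregistry-baseline.csv'
)

function Get-RemoteRegistryState {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            # Queried over WinRM (assumption), so it does not depend on the
            # Remote Registry service that is being checked.
            $svc = Get-CimInstance -ClassName Win32_Service `
                -Filter "Name='RemoteRegistry'" -ComputerName $c -ErrorAction Stop
            [pscustomobject]@{ Computer = $c; StartMode = $svc.StartMode; State = $svc.State }
        } catch {
            [pscustomobject]@{ Computer = $c; StartMode = 'Unknown'; State = 'Unreachable' }
        }
    }
}

$current = @(Get-RemoteRegistryState -ComputerName $ComputerName)

if ($Mode -eq 'Snapshot') {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    $current | Format-Table -AutoSize
    return
}

# Verify: compare each host with its pre-scan row and list any difference.
$baseline = @(Import-Csv -Path $BaselinePath)
$drift = foreach ($now in $current) {
    $before = $baseline | Where-Object Computer -eq $now.Computer
    if (-not $before) { continue }
    if ($now.StartMode -ne $before.StartMode -or $now.State -ne $before.State) {
        [pscustomobject]@{
            Computer = $now.Computer
            Before   = "$($before.StartMode)/$($before.State)"
            After    = "$($now.StartMode)/$($now.State)"
        }
    }
}
if ($drift) { $drift | Format-Table -AutoSize; exit 1 }
'All hosts match the pre-scan snapshot.'
```

A non-zero exit code from the Verify run means at least one host was left in a different state than the scan found it in, for example Manual/Running instead of Disabled/Stopped.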