Hey! Sooner or later someone from upper management will come to you and ask whether you can check your machines for a registry key (often one left behind by a virus) to see if they are infected. They will also ask whether you can produce a nice report of it. So how do you do it? Well, in my opinion, this is the best way.
Configuration Item (in this case I'm checking whether “HKLM:\Software\Classes\MJ” exists or not)
1. First, go to your console -> Assets and Compliance -> Configuration Item
2. Right-click and choose “Create Configuration Item”
3. Pick a good name for your CI
4. Go with the default settings: Next, Next, Summary, Close.
5. Right-click the CI, go to Properties > Settings and click New
6. Configure the setting like this:
6.1 Name it “Check for a Registry Value”
6.2 Change Setting type to Script
6.3 Change Data type to String
6.4 Click on Discovery script
6.5 Set Script language to Windows PowerShell, then copy this:
function Get-RegistryKey {
    [CmdletBinding()]
    param ()
    Begin { }
    Process {
        Try {
            # Test-Path returns $true if the key exists, $false otherwise
            $Result = Test-Path "HKLM:\Software\Classes\MJ"
            If ($Result) { $State = 1 } Else { $State = 0 }
        }
        catch {
            # Error handling: on failure nothing is output, so the
            # "setting instance not found" rule reports noncompliance
        }
        # Output the state (1 = key exists, 0 = key missing); the compliance rule checks for 1
        $State
    }
    End { }
}
Get-RegistryKey
6.6 Click on OK
7. Go to the Compliance Rule tab
8. Click on New
9. Then change the Value to 1, and check the box “Report noncompliance if this setting instance is not found”. Then click OK
10. Apply, Apply, OK.
11. Go to Configuration Baselines, Create Configuration Baseline
12. Name it “Check for a Registry Value”
13. Click on Add, Configuration Item
14. OK.
15. Right-click the baseline, then Deploy
16. Configure the deployment like this:
16.1 Check “Remediate noncompliant rules when supported”
16.2 Check “Allow remediation outside the maintenance window”
16.3 Select the collection you want to run the script on.
16.4 Simple schedule, 1 time each day.
16.5 OK.
17. Now we are done. The clients will report back whether the registry key exists or not.
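As an added example (not the post's own script), here is a discovery script in the same style that also lets you check a named value's data, not just the key's existence, and that reports 0 on any error so a broken path shows up as noncompliant rather than vanishing from the report. The value name and expected data are placeholders you would replace.

```powershell
# Added example, not the script from the post. Outputs a single "1"/"0"
# string for a CI with Data type String and a compliance rule of Value = 1.
# $ValueName / $Expected are assumed placeholders; leave them $null to check
# only that the key exists, as the post does.
$KeyPath   = 'HKLM:\SOFTWARE\Classes\MJ'   # key from the post
$ValueName = $null                         # e.g. 'Version'
$Expected  = $null                         # e.g. '2.0'

function Test-RegistryState {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $Path,
        [string] $Name,
        [string] $ExpectedData
    )
    try {
        # -ErrorAction Stop turns provider errors (e.g. a malformed path)
        # into exceptions that the catch block below can handle.
        if (-not (Test-Path -Path $Path -ErrorAction Stop)) { return '0' }
        if (-not $Name) { return '1' }             # only the key was required

        # Get-ItemProperty -Name throws (with Stop) when the value is missing
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        $data = $item.$Name
        if (-not $ExpectedData) { return '1' }     # value exists, data not checked
        if ("$data" -eq $ExpectedData) { return '1' } else { return '0' }
    }
    catch {
        # Report "0" on any error so the rule marks the device noncompliant
        # instead of the setting instance being absent from the report.
        return '0'
    }
}

# NOTE: the ConfigMgr client runs discovery scripts as LOCAL SYSTEM unless the
# setting is configured to run with the logged-on user's credentials, so an
# HKCU:\ path resolves to SYSTEM's own hive, not the interactive user's.
Test-RegistryState -Path $KeyPath -Name $ValueName -ExpectedData $Expected
```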
I also shared the files here, if you just want to import the CI:
CI – Check for a Registrykey
Thanks for reading.
/Pontus
Hello,
I know this is an old post but can you urgently assist..
I followed the exact steps on creating a CI & Baseline but all machines still report as non-compliant even though I know about 1000 machines have the KEY.
I changed mine to “HKCU:\Software\HCS Company Microsoft Services\HOMAAS” – do I have to remove “Test-Path” before the actual path?
I also did not select “Remediate noncompliant rule when supported” and “Allow remediation outside maintenance window”
Kindly assist