Registry key help needed

Answered

Follow

Greg Mills

• June 05, 2019 13:40

Hi all, I've had my first attempt at setting up a collection based on a registry key value, specifically the HiberbootEnable flag, so that I can switch this feature off. I'm seeing systems in the results that cannot have this feature switched on though, as they are running versions of Windows prior to 10. So I don't trust that I have understood the way this works.

My scan profile looks like this.

And my collection filter looks like this.

Have I got this right?

0

• 

  Gary White

  • June 05, 2019 14:53

  For the dynamic collection, instead of filtering for the path HKLM\CurrentControlSet\Control\Session Manager\Power\Hiberbootenabled, try this:

  

  0

  Comment actions Permalink
• 

  Greg Mills

  • June 05, 2019 15:18

  Hi GWhite, thanks for your suggestion. I'm sure you are correct, but it hasn't changed the results. I still can't explain why I'm seeing systems running Windows 7, Server 2008 R2 and Server 2012. The small sample of machines I checked have different settings which don't show any pattern.

  For instance a machine running Win7 which doesn't have this key along with machines running Server 2012 R2 and Server 2016 which do have the key but set to 0, all appear in the results.

  Puzzling!

  0

  Comment actions Permalink
• 

  Gary White

  • June 05, 2019 18:13

  I too have a mix of Windows 7 and Windows 10, plus servers of course. I will do some testing and see if I can get to report correctly. While I do that, is your dynamic collection at the root or is it a sub-collection? I ask because I notice you do not have 'drill down from parent collection' selected and didn't know if that was skewing your results.

  0

  Comment actions Permalink
• 

  Gary White

  • June 05, 2019 18:26

  I was able to have only computers with HiberbootEnabled with a value of 1 added to the collection. I used the same scan profile as you and modified my collection slightly as shown below. Hopefully it works for you too.

  

  0

  Comment actions Permalink
• 

  Gary White

  • June 05, 2019 18:28

  I just took another look at your original collection screenshot. Change the Group Filter from Any to All. Any will return results for anything it finds with a value of 1, but not necessarily matching only the HiberbootEnabled key.

  0

  Comment actions Permalink
• 

  Greg Mills

  • June 06, 2019 09:48

  I watched the webinar on filtering and thought that might be the answer. Using All returns 0 systems with Fast Startup enabled which I know is not true. I must be missing something fundamental here.

  0

  Comment actions Permalink
• 

  Greg Mills

  • June 06, 2019 10:52

  Ah, I missed your earlier post. That was the answer, changing path to value name. Thanks!

  0

  Comment actions Permalink
• 

  Colby Bouma

  • June 06, 2019 14:50

  I edited your post to fix the images.

  0

  Comment actions Permalink
• 

  Greg Mills

  • June 06, 2019 15:05

  Thanks Colby, how do I get inline images for next time?

  0

  Comment actions Permalink
• 

  Colby Bouma

  • June 06, 2019 15:11

  I'm not sure how you didn't the first time 😄

  When you hit the Image button, it should format everything correctly.

  0

  Comment actions Permalink

Please sign in to leave a comment.