Registry key help needed


Hi all, I've had my first attempt at setting up a collection based on a registry key value, specifically the HiberbootEnable flag, so that I can switch this feature off. I'm seeing systems in the results that cannot have this feature switched on though, as they are running versions of Windows prior to 10. So I don't trust that I have understood the way this works.

My scan profile looks like this.

[Image: scan profile screenshot]

And my collection filter looks like this.

[Image: collection filter screenshot]

Have I got this right?

I edited your post to fix the images.

Thanks Colby, how do I get inline images for next time?

I'm not sure how you didn't the first time 😄

When you hit the Image button, it should format everything correctly.


I was able to have only computers with HiberbootEnabled with a value of 1 added to the collection. I used the same scan profile as you and modified my collection slightly as shown below. Hopefully it works for you too.

[Image: modified collection filter screenshot]


For the dynamic collection, instead of filtering for the path HKLM\CurrentControlSet\Control\Session Manager\Power\Hiberbootenabled, try this:

[Image: suggested dynamic collection filter screenshot]


Hi GWhite, thanks for your suggestion. I'm sure you are correct, but it hasn't changed the results. I still can't explain why I'm seeing systems running Windows 7, Server 2008 R2 and Server 2012. The small sample of machines I checked have different settings which don't show any pattern.

For instance, a machine running Win7 which doesn't have this key, along with machines running Server 2012 R2 and Server 2016 which do have the key but set to 0, all appear in the results.

Puzzling!


I too have a mix of Windows 7 and Windows 10, plus servers of course. I will do some testing and see if I can get it to report correctly. While I do that, is your dynamic collection at the root or is it a sub-collection? I ask because I notice you do not have 'drill down from parent collection' selected and didn't know if that was skewing your results.


I just took another look at your original collection screenshot. Change the Group Filter from Any to All. Any will return results for anything it finds with a value of 1, but not necessarily matching only the HiberbootEnabled key.


I watched the webinar on filtering and thought that might be the answer. Using All returns 0 systems with Fast Startup enabled, which I know is not true. I must be missing something fundamental here.


Ah, I missed your earlier post. That was the answer, changing path to value name. Thanks!
