Regkeytomof and hardware inventory in general is no so good for HKCU entries (I don't think.)
p.s. below I meant 2007R3-not R2. From: [email protected] [mailto:[email protected]] On Behalf Of Hyatt, Dewayne Sent: Tuesday, October 29, 2013 3:15 PM To: [email protected] Subject: [mssms] RE: Detect CryptoLocker with DCM? You could use RegKeytoMof and add it to your hinv. http://myitforum.com/cs2/blogs/skissinger/archive/2009/04/13/mark-cochrane-s-regkeytomof.aspx We've had reports of this nasty little thing, so I need to be thinking about this too. Dewayne From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Miller, Todd Sent: Tuesday, October 29, 2013 2:58 PM To: [email protected]<mailto:[email protected]> Subject: [mssms] Detect CryptoLocker with DCM? Assume SCCM 2007withR2. I've been asked to develop a way to detect machines that have been affected by CryptoLocker. CryptoLocker infections will have a registry key at HKCU\Software\CryptoLocker. I thought I might first try to use DCM to detect machines where that registry key exists for any user. I've never used DCM before and I am having a little trouble. Is it possible to create a DCM where it detects simply if a Key exists? I don't care what values are there. I have no idea what I am doing.... It seems like all I need is this. But that totally is not working. The value of the instance count is always "0" and thus compliant whether the Key exists or not. I tried flipping the operator to "not equal" and that marked all clients as non-compliant --that is how I know the instance count is "0" all the time whether or not the key exists at HKCU\Software\CryptoLocker. I am game to use a completely different method of finding machines where the key HKCU\Software\CrytoLocker exists. I just thought that sounded like a perfect job for DCM. I imagine that HKCU is fouling things up. [cid:[email protected]][cid:[email protected]] Even though I have created a key at HKCU\Software\CryptoLocker (and at HKCU\Software\Wow6432node\CryptoLocker - as a test) ________________________________ Notice: This UI Health Care e-mail (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential and may be legally privileged. If you are not the intended recipient, you are hereby notified that any retention, dissemination, distribution, or copying of this communication is strictly prohibited. Please reply to the sender that you have received the message in error, then delete it. Thank you. ________________________________ ________________________________ Notice: This UI Health Care e-mail (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential and may be legally privileged. If you are not the intended recipient, you are hereby notified that any retention, dissemination, distribution, or copying of this communication is strictly prohibited. Please reply to the sender that you have received the message in error, then delete it. Thank you. ________________________________
<<inline: image001.png>>
<<inline: image002.png>>
