
We are experiencing an issue while using our RMM software to modify a registry key on multiple computers. The RMM software utilizes the SYSTEM account for this task.

When executing the following command through the RMM software:

REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\NcdAutoSetup\Private" /f /v NcdAutoSetup /t REG_DWORD /d 2

and subsequently running:

REG QUERY "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\NcdAutoSetup\Private" /v NcdAutoSetup

We receive a confirmation that the value has changed to 0x2.

However, when opening REGEDIT with local admin privileges and checking the key, we observe a different value: 0x1, as shown in the screenshot (Regedit and command prompt).

It appears that the RMM software is writing to a different hive or location. When we update the value using Command Prompt on the local PC, the change is reflected only in REGEDIT and REG QUERY from Command Prompt, not when running the REG QUERY through the RMM software.

We are trying to understand why there are two different values displayed depending on whether we use the SYSTEM account or local admin.

Does anyone know why this is happening? To be clear, it's happening on every Win10 / Win11 machine we've tested it on, not just one.

asked Apr 12, 2023 at 14:26
  • Is the RMM software a 32-bit process? Commented Apr 12, 2023 at 14:37
  • @user1686 It is, but the WOW6432Node key doesn't contain it either. REG QUERY "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\NcdAutoSetup\Private" /v AutoSetup /reg:32 sure does show the value from the RMM (when run on command prompt) so that must be it. Thanks. Commented Apr 12, 2023 at 14:41
  • If it's a 32-bit process then it's incapable of modifying the 64-bit registry location. Commented Apr 12, 2023 at 15:15

1 Answer

On 64-bit systems, certain registry writes by 32-bit processes are transparently redirected to an alternate location under the "Wow6432node" key.

In addition, I believe 32-bit processes will automatically run the 32-bit variant of reg.exe (thanks to the same kind of redirection for the filesystem), so the registry redirection ends up being inherited even by the external tool.

So if the program uses reg add, you may need to make it run with the /reg:64 option to update the correct keys (or, if possible, migrate to a 64-bit version of the program).

answered Apr 12, 2023 at 14:47
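
A check for the mismatch discussed in the question and answer above, as an added example that is not part of the original posts: it reads the value through both the 64-bit and 32-bit registry views, then writes it through the 64-bit view explicitly, which is the effect the answer gets from /reg:64. The key path, value name and data are the ones from the question; the function names are hypothetical, and the script assumes Windows PowerShell on .NET 4 or later in an elevated session.

```powershell
# Added example: compare the 64-bit and 32-bit registry views of one HKLM value,
# then write it through the 64-bit view regardless of the caller's bitness.
# Key path, value name and data are taken from the question.
$SubKey  = 'Software\Microsoft\Windows\CurrentVersion\NcdAutoSetup\Private'
$Name    = 'NcdAutoSetup'
$Desired = 2

function Get-ValueInView {
    param([Microsoft.Win32.RegistryView]$View)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)          # read-only open in the chosen view
        if ($null -eq $key) { return '<key missing>' }
        try {
            $value = $key.GetValue($Name)
            if ($null -eq $value) { return '<value missing>' }
            return $value
        } finally { $key.Dispose() }
    } finally { $base.Dispose() }
}

function Set-ValueIn64BitView {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $key = $base.CreateSubKey($SubKey)        # opens writable, creating if absent
        try {
            $key.SetValue($Name, $Desired, [Microsoft.Win32.RegistryValueKind]::DWord)
        } finally { $key.Dispose() }
    } finally { $base.Dispose() }
}

# Report the bitness that decides which view this process gets by default.
"64-bit OS: $([Environment]::Is64BitOperatingSystem)  64-bit process: $([Environment]::Is64BitProcess)"
"Before  64-bit view: $(Get-ValueInView Registry64)   32-bit view: $(Get-ValueInView Registry32)"

Set-ValueIn64BitView

"After   64-bit view: $(Get-ValueInView Registry64)   32-bit view: $(Get-ValueInView Registry32)"
```

Run once from the RMM agent and once from a local elevated prompt: if the two runs report different process bitness, any tool that relies on the default view will read and write different locations in each context.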
