Registry Files and the Custom Software feature
The Custom Software feature now supports loading .reg files.
Or rather, when you upload a .reg file, it will automatically run reg.exe with the parameters you supply.

One possible use case for this is to update the "ignorePaths" settings for the SecTeer VulnDetect Agent:
First you need to load this file on one machine with the VulnDetect Agent: vulndetect-ignorePaths.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SecTeer\Agent]
"inspectionPaths"=hex(7):00,00
"ignorePaths"=hex(7):00,00

You can load it using this command:
reg IMPORT ignorePaths.reg
Now open regedt32 and go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SecTeer\Agent
Now double-click ignorePaths and edit it. Enter data like this:

D:\
C:\Users\test\Downloads\
C:\Users\test\SysInternals\

You may get a warning about empty strings. It is safe to ignore, as regedt32 will remove them automatically.
Now you need to export this:
reg export HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SecTeer\Agent ignorePaths.reg
It is IMPORTANT to edit this file!
It will look like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SecTeer\Agent]
"LogFile"="C:\\WINDOWS\\Logs\\SecTeer\\secteer.log"
"LogLevel"=dword:00000006
"authToken"="1111111-2222-3333-4444-aaaaaaaaaaaa"
"inspectionPaths"=hex(7):00,00
"ignorePaths"=hex(7):44,00,3a,00,5c,00,00,00,43,00,3a,00,5c,00,55,00,73,00,65,\
  00,72,00,73,00,5c,00,74,00,65,00,73,00,74,00,5c,00,44,00,6f,00,77,00,6e,00,\
  6c,00,6f,00,61,00,64,00,73,00,5c,00,00,00,43,00,3a,00,5c,00,55,00,73,00,65,\
  00,72,00,73,00,5c,00,74,00,65,00,73,00,74,00,5c,00,53,00,79,00,73,00,49,00,\
  6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,73,00,5c,00,00,00,00,00

If you import this to the wrong host, then you will create a clash between the hosts. Deleting the unnecessary lines is vital:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SecTeer\Agent]
"inspectionPaths"=hex(7):00,00
"ignorePaths"=hex(7):44,00,3a,00,5c,00,00,00,43,00,3a,00,5c,00,55,00,73,00,65,\
  00,72,00,73,00,5c,00,74,00,65,00,73,00,74,00,5c,00,44,00,6f,00,77,00,6e,00,\
  6c,00,6f,00,61,00,64,00,73,00,5c,00,00,00,43,00,3a,00,5c,00,55,00,73,00,65,\
  00,72,00,73,00,5c,00,74,00,65,00,73,00,74,00,5c,00,53,00,79,00,73,00,49,00,\
  6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,73,00,5c,00,00,00,00,00

This file is safe to import.
You can simply select it in Custom Software; remember to set the Installer Arguments to IMPORT.
The package tool will run the following:
reg.exe IMPORT yourfile.reg
It is important to understand that this registry entry will prevent the agent from inspecting those folders, and the contents will be completely hidden from the VulnDetect backend. This feature was originally intended for developers, IT enthusiasts and users with e.g. old archive/backup drives attached.
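
A check you can run on the edited file before uploading it to Custom Software, as an added example that is not part of the original post or SecTeer's tooling: it lists value names other than inspectionPaths and ignorePaths (such as authToken) and decodes the hex(7) data so you can review exactly which folders will be hidden. The function names are assumptions and the sample is constructed, cut down from the export shown above; a file written by reg export is normally UTF-16, so read it with that encoding before passing the text in.

```python
import re

# Value names kept in the trimmed file above; anything else is host-specific.
ALLOWED = {"inspectionPaths", "ignorePaths"}

def parse_reg(text):
    """Return {value_name: raw_data}, joining lines that end in a '\\' continuation."""
    joined = re.sub(r"\\\s*\n\s*", "", text)
    values = {}
    for line in joined.splitlines():
        m = re.match(r'\s*"([^"]+)"=(.*)$', line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values

def decode_multi_sz(raw):
    """Decode 'hex(7):..' (REG_MULTI_SZ: UTF-16LE strings, NUL-separated) to a list."""
    if not raw.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ value")
    data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
    return [s for s in data.decode("utf-16-le").split("\x00") if s]

def audit(text):
    """Return (ignored_paths, unexpected_value_names) for the text of a .reg file."""
    values = parse_reg(text)
    unexpected = sorted(set(values) - ALLOWED)
    ignored = decode_multi_sz(values.get("ignorePaths", "hex(7):00,00"))
    return ignored, unexpected

# Constructed sample: an untrimmed export with two of the page's three paths.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SecTeer\Agent]
"LogLevel"=dword:00000006
"authToken"="1111111-2222-3333-4444-aaaaaaaaaaaa"
"inspectionPaths"=hex(7):00,00
"ignorePaths"=hex(7):44,00,3a,00,5c,00,00,00,43,00,3a,00,5c,00,55,00,73,00,65,\
  00,72,00,73,00,5c,00,74,00,65,00,73,00,74,00,5c,00,44,00,6f,00,77,00,6e,00,\
  6c,00,6f,00,61,00,64,00,73,00,5c,00,00,00,00,00
'''

if __name__ == "__main__":
    paths, extra = audit(SAMPLE)
    print("paths hidden from the backend:", paths)
    print("value names to delete before distributing:", extra)
```

An empty second list means the file carries only the two path settings.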