
FIM Does Not Support Specifying Registry Aliases

Created by Interspire Import, last modified by MindTouch on Jun 23, 2016


FIM does not support specifying aliases because the registry has many aliased regions where the same key appears in multiple locations. For example, when a foo.ttt file is created and its file association is set, Windows creates the .ttt key. This key shows up in all of the following locations in regedit:
 

HKEY_USERS\S-1-5-21-138434890-818224588-799959843-500\Software\Classes\.ttt
HKEY_USERS\S-1-5-21-138434890-818224588-799959843-500_Classes\.ttt
HKEY_CURRENT_USER\Software\Classes\.ttt
HKEY_CLASSES_ROOT\.ttt

 


The first location listed above is the actual location where the key is created; the others are its aliases. The operation on this actual path is what goes through at the kernel level. You can capture the action by setting the driver to watch the HKEY_USERS key recursively with a pattern of *ttt*. In this case, however, monitoring the other three locations will not capture the event.

 

 

 

RegKey Read (RegNotifyClass = RegNtQueryKey)
         Time: 2014-03-21 17:02:22.365
      Reg Key: \REGISTRY\USER\S-1-5-21-138434890-818224588-799959843-500_CLASSES\.ttt
    WEDirName: HKU
    WEPattern: *TTT*
     User SID: S-1-5-21-138434890-818224588-799959843-500
     WE Flags: 0x0
   WE Op Mask: 0xff
       Status: 0x0
        Flags: 0x0

 

 

Note: The example above is tied to the way Windows processes the “add new file association” scenario. Monitoring aliases can still prove useful when registry actions are performed manually via regedit or the command line.

Additionally, the entire HKEY_CURRENT_USER Windows key is an alias whose definition changes constantly depending on the context. This is why FIM works with complete, fully resolved names instead. Avoid using aliases (e.g. the HKEY_CURRENT_USER key) explicitly in your FIM Connector Configuration and select the actual keys: instead of HKEY_CURRENT_USER, choose the key for a specific user under the HKEY_USERS registry key (e.g. HKEY_USERS\<user_sid>).
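The following is an added example, not SolarWinds code: a small check that rewrites alias roots in a planned watch entry into fully resolved paths and tests whether a recursive watch would cover the kernel key from the log entry above. The function names, the path-plus-pattern representation of a watch entry, and the case-insensitive glob matching against the full key path are assumptions. The HKEY_CLASSES_ROOT expansion follows Microsoft's description of it as a merged view of HKEY_LOCAL_MACHINE\Software\Classes and the user's Software\Classes.

```python
import fnmatch

# Values copied from the driver log entry on this page.
SID = "S-1-5-21-138434890-818224588-799959843-500"
LOGGED_KEY = "\\REGISTRY\\USER\\" + SID + "_CLASSES\\.ttt"

ABBREV = {"HKCU": "HKEY_CURRENT_USER", "HKCR": "HKEY_CLASSES_ROOT",
          "HKU": "HKEY_USERS", "HKLM": "HKEY_LOCAL_MACHINE"}
# Kernel-level names of the two real roots, as they appear in "Reg Key".
KERNEL_ROOT = {"HKEY_USERS": "\\REGISTRY\\USER",
               "HKEY_LOCAL_MACHINE": "\\REGISTRY\\MACHINE"}


def resolve_watch_path(path, user_sid):
    """Return the alias-free path(s) to configure in place of `path`."""
    root, _, rest = path.strip("\\").partition("\\")
    root = ABBREV.get(root.upper(), root.upper())
    tail = "\\" + rest if rest else ""
    if root == "HKEY_CURRENT_USER":
        # Context-dependent alias: pin it to one user's SID.
        return ["HKEY_USERS\\" + user_sid + tail]
    if root == "HKEY_CLASSES_ROOT":
        # Merged view of the per-user and machine-wide class subtrees.
        return ["HKEY_USERS\\" + user_sid + "\\Software\\Classes" + tail,
                "HKEY_LOCAL_MACHINE\\Software\\Classes" + tail]
    if root in KERNEL_ROOT:
        return [root + tail]
    raise ValueError("unsupported registry root: " + root)


def to_kernel_path(resolved):
    """Map HKEY_USERS\\... or HKEY_LOCAL_MACHINE\\... to its \\REGISTRY\\... form."""
    root, _, rest = resolved.partition("\\")
    return KERNEL_ROOT[root] + ("\\" + rest if rest else "")


def rule_covers(watch_dir, pattern, kernel_key, user_sid):
    """True if a recursive watch on watch_dir with pattern matches kernel_key.
    Assumption: patterns are case-insensitive globs, as *TTT* in the log suggests."""
    key = kernel_key.upper()
    for resolved in resolve_watch_path(watch_dir, user_sid):
        base = to_kernel_path(resolved).upper()
        under = key == base or key.startswith(base + "\\")
        if under and fnmatch.fnmatchcase(key, pattern.upper()):
            return True
    return False


if __name__ == "__main__":
    for d in ("HKEY_USERS", "HKEY_CURRENT_USER\\Software\\Classes"):
        print(d, resolve_watch_path(d, SID), rule_covers(d, "*ttt*", LOGGED_KEY, SID))
```

Run against the logged key, the recursive HKEY_USERS watch matches, while a watch expressed through HKEY_CURRENT_USER\Software\Classes does not, even after the alias is pinned to the user's SID.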

In a 64-bit Windows configuration, the WOW64 subsystem performs additional remapping and aliasing depending on whether an app is 32-bit or 64-bit. For more information, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa384253(v=vs.85).aspx

Last modified
20:00, 22 Jun 2016
