Mark Cochrane's RegKeytoMof

Edit: New version v2.5 released!

Edit: new version v2 released!  Mark added x64 support, and the subkeys type of regkey mof edit.

Mark Cochrane (System Center Configuration Manager MVP) released an excellent tool to assist with your custom MOF snippet creations, RegkeyToMof.  (The old version 1 is still available if you want it, but use v2.)

To use it, run regkeytomof on a box which has the regkeys you want to gather, and browse in the top window to the regkey location until you see the keys & values you want on the right.  Then, below in the middle-right, give it a ClassGroup (like CUSTOM) and a ClassName (this must be unique for each custom mof edit you do, but the ClassGroup of CUSTOM can always be CUSTOM), then just copy & paste the results for configuration.mof & sms_def.mof.
If there are values that you don't want to see in your database, before you save sms_def.mof, just change those from TRUE to FALSE.  (Leave them defined, but change them to FALSE; the definitions need to be consistent.)

For example, I've been meaning to make up a Microsoft Forefront client mof edit, similar to the ones available for McAfee and Symantec, for client AV signature info.  Mark's tool made it much easier.  If you look at the below screenshot, I just browsed until I found the regkeys I wanted (in Software\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates).  On the right, I could see there were entries for AVSignatureVersion and ASSignatureVersion.  Looks like just what I wanted!

In the middle, I changed the ClassGroup to CUSTOM.  I always use CUSTOM for my custom edits.  That helps me to differentiate anything I've done from a 'real' mof snippet from Microsoft.  If you like, you could use any name, but I would keep it short and consistent, with no spaces; e.g., if you work for ACME Corporation, use something like ACMECorp.  The ClassName must be unique for each custom edit you make.  For example, let's say that one day there will be a Microsoft Forefront version 2.0, and that clients' info goes into a completely different area of the registry.  But for a time, I might need to gather both 1.0 keys and 2.0 keys.  So I couldn't call both of the ClassNames "MSForefront".  That's why in my sample I called it MSForefront1, anticipating that one day there will be a MSForeFront2 I'll want to have.  Also, for the ClassName, no spaces.  And don't use _ (e.g., don't use MS_ForeFront_1.0).  I think you *can* use them, but in some places within your database tables/views, you might end up with double _; that just feels messy to me.  So avoid the whole thing and don't use spaces or underscores.  AND keep it short.

So, cool; I've got my edits.  I'm using Configuration Manager, so I need the results from the SCCM Configuration.mof and SCCM sms_def.mof.  Now, to check them.  Hm... do I really need AVSignatureApplied?  I could, I suppose.. but if I *do* want them, if I actually go look at the registry, those binary values are multi binary, not just 1 entry for binary of 0 vs 1.  It's hard to programmatically see that with regkeytomof, so it's not already set to be multi; but if I DID want to gather that info, I just need to add the [] to those entries.  But actually... those values don't really mean much to me.  They aren't in any kind of calendar date format that makes sense to me.  So I would likely just change those from TRUE to FALSE anyway.  So I'd end up with this.  And it only took me about 10 minutes to get that edit together, and make decisions about TRUE vs. FALSE.  Easy!

// configuration.mof for MS Forefront 1.0 Client Signatures
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("MSForeFront1", NOFAIL)
[DYNPROPS]
Class MSForeFront1
{
[key] string KeyName;
String EngineVersion;
String AVSignatureVersion;
String ASSignatureVersion;
Boolean ASSignatureApplied[];
Boolean AVSignatureApplied[];
String SignatureLocation;
};
[DYNPROPS]
Instance of MSForeFront1
{
keyname="SystemCenter.fr";
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Microsoft Forefront\\Client Security\\1.0\\AM\\Signature Updates|EngineVersion"),Dynamic,Provider("RegPropProv")] EngineVersion;
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Microsoft Forefront\\Client Security\\1.0\\AM\\Signature Updates|AVSignatureVersion"),Dynamic,Provider("RegPropProv")] AVSignatureVersion;
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Microsoft Forefront\\Client Security\\1.0\\AM\\Signature Updates|ASSignatureVersion"),Dynamic,Provider("RegPropProv")] ASSignatureVersion;
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Microsoft Forefront\\Client Security\\1.0\\AM\\Signature Updates|ASSignatureApplied"),Dynamic,Provider("RegPropProv")] ASSignatureApplied;
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Microsoft Forefront\\Client Security\\1.0\\AM\\Signature Updates|AVSignatureApplied"),Dynamic,Provider("RegPropProv")] AVSignatureApplied;
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Microsoft Forefront\\Client Security\\1.0\\AM\\Signature Updates|SignatureLocation"),Dynamic,Provider("RegPropProv")] SignatureLocation;
};

//sms_def.mof for MS Forefront 1.0 Client Signatures
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("MSForeFront1", NOFAIL)
[SMS_Report(TRUE),SMS_Group_Name("MSForeFront1"),SMS_Class_ID("CUSTOM|MSForeFront1|1.0")]
Class MSForeFront1: SMS_Class_Template
{
[SMS_Report(TRUE),key] string KeyName;
[SMS_Report(TRUE)] String EngineVersion;
[SMS_Report(TRUE)] String AVSignatureVersion;
[SMS_Report(TRUE)] String ASSignatureVersion;
[SMS_Report(FALSE)] Boolean ASSignatureApplied[];
[SMS_Report(FALSE)] Boolean AVSignatureApplied[];
[SMS_Report(FALSE)] String SignatureLocation;
};
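
A consistency check for the two snippets above, as an added example that is not part of the original post or of RegKeyToMof: it parses the class declaration from each file and reports any property whose name, type or [] differs between configuration.mof and sms_def.mof, plus a ClassName containing an underscore. The regex reader only handles this simple snippet layout, and the function names are hypothetical.

```python
import re
# Constructed sample input: the class declarations from the two snippets in this post.
CONFIG_MOF = """Class MSForeFront1
{
[key] string KeyName;
String EngineVersion;
String AVSignatureVersion;
String ASSignatureVersion;
Boolean ASSignatureApplied[];
Boolean AVSignatureApplied[];
String SignatureLocation;
};"""
SMS_DEF_MOF = """Class MSForeFront1: SMS_Class_Template
{
[SMS_Report(TRUE),key] string KeyName;
[SMS_Report(TRUE)] String EngineVersion;
[SMS_Report(TRUE)] String AVSignatureVersion;
[SMS_Report(TRUE)] String ASSignatureVersion;
[SMS_Report(FALSE)] Boolean ASSignatureApplied[];
[SMS_Report(FALSE)] Boolean AVSignatureApplied[];
[SMS_Report(FALSE)] String SignatureLocation;
};"""

CLASS_RE = re.compile(r"^\s*class\s+(\w+)[^{]*\{(.*?)\}\s*;", re.I | re.S | re.M)
PROP_RE = re.compile(r"^\s*(?:\[([^\]]*)\]\s*)?(\w+)\s+(\w+)\s*(\[\])?\s*;", re.M)

def parse_class(mof):
    """Return (class name, {property: (type, is_array, reported)}) for the first class."""
    m = CLASS_RE.search(mof)
    if m is None:
        raise ValueError("no class declaration found")
    props = {}
    for quals, typ, name, arr in PROP_RE.findall(m.group(2)):
        reported = "sms_report(true)" in quals.lower().replace(" ", "")
        props[name.lower()] = (typ.lower(), bool(arr), reported)
    return m.group(1), props

def check(config_mof, sms_def_mof):
    """List inconsistencies between the data class and the reporting class."""
    (cname, cprops), (sname, sprops) = parse_class(config_mof), parse_class(sms_def_mof)
    issues = [f"class name {sname} contains an underscore"] if "_" in sname else []
    if cname.lower() != sname.lower():
        issues.append(f"class name differs: {cname} vs {sname}")
    for name in sorted(set(cprops) | set(sprops)):
        if name not in cprops or name not in sprops:
            issues.append(f"{name}: declared in only one file")
        elif cprops[name][:2] != sprops[name][:2]:
            issues.append(f"{name}: type or [] differs")
    return issues
```

Calling check(CONFIG_MOF, SMS_DEF_MOF) on the snippets as posted returns an empty list; deleting a property from sms_def.mof instead of setting it to FALSE, or adding [] in only one file, shows up as an issue.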

 

Published Monday, April 13, 2009 9:30 PM by skissinger

Comments

# re: Mark Cochrane's RegKeytoMof

WOW ..  I just used this this morning ...  Way Cool !

Tuesday, April 14, 2009 7:44 AM by hwilson542