Device Query: Dead of 64-bits

Last Updated on February 3, 2024 by rudyooms

This blog is going to show you why the new Device Query Intune Suite feature could give you the wrong information when you are using the WindowsRegistry entity to retrieve some registry keys from your device!

I will divide this blog into multiple parts:

  1. Introduction
  2. What’s happening?
  3. Programs
  4. The flow

1. Introduction

This week a new feature Device Query was officially released. With Device Query, we could query the device to get some real-time insights into the device.

I decided to take a deep dive into how the Device KQL Query will be sent to your device and how the Intune management extension is going to execute it for you.

Intune Device Query | Real-Time insights | Pivot | KQL (call4cloud.nl)

While spending time on that blog, I also ran into some issues in which the device query was not running at all. I decided to also take a closer look at how we could solve it and how people could troubleshoot Device Query when they run into some issues.

Device Query | An Error occurred. Try Running the query again (call4cloud.nl)

So, 2 blogs about Device Query, job done right? Nope… with the official release of Device Query, my tenant was also flighted for DataProtection (end-to-end encryption). With this IME feature, I could now query the Windows registry in a protected way.

From there on I decided to take a look to see if we could use device query to query some specific registry keys from our device.

For example, this is the DCLAPS registry key we previously used to temporarily store the LAPS admin password so we could retrieve it with our RMM tool.


After selecting the proper device and opening the Device Query tab, I entered the command to fetch that registry key and pressed “Run”.


As shown above… No results to show? That’s definitely weird, because I know for sure that the registry key is there. To be sure I wasn’t going mad, I also took a look at a different registry key to find out whether only the Microsoft registry key was affected or other ones as well.

As shown above, that device registry key sitting directly in the root of the SOFTWARE key has the same outcome: no results!

2. What’s happening?

What’s happening? Why am I not getting the proper results back? No error, just no results to show? That’s weird! Luckily Procmon was also running. Guess what it showed me!


As shown above, the 32-bit IntuneWindowsAgent was trying to find the registry key in the corresponding 32-bit registry view on my 64-bit device. That Wow6432Node registry node doesn’t hold the DCLAPS key!

Let’s add the same DCLAPS registry key inside the Wow6432Node, as shown below.

This time, when running the same device query, we get results! As shown below, we now get the contents of the Wow6432Node DCLAPS registry key!

Let me give a brief explanation of what is going on: when a 32-bit program runs on WOW64, it naturally looks at the 32-bit part of the registry. Similarly, a 64-bit program checks the 64-bit section of the registry. However, certain settings allow a 32-bit program to peek into the 64-bit part, and vice versa for a 64-bit program. These settings don’t influence shared registry entries.

Registry Keys Affected by WOW64 – Win32 apps | Microsoft Learn

Of course, this is not something new, as I have been talking about this issue in one of my older blogs. In that blog, I am using the sysnative path to make sure I am looking at the proper registry key.

From there on I started wondering, if maybe adding the KEY_WOW64_64KEY to the access request could solve it… Something like this I assume?

#include <Windows.h>

int main() {
    HKEY hKey;
    // Use the ANSI variant explicitly so the narrow string literal compiles regardless of UNICODE;
    // KEY_WOW64_64KEY asks for the 64-bit registry view even when called from a 32-bit (WOW64) process
    LONG result = RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\DCLAPS", 0,
                                KEY_READ | KEY_WOW64_64KEY, &hKey);
    if (result == ERROR_SUCCESS) {
        // Successfully opened the key in the 64-bit registry view
        // Do your operations here
        RegCloseKey(hKey);
    } else {
        // Handle error (e.g. ERROR_FILE_NOT_FOUND when the key does not exist in that view)
    }
    return 0;
}

But this is definitely something Microsoft needs to take a look at: how they could fix the fact that Device Query looks at the 32-bit registry keys.
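To check which registry view a key actually lives in before blaming the query, the same lookup can be done from PowerShell against both views. The script below is an added example and not code from the blog or from Intune; it assumes the DCLAPS path used above and prints only value names, never value data, because that key holds a password. Opening the base key with an explicit RegistryView is the .NET equivalent of the KEY_WOW64_64KEY / KEY_WOW64_32KEY flags on RegOpenKeyEx, so the result is the same whether you run it from a 32-bit or a 64-bit PowerShell.

```powershell
# Added example (not from the blog): read the same HKLM path through the
# 32-bit view (what a WOW64 process such as IntuneWindowsAgent sees, i.e.
# SOFTWARE\WOW6432Node\...) and through the 64-bit view.

function Get-RegistryValuesByView {
    param(
        [Parameter(Mandatory)] [string] $SubKeyPath,
        [Parameter(Mandatory)] [Microsoft.Win32.RegistryView] $View
    )
    # OpenBaseKey with an explicit view bypasses WOW64 redirection for the caller's bitness
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKeyPath)
        if ($null -eq $key) {
            return $null    # the key does not exist in this view
        }
        try {
            $values = @{}
            foreach ($name in $key.GetValueNames()) {
                $values[$name] = $key.GetValue($name)
            }
            return $values
        } finally { $key.Close() }
    } finally { $base.Close() }
}

# Path from the blog; change it to whatever key your query is not finding
$path = 'SOFTWARE\Microsoft\DCLAPS'

foreach ($view in 'Registry32', 'Registry64') {
    $result = Get-RegistryValuesByView -SubKeyPath $path -View $view
    if ($null -eq $result) {
        '{0,-10}: HKLM\{1} not found in this view' -f $view, $path
    } else {
        # Only value names are shown on purpose: the data may be a LAPS password
        '{0,-10}: {1} value(s) -> {2}' -f $view, $result.Count, ($result.Keys -join ', ')
    }
}
```

If the key shows up under Registry64 but not Registry32, a 32-bit-only lookup will return nothing, which is exactly the "No results to show" behaviour described above.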

3. Programs

After noticing that the WindowsRegistry entity was using the Win32 registry key function, I was wondering if there was more. I started digging into the Pivot DLL itself to find out whether more entities rely on the 32-bit registry key functionality.

After a few seconds, I stumbled upon the ‘Program’ entity that is missing from the Intune Device Query GUI.

This entity, which is used to fetch the applications installed on your device, also uses the win32_registry function.

If we execute the Program entity device query, a command is sent to the device to query the Uninstall registry key and its subkeys.


If we take a look at Procmon, we notice that this Program entity also opens the 32-bit registry node (Wow6432Node).


Guess what output we get? All 32-bit applications! No 64-bit application is mentioned in the results. So, for example, the important 64-bit version of OneDrive will not be shown!
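To see how much a 32-bit-only inventory misses on a given device, the Uninstall key can be enumerated through both registry views and compared. This script is an added example, not the Pivot DLL's own code; it assumes the standard HKLM Uninstall path and only looks at per-machine installs (per-user entries under HKCU are out of scope, as they are for the Program entity described above).

```powershell
# Added example (not from the blog or the Pivot DLL): list installed programs
# from HKLM\...\Uninstall in the 32-bit and 64-bit views and report which
# entries a 32-bit-only lookup, like the Program entity's, would never return.

function Get-InstalledProgramsByView {
    param([Parameter(Mandatory)] [Microsoft.Win32.RegistryView] $View)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $uninstall = $base.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall')
        if ($null -eq $uninstall) { return @() }
        try {
            $programs = foreach ($name in $uninstall.GetSubKeyNames()) {
                $sub = $uninstall.OpenSubKey($name)
                if ($null -eq $sub) { continue }
                try {
                    # Entries without a DisplayName are not shown in Programs and Features either
                    $displayName = $sub.GetValue('DisplayName')
                    if ([string]::IsNullOrWhiteSpace($displayName)) { continue }
                    [pscustomobject]@{
                        View        = $View
                        KeyName     = $name
                        DisplayName = $displayName
                        Version     = $sub.GetValue('DisplayVersion')
                    }
                } finally { $sub.Close() }
            }
            return @($programs)
        } finally { $uninstall.Close() }
    } finally { $base.Close() }
}

$apps32 = Get-InstalledProgramsByView -View Registry32
$apps64 = Get-InstalledProgramsByView -View Registry64

# Uninstall subkey names (often product GUIDs) identify an entry within a view
$seen32 = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($app in $apps32) { [void]$seen32.Add($app.KeyName) }

# Programs present only in the 64-bit view never appear in a 32-bit-only query
$only64 = @($apps64 | Where-Object { -not $seen32.Contains($_.KeyName) })

'32-bit view (Wow6432Node): {0} programs' -f $apps32.Count
'64-bit view              : {0} programs' -f $apps64.Count
'Missing from a 32-bit-only query: {0}' -f $only64.Count
$only64 | Sort-Object DisplayName | Format-Table DisplayName, Version, KeyName -AutoSize
```

On a typical 64-bit Windows client the "missing" list is where the 64-bit installs (the 64-bit OneDrive mentioned above, most modern browsers and agents) end up, which is why a software inventory built on the 32-bit view alone cannot be trusted for compliance checks.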


4. The Flow

As shown below, the corresponding WindowsRegistry flow.

Please note: I manually added that warning to the Device Query known-limitations FAQ.

Conclusion

I love Device Query and the power it could give us to retrieve actual information from the device. I am hoping that Microsoft will find a way to retrieve the 64-bit registry keys on the device! For now, we need to be aware of the fact that it tries to find the 32-bit information!
