I can only show you the Programs Entity, you’re the one that has to Device Query it!

Last Updated on April 10, 2024 by rudyooms

In this small blog, I will examine how the Programs entity in the Intune Suite feature called Device Query is a work in progress. I will update this blog every time I notice a change in the CmPivot IntunePivot DLL.

I will divide this blog into multiple parts:

  1. Introduction
  2. Programs Entity
  3. 32 bits / 64 bits

1. Introduction

After noticing that the Windows Registry entity 32-bit issue was fixed, I wondered if there was more. I started digging into the IntunePivot DLL to determine if more entities rely on the Win32-bit registry key functionality. After a few seconds, I stumbled upon the ‘Program’ entity.

Because this Program entity seems to be missing from the Intune Device Query GUI, I became interested in it.

2. Programs Entity

Even though the Programs entity is missing from the properties list, we can still execute the Programs entity device query.

When we execute this device query, a command will be sent to the device to query which programs are installed.

Things become more evident when looking at IntunePivot.dll and searching for the Programs entity. The Programs entity fetches the applications installed on your device (GetProgramsFromRegistry).

If we look at the output, it lists the installed applications based on the uninstall information it got from the Uninstall registry keys.

As you might already have guessed, the IME is a 32-bit app, so the query defaults to the WOW6432Node!

3. 32 bits / 64 bits

If we take a look at Procmon, we will notice that this Programs entity only opens the 32-bit HKLM registry node (WOW6432Node).

Guess what output we get? Again, only the 32-bit applications will be mentioned in the results. So, for example, the 64-bit version of 7-Zip will NOT be shown in the results!

When we take a closer look at the code, we will notice that it does not contain any logic to fetch the 64-bit registry key.

I guess Microsoft needs to implement the same fix as they did with the registry entity—this RegistryView.Registry64 fix will ensure that the program can access the 64-bit view of the registry, regardless of whether it’s running as a 32-bit or 64-bit process.

So, my idea? Just add this part to the code?

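{
    // Open the base key in the 64-bit view explicitly, so a 32-bit process is not redirected to WOW6432Node.
    RegistryKey baseKey = isUser ? RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Registry64) : RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64);
    // Open the subkey at keyLoc relative to that 64-bit base key.
    RegistryKey registryKey1 = baseKey.OpenSubKey(keyLoc);
}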
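
To check on a device what a WOW6432Node-only query leaves out, the following PowerShell is an added example (not code from this blog or from IntunePivot.dll): it opens the HKLM Uninstall key in both registry views explicitly and lists the entries that exist only in the 64-bit view. The helper name Get-UninstallEntries and the choice to match entries on DisplayName plus DisplayVersion are assumptions made for this example.

```powershell
# Added example. HKLM Uninstall path, relative to the hive root.
$uninstallPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# Hypothetical helper: list Uninstall entries as seen through one registry view.
function Get-UninstallEntries {
    param(
        [Parameter(Mandatory)]
        [Microsoft.Win32.RegistryView]$View
    )
    # Requesting the view explicitly makes the result independent of process bitness.
    $baseKey = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $uninstallKey = $baseKey.OpenSubKey($uninstallPath)
        if ($null -eq $uninstallKey) { return }
        try {
            foreach ($name in $uninstallKey.GetSubKeyNames()) {
                $sub = $uninstallKey.OpenSubKey($name)
                if ($null -eq $sub) { continue }
                try {
                    $displayName = [string]$sub.GetValue('DisplayName')
                    # Skip entries without a display name.
                    if ([string]::IsNullOrWhiteSpace($displayName)) { continue }
                    [pscustomobject]@{
                        DisplayName    = $displayName
                        DisplayVersion = [string]$sub.GetValue('DisplayVersion')
                        KeyName        = $name
                    }
                } finally { $sub.Dispose() }
            }
        } finally { $uninstallKey.Dispose() }
    } finally { $baseKey.Dispose() }
}

$view32 = @(Get-UninstallEntries -View Registry32)   # what a WOW6432Node-only query sees
$view64 = @(Get-UninstallEntries -View Registry64)   # the native 64-bit view

# Index the 32-bit view by name and version (hashtable keys are case-insensitive).
$seenIn32 = @{}
foreach ($e in $view32) { $seenIn32["$($e.DisplayName)|$($e.DisplayVersion)"] = $true }

# Entries present only in the 64-bit view are the ones missing from the results.
$only64 = @($view64 | Where-Object {
    -not $seenIn32.ContainsKey("$($_.DisplayName)|$($_.DisplayVersion)") })

'{0} entries in 32-bit view, {1} in 64-bit view, {2} only in 64-bit view' -f $view32.Count, $view64.Count, $only64.Count
$only64 | Sort-Object DisplayName | Format-Table DisplayName, DisplayVersion, KeyName -AutoSize
```

Run it on a 64-bit Windows device, from either a 32-bit or a 64-bit PowerShell host. The final table holds the entries that a query limited to the 32-bit view does not return, such as the 64-bit version of 7-Zip when it is installed.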

Conclusion

Hopefully Microsoft is going to add the Programs entity to Device Query once they have fixed it the same way they did with the 64-bit registry entity issue!
