Call4Cloud | MMP-C | Autopilot | Device Preparation

I can only show you the Programs Entity, you’re the one that has to Device Query it!

Patch My Pc | install & update thousands of apps

This small blog will examine how the Program entity in the Intune suite feature Device Query is a work in progress. I will update this blog every time I notice a change in the CmPivot IntunePivot DLL

1. Introduction

After noticing that the Windows Registry entity 32-bit issue was fixed, I wondered if there was more. I started digging into the IntunePivot DLL to determine if more entities rely on the Win32-bit registry key functionality. After a few seconds, I stumbled upon the ‘Program‘ entity.

Device Query Programs Entity

With this program entity that seems to be missing from the Intune Device Query GUI, I became interested in it.

Afbeelding met tekst, schermopname, Lettertype, ontwerp  Automatisch gegenereerde beschrijving

2. WMI Programs Entity

Even though the program entity is missing from the properties List, we can still execute the Programs entity device query.

Device Query programs

When we execute this device query, a command will be sent to the device to query which programs are installed.

Things become more evident when looking at the IntunePivot.Dll and searching for the program entity. The Programs entity fetches the applications installed on your device (GetProgramsFromRegistry)

Intunepivot.dll showing the getprogramsfromregistry

If we look at the output, it will list the applications installed based on the Uninstall information it got from the uninstall registry registry keys.

As you already might have guessed, the IME is a 32-bit app that defaults the query to the wow6432node!

3. 32 bits / 64 bits

If we take a look at Procmon, we will notice that this program entity only opens the 32 bits HKLM registry node (wow6432node)

Afbeelding met tekst, schermopname, Lettertype, lijn  Automatisch gegenereerde beschrijving

Guess what output we get? Again, only the 32-bit applications will be mentioned in the results. So, for example, the 64-bit version of 7-Zip will NOT be shown in the results!

When we take a closer look at the code, we will notice that it does not contain any knowledge to fetch the 64-bit registry key.

I guess Microsoft needs to implement the same fix as they did with the registry entity—this RegistryView.Registry64 fix will ensure that the program can access the 64-bit view of the registry, regardless of whether it’s running as a 32-bit or 64-bit process.

So, my idea? Just add this part to the code?

{
RegistryKey baseKey = isUser ? RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Registry64) : RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64);
RegistryKey registryKey1 = baseKey.OpenSubKey(keyLoc);
}

Conclusion

Hopefully, Microsoft will add the Programs entity to Device Query when they fix it the same way they fixed the 64-bit registry entity issue!

Leave a Reply

Your email address will not be published. Required fields are marked *

  −  3  =  1

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.