This repository has been archived by the owner on Jul 14, 2021. It is now read-only.

Inspec Registry issues due to 32bit Ruby #1317

Closed
trickyearlobe opened this issue Jul 11, 2017 · 1 comment

Description

64 bit ChefClient ships with a 64 bit Ruby and behaves correctly when accessing the registry
64 bit ChefDK ships with a 32 bit Ruby and behaves incorrectly when accessing the registry

When a 32 bit process tries to access certain parts of the registry on 64 bit Windows, the access is transparently redirected to another location. Microsoft call this "Registry Reflection". For example:-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\... gets redirected to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\...

This causes both chef-client runs and Inspec to access the wrong branch of the registry when using ChefDK. For Inspec in particular, a large number of inspec tests incorrectly report compliance failures during profile development.

The problem for Chef client runs is partially referenced in Chef documentation at https://docs.chef.io/resource_registry_key.html

The problem is not currently referenced in the Inspec documentation.

ChefDK Version

2.0.26 and 1.5.0

Platform Version

Windows 2012R2 x86_64

Possible fix

Upgrade ChefDK to a 64 bit Ruby

Replication Case

Use regedit to create a REG_SZ key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon with a value '0'

Create an inspec profile containing a control like this:-

title 'Problem with Registry Keys'

control 'WinLogon' do
  impact 0.7
  title 'AutoLogin'
  desc 'Check the AutoLogin property'
  describe registry_key('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon') do # The actual test
    it { should have_property 'AutoAdminLogon' }
    its('AutoAdminLogon') { should eq '0' }
  end
end

Execute it locally with inspec exec my_test_profile and see it fail
Execute it locally with a 64bit ruby and see it pass.

Execute it against the local machine over WinRM (which launches a remote 64 bit process) and see it pass: inspec exec -t winrm://user:pass@localhost

Proving the point with pure ruby/powershell

Inspec shells out to Powershell to get registry entries. We can do the same.
Run the following Ruby code using the ChefDK 32 bit ruby and repeat with a 64 bit ruby

key='HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'
results = `powershell Get-Item('Registry::#{key}')`
puts results

Note the difference in values/properties returned.

Results from ChefDK 32bit Ruby

Returns 5 values/properties from the redirected key

PS C:\Users\Administrator\repos\scripts> C:\opscode\chefdk\embedded\bin\ruby.exe .\regtest.rb


    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion


Name                           Property
----                           --------
Winlogon                       Userinit              : userinit.exe
                               Shell                 : explorer.exe
                               VMApplet              : SystemPropertiesPerformance.exe /pagefile
                               DefaultDomainName     :
                               PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16}
                               DefaultUserName       :


PS C:\Users\Administrator\repos\scripts>

Results from 64 bit Ruby

Returns 23 values/properties from the real key

PS C:\Users\Administrator\repos\scripts> C:\Ruby23-x64\bin\ruby.exe .\regtest.rb


    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion


Name                           Property
----                           --------
Winlogon                       Userinit               : C:\Windows\system32\userinit.exe,
                               LegalNoticeText        :
                               Shell                  : explorer.exe
                               LegalNoticeCaption     :
                               DebugServerCommand     : no
                               ForceUnlockLogon       : 0
                               ReportBootOk           : 1
                               VMApplet               : SystemPropertiesPerformance.exe /pagefile
                               AutoRestartShell       : 1
                               PowerdownAfterShutdown : 0
                               ShutdownWithoutLogon   : 0
                               Background             : 0 0 0
                               PreloadFontFile        : SC-Load.All
                               PasswordExpiryWarning  : 5
                               CachedLogonsCount      : 10
                               WinStationsDisabled    : 0
                               PreCreateKnownFolders  : {A520A1A4-1780-4FF6-BD18-167343C5AF16}
                               DisableCAD             : 1
                               scremoveoption         : 0
                               ShutdownFlags          : 19
                               AutoLogonSID           : S-1-5-21-991527187-3615549189-1026282882-1001
                               LastUsedUsername       : vagrant
                               AutoAdminLogon         : 0


PS C:\Users\Administrator\repos\scripts>
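
Added example, not part of the original issue and not InSpec or ChefDK code: a Ruby sketch that detects a 32-bit Ruby on 64-bit Windows, picks the 64-bit PowerShell through the `Sysnative` alias so the query is not redirected, and diffs the two registry views to show which properties the redirected view hides. All function names are hypothetical, and the sample output is constructed (abbreviated from the output above).

```ruby
# Added example, not InSpec or ChefDK code. All function names are hypothetical
# and the sample Get-Item output is constructed (abbreviated from the issue).

# Windows sets PROCESSOR_ARCHITEW6432 only for a 32-bit process running on a
# 64-bit OS (WOW64), which is the case where registry access is redirected.
def wow64_process?(env = ENV)
  !env.fetch('PROCESSOR_ARCHITEW6432', '').empty?
end

# From a WOW64 process, System32 resolves to the 32-bit SysWOW64 directory, so
# a bare "powershell" is the 32-bit build. Sysnative reaches the 64-bit one.
def powershell_path(env = ENV)
  dir = wow64_process?(env) ? 'Sysnative' : 'System32'
  [env.fetch('SystemRoot', 'C:\\Windows'), dir,
   'WindowsPowerShell', 'v1.0', 'powershell.exe'].join('\\')
end

# argv form avoids shell quoting; on Windows: IO.popen(argv, &:read)
def registry_query_argv(key, env = ENV)
  [powershell_path(env), '-NoProfile', '-Command', "Get-Item 'Registry::#{key}'"]
end

# Property names from Get-Item's table output ("Name  Property : value" rows).
def property_names(get_item_output)
  get_item_output.lines.map { |line| line[/^\S*\s+(\S+)\s+:/, 1] }.compact
end

# Properties visible in the 64-bit view but absent from the redirected view.
def hidden_by_redirection(view32, view64)
  property_names(view64) - property_names(view32)
end

VIEW_32 = <<~'OUT'
  Name       Property
  ----       --------
  Winlogon   Userinit        : userinit.exe
             Shell           : explorer.exe
             DefaultUserName :
OUT

VIEW_64 = <<~'OUT'
  Name       Property
  ----       --------
  Winlogon   Userinit        : C:\Windows\system32\userinit.exe,
             Shell           : explorer.exe
             AutoAdminLogon  : 0
OUT

p hidden_by_redirection(VIEW_32, VIEW_64)
```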

lock bot commented May 12, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
