✨ Fetch registry packages for Windows filesystem connections

Signed-off-by: Preslav <preslav@mondoo.com>
mondoohq · Jun 7, 2024 · 6dbe256 · 6dbe256
1 parent f63ece7
commit 6dbe256
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 7 deletions.
diff --git a/providers/os/registry/registryhandler.go b/providers/os/registry/registryhandler.go
@@ -101,3 +101,11 @@ func (r *RegistryHandler) GetRegistryItemValue(registryId string, path, key stri
 	}
 	return GetNativeRegistryKeyItem(regPath, key)
 }
+
+func (r *RegistryHandler) GetNativeRegistryKeyChildren(registryId string, path string) ([]RegistryKeyChild, error) {
+	regPath, err := r.getRegistryKeyPath(registryId, path)
+	if err != nil {
+		return nil, err
+	}
+	return GetNativeRegistryKeyChildren(regPath)
+}
diff --git a/providers/os/resources/packages/windows_packages.go b/providers/os/resources/packages/windows_packages.go
@@ -224,20 +224,15 @@ func (w *WinPkgManager) getLocalInstalledApps() ([]Package, error) {
 	}
 	packages := []Package{}
 	for _, r := range pkgs {
-		// we get all the packages, found under the pkgs paths
 		children, err := registry.GetNativeRegistryKeyChildren(r)
 		if err != nil {
 			continue
 		}
 		for _, c := range children {
-			// for each package the information is contained as items of that registry's key,
-			// so we request the items under the fully qualified path
-			items, err := registry.GetNativeRegistryKeyItems(c.Path + "\\" + c.Name)
+			p, err := getPackageFromRegistryKey(c)
 			if err != nil {
-				log.Debug().Err(err).Str("path", c.Path).Msg("could not read registry key children")
-				continue
+				return nil, err
 			}
-			p := getPackageFromRegistryKeyItems(items)
 			if p == nil {
 				continue
 			}
@@ -252,13 +247,68 @@ func (w *WinPkgManager) getInstalledApps() ([]Package, error) {
 		return w.getLocalInstalledApps()
 	}
 
+	if w.conn.Type() == shared.Type_FileSystem {
+		return w.getFsInstalledApps()
+	}
+
 	cmd, err := w.conn.RunCommand(powershell.Encode(installedAppsScript))
 	if err != nil {
 		return nil, fmt.Errorf("could not read app package list")
 	}
 	return ParseWindowsAppPackages(cmd.Stdout)
 }
 
+func (w *WinPkgManager) getFsInstalledApps() ([]Package, error) {
+	rh := registry.NewRegistryHandler()
+	defer func() {
+		err := rh.UnloadSubkeys()
+		if err != nil {
+			log.Debug().Err(err).Msg("could not unload registry subkeys")
+		}
+	}()
+	fi, err := w.conn.FileInfo(registry.SoftwareRegPath)
+	if err != nil {
+		log.Debug().Err(err).Msg("could not find SOFTWARE registry key file")
+		return nil, err
+	}
+	err = rh.LoadSubkey(registry.Software, fi.Path)
+	if err != nil {
+		log.Debug().Err(err).Msg("could not load SOFTWARE registry key file")
+		return nil, err
+	}
+	pkgs := []string{
+		"Microsoft\\Windows\\CurrentVersion\\Uninstall",
+		"Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
+	}
+	packages := []Package{}
+	for _, r := range pkgs {
+		children, err := rh.GetNativeRegistryKeyChildren(registry.Software, r)
+		if err != nil {
+			continue
+		}
+		for _, c := range children {
+			p, err := getPackageFromRegistryKey(c)
+			if err != nil {
+				return nil, err
+			}
+			if p == nil {
+				continue
+			}
+			packages = append(packages, *p)
+		}
+	}
+	return packages, nil
+}
+
+func getPackageFromRegistryKey(key registry.RegistryKeyChild) (*Package, error) {
+	items, err := registry.GetNativeRegistryKeyItems(key.Path + "\\" + key.Name)
+	if err != nil {
+		log.Debug().Err(err).Str("path", key.Path).Msg("could not read registry key children")
+		return nil, err
+	}
+	return getPackageFromRegistryKeyItems(items), nil
+}
+
 func getPackageFromRegistryKeyItems(children []registry.RegistryKeyItem) *Package {
 	var uninstallString string
 	var displayName string