Need to write an agent

Hello, I need to write an agent that checks several Windows registry settings, and possibly sends them off to a server (for compliance reports). Does anyone know if this already exists, or can possibly give me some hints as to which direction I should look?

I'm very new to Rust, but they say there's no better way to learn than to do it :wink:

If you're looking to write a service then I would recommend the windows-service crate.

Do you want to run a check for deviances on request/at intervals or do you want to do live monitoring? There's the winreg crate which I believe is the canonical go-to crate for using the Windows registry. There's also the registry crate which I used because there was something about it I found more convenient for one project, but I don't recall what it was.

If I recall correctly neither winreg nor registry can handle live monitoring of the registry (but you should definitely double-check that). If you need this you can use the [windows crate](https://crates.io/crates/windows) and call RegNotifyChangeKeyValue.

I will warn, however, that the windows crate has a few rough edges here and there, though it is improving pretty rapidly.

If you don't need live monitoring, and just want to run checks at certain intervals or on request, and the set of keys/values is known and somewhat limited, you might be able to get away with using the figment-winreg crate. It would allow you to specify the registry keys as a struct hierarchy, and fetch them using the figment crate. Basically:

// Imports added so the sketch compiles: Figment from the figment crate,
// RegistryProvider/FailStrategy from figment-winreg (import paths assumed),
// Deserialize from serde, HKEY_CURRENT_USER from winreg's enums module.
use figment::Figment;
use figment_winreg::{FailStrategy, RegistryProvider};
use serde::Deserialize;
use winreg::enums::HKEY_CURRENT_USER;

// Each struct maps onto one registry key; each field onto a value under it.
#[derive(Debug, Deserialize, PartialEq)]
struct SomeSubKey {
  name: String,
  age: u32,
}

#[derive(Debug, Deserialize, PartialEq)]
struct RootKey {
  // The registry subkey is called "SubKey"; rename the Rust field to match.
  #[serde(rename = "SubKey")]
  subkey: SomeSubKey,
  anotherstring: String,
}

fn some_function() {
  // ...

  // Skip values that are absent instead of failing the whole extraction.
  let fig = Figment::new().merge(
    RegistryProvider::new(HKEY_CURRENT_USER, r"Some\Registry\Path")
      .fail_strategy(FailStrategy::Skip)
  );

  let data: RootKey = fig.extract().unwrap();
  println!("Data: {:?}", data);

  // .. compare the registry values in data and data.subkey against known-good values
}

Hello @blonk, thank you for taking the time to explain this to me :slight_smile:

At this moment we use a tool called Velociraptor (https://docs.velociraptor.app). It's a tool for security research etc. What we do is, we have a set of keys that should have values to make Windows more secure.
So Key X should have value Y. We use the Velociraptor client to report the actual value. It reports these to a server that puts this value in a database. On the other end we have a webgui that makes pie charts of all these checks. If key X has value Z then we say "this value is not good and thus the system is less secure".

The Velociraptor client wasn't built for this. So while it's possible, it's not a very robust solution. So I am trying to learn Rust, to hopefully make a client/server that is specifically made for this :slight_smile: I want to open-source this tool because I feel the world could benefit from such a tool as open source. There are already such tools, but they are expensive or hard to use.

So the project will consist of a client part that checks some values and reports these back to the server (once a day is enough). But then I also need a way for the server to tell the client "these are the keys you need to check and report back". I am thinking gRPC would be the correct way to go for this? The server should then store this data in a database (but I think PostgreSQL would do well enough) and have a webgui for reporting (but I've done some reading about actix and tokio and so on). I think this webgui part is the easiest :slight_smile:

Okay so, I tried the figment-winreg crate but I couldn't get it to work. The winreg crate I got working :slight_smile:

So I am thinking... maybe I could import the regs to check as a JSON file, loop through it, output all the checks as JSON again and then send them off to the server by API or something :slight_smile:
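The loop described in the post splits cleanly into registry access and a compare-and-report step. The following is an added example (not the poster's code and not from any of the crates named in the thread) that sketches the second step: a `RegistryReader` trait that a winreg-backed implementation would satisfy on Windows, evaluation of each check into an "ok"/"mismatch"/"missing" status, and a hand-rolled JSON report; the trait, the mock registry and the key/value names are constructed placeholders for illustration.

```rust
/// Registry value types modelled here (assumption: baselines mostly use REG_DWORD and REG_SZ).
#[derive(Clone, Debug, PartialEq)]
pub enum RegValue { Dword(u32), Str(String) }
/// Registry abstraction so the check logic can be tested off-box; a real agent would
/// implement this trait with the winreg crate (assumed design, not a crate API).
pub trait RegistryReader {
    fn read(&self, key: &str, name: &str) -> Option<RegValue>;
}
/// "Key X, value name N should hold value Y", as the server would send it to the client.
pub struct Check { pub key: &'static str, pub name: &'static str, pub expected: RegValue }
/// One result line; the server stores the status and charts it.
pub struct Finding { pub key: String, pub name: String, pub status: &'static str }

pub fn evaluate(reader: &dyn RegistryReader, checks: &[Check]) -> Vec<Finding> {
    checks.iter().map(|c| {
        let status = match reader.read(c.key, c.name) {
            Some(v) if v == c.expected => "ok",
            Some(_) => "mismatch",
            None => "missing", // an absent value is a reportable finding, not an agent error
        };
        Finding { key: c.key.to_string(), name: c.name.to_string(), status }
    }).collect()
}
/// Hand-rolled JSON report so the example needs no serde; quotes and backslashes are escaped.
pub fn to_json(findings: &[Finding]) -> String {
    let esc = |s: &str| s.replace('\\', "\\\\").replace('"', "\\\"");
    let items: Vec<String> = findings.iter().map(|f| format!(
        r#"{{"key":"{}","name":"{}","status":"{}"}}"#, esc(&f.key), esc(&f.name), f.status)).collect();
    format!("[{}]", items.join(","))
}
/// Constructed in-memory registry standing in for winreg in this example.
pub struct MockRegistry(pub Vec<(&'static str, &'static str, RegValue)>);
impl RegistryReader for MockRegistry {
    fn read(&self, key: &str, name: &str) -> Option<RegValue> {
        self.0.iter().find(|(k, n, _)| *k == key && *n == name).map(|(_, _, v)| v.clone())
    }
}
/// Constructed sample: one compliant value, one deviating value, one absent value.
pub fn sample_run() -> Vec<Finding> {
    let reg = MockRegistry(vec![
        (r"HKLM\SOFTWARE\Example", "EnableFoo", RegValue::Dword(1)),
        (r"HKLM\SOFTWARE\Example", "Mode", RegValue::Str("legacy".into())),
    ]);
    let checks = [
        Check { key: r"HKLM\SOFTWARE\Example", name: "EnableFoo", expected: RegValue::Dword(1) },
        Check { key: r"HKLM\SOFTWARE\Example", name: "Mode", expected: RegValue::Str("strict".into()) },
        Check { key: r"HKLM\SOFTWARE\Example", name: "Missing", expected: RegValue::Dword(0) },
    ];
    evaluate(&reg, &checks)
}
```

`to_json(&sample_run())` yields the report the client would POST to the server; swapping `MockRegistry` for a winreg-backed reader is the only Windows-specific part.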
