Many times when troubleshooting vulnerabilities I find the entry "Should reboot before repairing a_particular_vul returned: 1" in the vulscan.log. It does not appear that this is necessarily related to items in the PendingFileRenameOperations key of the registry. What is LANDesk looking at when determining this value?
I found the answer. LANDesk writes a "needs reboot" flag in the registry under HKLM\Software\LANDesk\ManagementSuite\WinClient\VulscanReboot.
Actually, vulscan uses that key for special circumstances, mostly to prevent patches from installing twice. The normal key that is looked at to determine if a reboot is needed is:
This is a Windows standard location that tracks files that need to be replaced on reboot because they could not be replaced during the patch, application install or what have you.
Hi Tanner, when does the key VulscanReboot get cleared out? I have written a custom def to write a key to VulscanReboot. After patching it, it prompts for the snooze/reboot after patch, with no pendingfilerenameoper... key, which is what I want it to do. But after reboot and rescan, that key is still in VulscanReboot.
We use a special kind of registry key that is automatically deleted by Windows when the machine reboots. Something like this: MSDN: RegCreateKeyEx
Look about halfway down at the REG_OPTION_VOLATILE option.
Please note: I cannot say for sure that this is the method that is used by LANDesk. We just employ a similar functionality to cause the registry key to go away after a reboot.
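The volatile-key behaviour described in the last reply, as an added PowerShell example that is not part of the original thread and not LANDesk's code. The marker path `Software\ExampleCorp\PatchAgent\RebootPending` and both function names are hypothetical, and HKCU is used only so the script runs without elevation.

```powershell
# Added example. $MarkerPath is a hypothetical key, not one LANDesk uses.
$MarkerPath = 'Software\ExampleCorp\PatchAgent\RebootPending'

function Set-VolatileRebootMarker {
    param([string]$Reason = 'patch installed')
    # RegistryOptions.Volatile is the .NET counterpart of REG_OPTION_VOLATILE:
    # the key is held in memory only and is discarded when its hive is
    # unloaded (for HKLM, at shutdown or reboot). The option is ignored if
    # the key already exists, so a key first created as a normal key persists.
    $key = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey(
        $MarkerPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [Microsoft.Win32.RegistryOptions]::Volatile)
    try {
        $key.SetValue('Reason', $Reason, [Microsoft.Win32.RegistryValueKind]::String)
        $key.SetValue('SetAtUtc', (Get-Date).ToUniversalTime().ToString('o'),
                      [Microsoft.Win32.RegistryValueKind]::String)
    }
    finally { $key.Close() }
}

function Get-RebootMarker {
    # Returns $null when the marker is absent (never set, or already discarded).
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($MarkerPath)
    if ($null -eq $key) { return $null }
    try {
        [pscustomobject]@{
            Reason   = $key.GetValue('Reason')
            SetAtUtc = $key.GetValue('SetAtUtc')
        }
    }
    finally { $key.Close() }
}

# Constructed sample usage: set the marker, then read it back.
Set-VolatileRebootMarker -Reason 'constructed sample: placeholder patch installed'
$marker = Get-RebootMarker
if ($marker) {
    "Reboot pending since $($marker.SetAtUtc): $($marker.Reason)"
} else {
    'No reboot marker present.'
}
```

Running only the `Get-RebootMarker` part again after the hive has been unloaded and reloaded should report no marker, provided the key did not already exist as a non-volatile key before the first run.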