
indent_rulexml.exe: A tool to quickly format inventory rule xml into human readable data

Created: 14 Feb 2011 • Updated: 14 Feb 2011
Ludovic Ferre

Patch Management uses XML to define inventory rules, which the Inventory Rule agent uses to verify whether a given update is applicable or installed (with the aptly named IsInstalled and IsApplicable inventory rules).

These inventory rules can be retrieved from the SQL database (they live in the Inv_Inventory_rule table) or via the NS console. However, the XML string can be quite lengthy and rather hard to understand, as illustrated here:

<detection version="6.2"><installed><expression><and><expression check="vuln"><or><expression><and><expression><regkeyversion versionstatus="SAME" x64="true"><entry>CSDVersion</entry><key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</key><version>256</version></regkeyversion></expression><expression><fileversion versionstatus="HIGHER_OR_SAME" x64="true"><filepath name="win32k.sys"><path>%windir%\system32\</path></filepath><version>5.2.3790.3212</version></fileversion></expression></and></expression><expression><and><expression><regkeyversion versionstatus="SAME" x64="true"><entry>CSDVersion</entry><key>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</key><version>512</version></regkeyversion></expression><expression><fileversion versionstatus="HIGHER_OR_SAME" x64="true"><filepath name="win32k.sys"><path>%windir%\system32\</path></filepath><version>5.2.3790.4375</version></fileversion></expression></and></expression></or></expression></and></expression></installed></detection>
<detection version="6.2"><installed><expression><and><expression check="vuln"><and><expression><regkeyexists x64="true"><key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB978262~31bf3856ad364e35~amd64~~6.0.1.0</key></regkeyexists></expression></and></expression></and></expression></installed></detection>
<detection><installed><expression><and><expression><regkeyversion versionstatus="HIGHER_OR_SAME" x64="true"><key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040480900063D11C8EF10054038389C\InstallProperties</key><entry>DisplayVersion</entry><version>11.0.0000.0</version></regkeyversion></expression><expression><regkeyversion versionstatus="LOWER" x64="true"><key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040480900063D11C8EF10054038389C\InstallProperties</key><entry>DisplayVersion</entry><version>11.0.8173.0</version></regkeyversion></expression></and></expression></installed></detection>
<detection version="6.2"><installed><expression><and><expression check="upd"><regkeyvalue><key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\kb980195</key><entry>Installed</entry><value>1</value></regkeyvalue></expression></and></expression></installed></detection>

indent_rulexml takes such a string and outputs the interesting inventory rule data in a human-readable format, as shown here:

EXPR {
	AND {
		EXPR {
			OR {
				EXPR {
					AND {
						EXPR {
							SAME
							CSDVersion
							HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows
							256
						}
						EXPR {
							HIGHER_OR_SAME
							win32k.sys
							%windir%\system32\
							5.2.3790.3212
						}
					}
				}
				EXPR {
					AND {
						EXPR {
							SAME
							CSDVersion
							HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows
							512
						}
						EXPR {
							HIGHER_OR_SAME
							win32k.sys
							%windir%\system32\
							5.2.3790.4375
						}
					}
				}
			}
		}
	}
}

This output was produced by calling indent_rulexml64 (the Linux 64-bit version of the tool), pasting the first inventory rule XML listed above and pressing Enter.

Another way to use the tool is to save the rule XML into a file and redirect the file content to stdin (using 'indent_rulexml.exe < input_file').

The output can be picked up from the console (this works well on Linux, but cmd.exe is not so good on Windows) or redirected to a file using '>'.

Here is the output from the other three inventory rule XML strings listed above:

EXPR {
	AND {
		EXPR {
			AND {
				EXPR {
					HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB978262~31bf3856ad364e35~amd64~~6.0.1.0
				}
			}
		}
	}
}
EXPR {
	AND {
		EXPR {
			HIGHER_OR_SAME
			HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040480900063D11C8EF10054038389C\InstallProperties
			DisplayVersion
			11.0.0000.0
		}
		EXPR {
			LOWER
			HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040480900063D11C8EF10054038389C\InstallProperties
			DisplayVersion
			11.0.8173.0
		}
	}
}
EXPR {
	AND {
		EXPR {
			HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\kb980195
			Installed
			1
		}
	}
}
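
The same transformation, written in Python as an added example (this is not the indent_rulexml source). The element handling is inferred from the sample rules and outputs on this page; the function names and the DTD rejection are assumptions of this example.

```python
import sys
import xml.etree.ElementTree as ET

BLOCKS = {"expression": "EXPR", "and": "AND", "or": "OR"}  # printed as "LABEL { ... }"
WRAPPERS = {"detection", "installed"}  # dropped from output, children kept
SHOWN_ATTRS = ("versionstatus", "name")  # comparison operator, file name

def walk(elem, depth, out):
    """Append the readable lines for elem (and its subtree) to out."""
    pad = "\t" * depth
    if elem.tag in BLOCKS:
        out.append(pad + BLOCKS[elem.tag] + " {")
        for child in elem:
            walk(child, depth + 1, out)
        out.append(pad + "}")
        return
    if elem.tag not in WRAPPERS:
        # Check elements (regkeyversion, fileversion, ...) and their fields:
        # print the interesting attributes, then any text, in document order.
        out.extend(pad + elem.attrib[a] for a in SHOWN_ATTRS if a in elem.attrib)
        text = (elem.text or "").strip()
        if text:
            out.append(pad + text)
    for child in elem:
        walk(child, depth, out)

def indent_rule(xml_text):
    """Return the indented form of one inventory rule XML string."""
    # Assumption: rule XML never carries a DTD, so refuse one instead of
    # letting the parser process entity declarations from stored data.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in rule XML")
    out = []
    walk(ET.fromstring(xml_text), 0, out)
    return "\n".join(out)

# Fourth rule from the listing above, split only to keep the lines short.
SAMPLE = (r'<detection version="6.2"><installed><expression><and>'
          r'<expression check="upd"><regkeyvalue><key>HKEY_LOCAL_MACHINE\SOFTWARE'
          r'\Microsoft\Windows NT\CurrentVersion\Hotfix\kb980195</key>'
          r'<entry>Installed</entry><value>1</value></regkeyvalue></expression>'
          r'</and></expression></installed></detection>')

if __name__ == "__main__":
    # One rule per line on stdin, as with the tool; falls back to SAMPLE on a tty.
    rules = [l for l in sys.stdin if l.strip()] if not sys.stdin.isatty() else [SAMPLE]
    for rule in rules:
        print(indent_rule(rule))
```

Attributes such as check and x64 are deliberately not printed, matching the outputs shown on this page.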