How to create a monitor for existence of a registry key


There are many examples of using a discovery for a new class or extended class, based on a registry key.

What if – you just want to monitor for a specific registry key – and turn your agents to a warning or critical state if it is missing? 

 

Consider the scenario:

CompanyX stamps the registry with company-specific information, like server owner, group, production level, criticality, etc.  They do this by creating a registry key on all systems as part of the build process.  They create this key as HKLM\SOFTWARE\CompanyX, and then have several subkeys and values present.  Perhaps they even use some of this information to populate groups in OpsMgr.

In the above scenario, the existence of this Registry key becomes critical to monitoring operations.  Therefore – we should ensure that all agents have this key, and alert when a server is introduced without it, or if the key is accidentally deleted.

 

One common method to do this is to create a simple generic timed script two-state monitor, which will output propertybags indicating whether the key exists, and flip monitor state based on the payload in the propertybag.  While this solves the need, as monitoring workflows like this accumulate we end up with a LOT of timed scripts, and the total of these scripts running can have a negative impact on performance.  Also – it requires that you write and debug a VBScript that performs your logic.  This article will describe a method using native OpsMgr modules to accomplish this task without using scripts.

 

Open the authoring console, and create a new empty management pack.  I called mine ExampleMP.

The idea is to create a monitor for this.  However – every monitor is based on a MonitorType.  There are many MonitorTypes to choose from when creating a monitor that come with the product, like “Basic Service Monitor”, “Event Timer Reset”, “Event Manual Reset”, etc.

Since there is no existing MonitorType for “look for the existence of a registry key” we get to create one!

Select “Type Library” and then “Monitor Types”.  Right click > New > Composite Monitor Type.

This will be a composite monitor type because it will contain potentially multiple moduletypes, like datasource, probe, and condition detection.

Give the MonitorType a name (this will be the MonitorType ID).  I chose “ExampleMP.RegExistsMonitorType”.

On the General tab – give the MonitorType a display name.  I chose “Custom - Check Existence of RegKey Monitor Type”.

On the States tab – we need to define the state names we want.  This can be anything.  For this example, I will choose “RegKeyExists” and “RegKeyMissing”.

On the Member Modules tab:  We need to add 3 things for this example.  A datasource to read the registry data we need, and two condition detections: one for good (RegKeyExists) and one for bad (RegKeyMissing).

Click Add, and find the “Microsoft.Windows.RegistryProvider” Data Source.  The ModuleID can be anything you want.  Most people just type DS (for DataSource).  I will type in “RegDS” for mine because I like to be different.

We used the Microsoft.Windows.RegistryProvider because this was a good existing Data Source module that has the ability to inspect the registry and has a schedule timer module as well.  To read about all the available modules, check out the TechNet Module Types Reference.

On the RegDS Configuration – we have several items we need to input.

For ComputerName – change the default text to:  “$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$”  (no quotes)  This is a variable which will tell the workflow to connect to the local computer’s registry where it is running.

For AttributeName – this is just a text name to give the attribute of our Reg Key, I will call mine “CompanyXRegExists”.

For Path – this is the path to the custom reg key.  HKLM is assumed – so you will need to add “SOFTWARE\CompanyX”.

For PathType – this is “0” for a key, and “1” for a value.  We are using a key so ours will be “0”.

For AttributeType – we will use 0 again – for Boolean (true or false).

For Frequency – we should input 86400 (this is seconds = 1 day). 

For testing in small labs you can set this to be more frequent, just be careful in production with aggressive monitoring on short frequencies.


That completes our datasource!  Next up – add two condition detections.

On the Member Modules tab, click Add, and add the System.ExpressionFilter.  Give our condition detection an ID at the bottom.  I will use “CDExists” for this one.

This condition detection type of System.ExpressionFilter is just a simple filter to be able to add conditional criteria to the output of our monitor type.

For the Expression of this Condition Detection, hit Configure.  Select “Insert”.  For the Parameter name – we need the name of the attribute we used in the data source.  We used “CompanyXRegExists” so type that in here… but it MUST be prefaced with “Values/” so the final line to be added is “Values/CompanyXRegExists”.  Set this to “Equals” and “true”.  Click OK twice to accept our CD.


Now, back on the Member Modules tab, add another Condition Detection of the same type, but call this one “CDMissing”.  We will configure this one identically to the above – but will set the Expression to “Values/CompanyXRegExists” and “Equals” and “false”.

On the Regular tab, we need to define the order of operations for each state.  On the “RegKeyExists” state we want the DataSource first, then the Condition Detection for “exists”, then output the module data.

Do the same thing for the RegKeyMissing state, but use the other condition detection for missing.

Click OK, and our MonitorType is done!
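
The MonitorType assembled in the steps above, written out as management pack XML. This is an added example, not the author's attached ExampleMP.xml; it assumes the management pack references Microsoft.Windows.Library under the alias "Windows" and System.Library under the alias "System", and it writes the expression types as String, which is an assumption about what the console emits.

```xml
<!-- Added example, not the attached ExampleMP.xml. Assumes reference aliases "Windows" and "System". -->
<UnitMonitorType ID="ExampleMP.RegExistsMonitorType" Accessibility="Internal">
  <MonitorTypeStates>
    <MonitorTypeState ID="RegKeyExists" NoDetection="false" />
    <MonitorTypeState ID="RegKeyMissing" NoDetection="false" />
  </MonitorTypeStates>
  <Configuration />
  <MonitorImplementation>
    <MemberModules>
      <DataSource ID="RegDS" TypeID="Windows!Microsoft.Windows.RegistryProvider">
        <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
        <RegistryAttributeDefinitions>
          <RegistryAttributeDefinition>
            <AttributeName>CompanyXRegExists</AttributeName>
            <Path>SOFTWARE\CompanyX</Path>                <!-- HKLM is assumed -->
            <PathType>0</PathType>                        <!-- 0 = key, 1 = value -->
            <AttributeType>0</AttributeType>              <!-- 0 = Boolean (true/false) -->
          </RegistryAttributeDefinition>
        </RegistryAttributeDefinitions>
        <Frequency>86400</Frequency>                      <!-- seconds = 1 day -->
      </DataSource>
      <ConditionDetection ID="CDExists" TypeID="System!System.ExpressionFilter">
        <Expression>
          <SimpleExpression>
            <ValueExpression><XPathQuery Type="String">Values/CompanyXRegExists</XPathQuery></ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression><Value Type="String">true</Value></ValueExpression>
          </SimpleExpression>
        </Expression>
      </ConditionDetection>
      <ConditionDetection ID="CDMissing" TypeID="System!System.ExpressionFilter">
        <Expression>
          <SimpleExpression>
            <ValueExpression><XPathQuery Type="String">Values/CompanyXRegExists</XPathQuery></ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression><Value Type="String">false</Value></ValueExpression>
          </SimpleExpression>
        </Expression>
      </ConditionDetection>
    </MemberModules>
    <RegularDetections>
      <!-- Each state: data source first, then its condition detection -->
      <RegularDetection MonitorTypeStateID="RegKeyExists"><Node ID="CDExists"><Node ID="RegDS" /></Node></RegularDetection>
      <RegularDetection MonitorTypeStateID="RegKeyMissing"><Node ID="CDMissing"><Node ID="RegDS" /></Node></RegularDetection>
    </RegularDetections>
  </MonitorImplementation>
</UnitMonitorType>
```

The fragment belongs under TypeDefinitions > MonitorTypes in the management pack. As the comment thread below works out, checking a registry value instead of a key means changing only PathType to 1 and leaving AttributeType and both expressions as they are.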

 

Phew!  That is complicated if you haven't had much experience with the authoring console.  The more you work with it, and the more you get used to typical operations and module types to choose from, the more it will make sense.

So – we have created our MonitorType.  Now we just need to create the monitor that will use this.  That part is a LOT easier.

Select the Health Model pane of the Authoring Console.

Select Monitors.  Right click > New > Custom Unit Monitor.

Give the Monitor an ID.  I chose “ExampleMP.CompanyXRegExistsMonitor”.

Give the Monitor a good Display Name.  I chose “Custom - Monitor for Existence of Company X Registry”.

For the Target, I need this to run on all my Windows Servers, so I like to use “Microsoft.Windows.Server.OperatingSystem” (Windows Server Operating System).

For the Parent Monitor: NEVER accept the default.  You always need to choose Availability, Configuration, Performance, or Security.  Since this is really a Configuration issue, I choose System.Health.ConfigurationState.

On the Configuration tab – we need to select a MonitorType for this monitor to use.  Click “Browse for a Type” and select the MonitorType we previously created.

On the Health tab – we need to define each operational state.  For this example, RegKeyExists is the healthy state and RegKeyMissing is the warning state.

On the Alert tab – you can optionally create an alert when this monitor is in a warning Health state, and configure those typical items.

Click OK, and we are done!

You can now import this MP into your test/dev management group, and begin testing.  First – save your MP to a file for backup purposes.  Then, from the authoring console > Tools > Export MP to Management Group > Select your Dev MG, and the authoring console will import this directly into it for quick testing.

You should see any Windows Server Operating System object that is missing that registry key turn to a warning state.  This should be very clear in health explorer.

I have attached my XML for reference

ExampleMP.xml

Comments (19)

  1. John Bradshaw says:

    Wow! That was a lot of work just to copy what you have done. Thx for the effort in putting it all together.

    Above in the Target section, "Microsoft.Windows.Server.OperatingSystem" was chosen.

    This will by default ENable the monitor for each discovered server (Is that correct?)

    So, once the MP is imported, is it just a matter of finding the monitor under the Authoring tab and using Overrides to target specific servers?

    Thx,

    John Bradshaw

  2. Kevin Holman says:

    My example is enabled and targeting the Windows Server OS…. if you want this scoped to a subset of computers – the BEST practice is to create a class for those computers (based on something that makes them unique) and then targeting that class.

    Second option is to create the monitor as disabled by default, then enabling it via overrides for a group.

  3. Anonymous says:

    I previously wrote about the new agent control panel applet with SCOM 2012 here: http://blogs.technet

  4. Frank says:

    I am not very familiar with the authoring console – would the following apply to the same process:

    Monitoring for regkey autoadminlogon = 1 instead of default 0
    We have cases where developers are setting server autologons. Passwords in clear text/bad situation and account lockouts every 90 days are wasting a lot of time. Would like to proactively alert for these and set reg keys back to 0 if a user changes them to 1.

    Thanks much.

  5. priyatham says:

    @kevin – In my environment we need to get an alert if a server goes into pending reboot state. Could you please suggest the idea.

  6. SB says:

    Kevin, this is not working for me. I have used this to check for existence of registry key – SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. However it is not working, always showing as keymissing even when exists. In health explorer, when I recalculate monitor, nothing happens. Can you please help and suggest how to troubleshoot this.

  7. Kevin Holman says:

    Recalculate will NEVER work for 99% of monitors. That button shouldn’t exist – it will only work for specially written monitors with an on demand probe action.

    Post your monitortype XML.

  8. SB says:

    Thanks Kevin, I am pasting the monitortype XML below :

    $Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$

    PCRegKeyExists

    SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

    0

    0

    60

    Values/PCRegKeyExists

    Equal

    true

    Values/PCRegKeyExists

    Equal

    false

  9. SB says:

    Kevin, Unable to post the xml here in readable format. Please suggest

  10. Kevin Holman says:

    it was plenty readable.

    You need to read through the post again. You have not set pathtype correctly. You set it to "0" which means Key. However, PendingFileRenameOperations is not a reg key – it is a reg value.

  11. SB says:

    Thanks Kevin. I will make the change and re test.

  12. SB says:

    It is still not working, Kevin. Perhaps I am still doing something wrong, if you have time can you please review the xml pasted below. I set pathtype to 1 and checking to see if it contains string pendingfilerenameoperations, set it to keyexists. Also I am noticing that when I flush the agent so it loads the new MP with the change, monitor is always showing this condition – Context:

    The monitor has been initialized for the first time or it has exited maintenance mode

  13. SB says:

    $Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$

    PCRegKeyExists
    SYSTEM\CurrentControlSet\Control\Session Manager
    1
    1

    14400

    Values/PCRegKeyExists

    ContainsSubstring
    PendingFileRenameOperations

    Values/PCRegKeyExists

    DoesNotContainSubstring
    PendingFileRename

  14. Kevin Holman says:

    You should stop making too many changes. You should have ONLY changed pathtype. Not attributetype. You should have left that to Boolean and left the expression alone.

  15. SB says:

    Thanks Kevin ! Works like a charm now….

  16. Anthony says:

    Hi Kevin, I’m trying to follow this using VS 2013 + VSAE, I don’t see "Select “Type Library” and then “Monitor Types”. Right click > New > Composite Monitor Type."

  17. Yatin says:

    Kevin, does this article also apply to SCOM2012R2?
    If so, I am stuck at the step in this article that says “Select “Type Library” and then “Monitor Types”. Right click > New > Composite Monitor Type.” I simply cannot find this option to create a Composite Monitor Type.
    Kindly help, as I am looking for generating alerts based on the presence or absence of a Registry Key on a windows computer.

    1. Kevin Holman says:

      It does – but the SCOM 2007 R2 authoring console is a separate advanced authoring tool.

      If you want to make life easier – go look at my MP fragments for this.

      https://blogs.technet.microsoft.com/kevinholman/2016/06/04/authoring-management-packs-the-fast-and-easy-way-using-visual-studio/

  18. Paul Arbogast says:

    How does this work in SCOM 2016, I do not see the Type Library to be able to create this
