How to create a monitor to inspect the value of a registry key



Comments (19)
  1. Kevin Holman says:

    Stay tuned to Jimmy Harper's blog – he is soon to publish a sample report that does exactly this! …/jimmyharper

  2. Kevin Holman says:

    Ryan – you still will want to use PS or VBscript and a propertybag…. if you need to do any complex calculations on the information you get from the registry, or need a monitor to inspect multiple keys/values…etc.  A script is still the simplest method when you need to do a lot of work.  This is just an example for when we just need something very simple, and I feel like there just aren't enough examples out there of all the monitortype options.

  3. Kevin Holman says:

    Yes – that is planned for a future post.  This is 101 baby steps to get people used to creating their first monitortypes.  How to make custom monitortypes reusable is one of my next posts.

  4. Nice demo, Kevin.  If someone wanted to make this MonitoringType more flexible and "reusable", we could expose configuration elements as input when creating the monitor(s) that will use this type. Settings such as Registry Path, Attribute Name, Path Type, Value and Frequency could be input during monitor creation.

  5. Kevin Holman says:

    Yikes – my bad.

    Your design is correct. I missed the concept that you want to know when the reg is missing! I need to slow down and read more sometimes! Sorry about that. I believe a single monitor like this will only work to tell you a BAD value and a MISSING value if you are using only a VALUE. If the entire Key hosting the value is missing, this may fail. I am not 100% sure on that, I’d have to test. In this case, I’d do two monitors – one for a missing value, and one for the incorrect value.

    If you cannot get it working – post the monitortype and monitor configuration from the XML here and we can take a look.

  6. Kevin Holman says:

    You should not be TARGETING servers with this monitor, that don’t have the registry key or value. That’s your first problem.

  7. ryan says:

    Nice Kevin.  This is probably much more efficient than my PS modules for reading the registry.  Never crossed my mind to use the built-in registry provider for anything other than simple discoveries.

  8. Andre Durval says:

    I make my own management pack to inspect a value of two registry keys, but how can I create a report or a view to see all servers that have a bad value, instead of opening each server in health explorer?!

  9. Jerry Nelson says:


    This is good stuff and very helpful for me as a noob to SCOM. Almost fits the bill for what I'm trying to accomplish, my hope is you can direct me to the steps necessary to return the discovered value to a column in the monitor view. For example: I have a software package that runs on 30 different Windows 2008 servers. Due to different system requirements some of these run different versions of an installed software package. I'm hoping to be able to get a registry probe that will check HKLMSOFTWAREProviderPackagePackageVersion and return the string value associated with that key in the format X.X.X.XXXXX

    Any ideas?

    Thanks and I am working through all your posts!

  10. cc60 says:

    Great post. Thanks

    It's possible in the System.ExpressionFilter to make something like this:

    Operator: Contains

    Value: get-date -UFormat "%Y%m%d"

  11. OdgeUK says:

    Struggling with this. Using it to monitor a Reg Value of either "Stopped" or "Running" for "Current State" on some services which don’t appear as Windows Services (SCCM SMS Exec threads).

    Do you need the Values Prefix for a string match?

    I’m getting Healthy on the monitor, even on servers which don’t have the Key or Value?!

  12. OdgeUK says:

    Thanks Kevin. My Bad. I’m targeting Windows Server Operating System, and using overrides to enable this for two servers. One with the reg key present and in a status of running (so should be healthy) and another that does not have the reg key / value at all (which is also healthy). I am wondering if it should be "Value" instead of "Values"? Or if I need this prefix at all when using a String for XpathQuery?

  13. OdgeUK says:

    May have misunderstood. Was expecting no Key / Value present to generate a Warning?

    This monitor will change to a Warning state if:
    • The reg value “ServerLevel” is missing.
    • The reg value exists but has no value set.
    • The reg value exists but is set to something other than the expected values.

  14. OdgeUK says:

    Great, that’s working now. Thanks for your reply Kevin. I can successfully monitor my Reg Value for a service. Healthy if = Running and Critical if NOT = Running (which covers missing value or unexpected values like "Stopping", or "Started" which should never exist for much more than a second or two).

    My issue was that when I used Explicit values for both Healthy ("= Running") and Critical ("= Stopped"), the monitor totally ignored anything else, including missing key, missing value or unexpected value. I was expecting the default behaviour to be a Warning under those conditions. Perhaps this is only when using Values and not Strings…

    How do I add meaningful Alert data in Alert Description? I want to have the output value in the Alert Description and / or Title. Do we need to have something like:

    $Data/Context/Context/DataItem/Current_State$ ?


    $Data/Context/Context/DataItem/Values$ ?

    This is the output in XML in the State Change detail:

    <DataItem type="MOM.RegistryData" time="2015-04-26T19:00:05.7385374+01:00" sourceHealthServiceId="8161FE81-FA5E-5187-42D1-351DFB963635">
    <Values>
    <Current_State VariantType="8">Running

  15. John says:

    Hey Kevin,

    I can’t seem to get this to work. Here is my code, the value I am checking is a DWORD and when it is 0 it is considered good, when it is 1 or higher it is considered bad. Here’s my code:!10894&authkey=!ADyX3DVPkUwOogw&ithint=file%2ctxt

  16. Joe says:

    For configuring the ComputerName in the Registry provider config, I had to remove the ‘Host’ in the string below:
    Changed to:

    The documentation states that the second form is used for windows-based computers.

    This was in a SCOM 2007 R2 environment, yes, I know it’s 2016… 🙂

    1. Kevin Holman says:

      Joe – if you had to remove the “host” this means you did a no-no and targeted Windows Computer.

      This is a known bad thing. My example targets windows operating system. No workflows should target Windows Computer.

  17. Andrius says:

    How do we do the same in SCOM 2012 R2? Because on 2012 R2 this tutorial breaks down at step 2: “In your custom management pack, using the Authoring Console, create a new Composite MonitorType.” <– there is no such thing there.

    1. Kevin Holman says:

      You would use the same tool as described above – which is the SCOM 2007 R2 Authoring tool –

      Or – you would use Visual studio and fragments:

Comments are closed.
