000037018 - Confirming upgrade of the RSA NetWitness Endpoint / Insights Agent from the registry

Document created by RSA Customer Support Employee on Dec 17, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000037018
Applies ToRSA Product Set: NetWitness Endpoint
RSA Product/Service Type: NetWitness Endpoint
RSA Version/Condition: 4.4.x / Insights 11.1.x-11.2.x
Platform: Windows
IssueVerification using SCCM or other tools that bulk push out updates may be difficult to verify that they have been performed successfully. Since the agent rolls back failed upgrades, the version number in the registry should still show the old agent version. Hence, targeting the DisplayVersion and InstallDate registry values may yield information about the agent.
CauseThe causes for agent failure to install have multiple reasons and are not necessary for this article's discussion.
ResolutionUsing SCCM or another software solution, verify the output of the following registry keys:
  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{63AC4523-5F19-42F0-BC43-97C8B5373589}\DisplayVersion
  2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{63AC4523-5F19-42F0-BC43-97C8B5373589}\InstallDate

The first value will have a version number in the following format:

Use this to verify the version of the agent

The second value will have an install date in the following format: 20180610

Use this to verify the installation date of the agent in conjunction with its reported version number

Taken together, it becomes possible to verify if an agent upgrade succeeded or failed as these values would rollback to their previous entries if an installation fails. Note this applies to upgrades mainly; for fresh installs, a separate registry key located in the services directory called ServerSS is useful to determine if the agent checked in to the server after installation.

User-added image
NotesTo the Uninstall registry location, it is identical between the original ECAT agent, and the Insights agent, although the values will be different in some cases. The two values used in this article do not change, so both can be treated the same for testing if an upgrade succeeded or failed.