Introduction
One of the methods by which Raynet One allows you to extend its inventory capabilities is custom inventory scripts. The following Python script gathers a device's ReleaseId registry string value and UBR registry DWORD value from its "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\" and "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\" registry keys.
Script
# Key queried in both registry views, in reg.exe notation (HKLM = HKEY_LOCAL_MACHINE).
# The 32-bit view (/reg:32) is how the WOW6432Node counterpart named in the intro is read.
REG_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
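def get_registry_value(reg_key, value_name, reg_view="64"):
    """Read one registry value by shelling out to ``reg query``.

    Args:
        reg_key: Key path in reg.exe notation (e.g. the module's REG_KEY).
        value_name: Name of the value to read under ``reg_key``.
        reg_view: Registry view passed to ``/reg:``; ``"64"`` or ``"32"``.

    Returns:
        The value's data as ``reg query`` prints it, i.e. always text (a
        REG_DWORD such as UBR therefore typically comes back as hex text like
        ``0x...``, not as an int), or ``None`` when no output line names the
        requested value.
    """
    # reg_key and value_name are spliced into a command line unescaped; this
    # is only acceptable because callers pass fixed constants (see main).
    cmd = f'reg query "{reg_key}" /v {value_name} /reg:{reg_view}'
    PythonConnector.debug(f"Running: {cmd}")
    # NOTE(review): the second argument to PythonConnector.run is opaque here —
    # presumably "capture output"; confirm against the connector docs.
    lines = PythonConnector.run(cmd, True)
    wanted = value_name.lower()
    for line in lines:
        # A data line looks like "<name>    <REG_TYPE>    <data>". Split into at
        # most three fields so data containing spaces is returned whole rather
        # than only its last word; the key-path header line has fewer fields
        # and is skipped.
        parts = line.strip().split(None, 2)
        if len(parts) >= 3 and parts[0].lower() == wanted:
            return parts[2]
    return None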
def main():
    """Collect Windows ReleaseId/UBR from both registry views and publish them.

    Queries REG_KEY in the 64-bit view and then the 32-bit view for the
    ReleaseId and UBR values, logs what was found, and adds one
    "WindowsReleaseInfo" inventory item whose properties hold the raw text
    values, or "N/A" where a lookup returned nothing.
    """
    PythonConnector.info("Starting registry inventory script")

    # (property suffix, reg.exe view); 64-bit first, matching the log order below.
    views = (("x64", "64"), ("x86", "32"))
    found = {}
    for suffix, view in views:
        release_id = get_registry_value(REG_KEY, "ReleaseId", view)
        ubr = get_registry_value(REG_KEY, "UBR", view)
        found[suffix] = (release_id, ubr)

    PythonConnector.info(f"[64-bit] {REG_KEY} -> ReleaseId: {found['x64'][0]}, UBR: {found['x64'][1]}")
    PythonConnector.info(f"[32-bit] {REG_KEY} -> ReleaseId: {found['x86'][0]}, UBR: {found['x86'][1]}")

    # NOTE(review): create_item's arguments are opaque here (presumably type,
    # name and a flag) — confirm against the connector docs.
    item = PythonConnector.create_item("WindowsReleaseInfo", "WindowsReleaseInfo", True)
    PythonConnector.add_property("Evidence", "PY", item)
    PythonConnector.add_property("RegistryPath", REG_KEY, item)
    for suffix, _view in views:
        release_id, ubr = found[suffix]
        # A missing value is recorded as the literal "N/A" rather than omitted.
        PythonConnector.add_property(f"ReleaseId_{suffix}", release_id or "N/A", item)
        PythonConnector.add_property(f"UBR_{suffix}", ubr or "N/A", item)
    PythonConnector.add_item(item)
    PythonConnector.info("Windows release info successfully added to inventory")
# Runs at load time with no __name__ guard; presumably the connector executes
# this file directly — NOTE(review): confirm how the runtime loads scripts
# before adding one, since a guard could stop the script from running there.
main()