From 5293a5276dad37a6ba68d16ac9d9d30cc2ded17b Mon Sep 17 00:00:00 2001 From: Jack Vander Pol Date: Fri, 8 May 2026 11:53:10 -0400 Subject: [PATCH 1/5] Resolved #307 Resolved #308 - Updated documentation based on implementation docs and clarified when an item should be created --- oval-schemas/windows-definitions-schema.xsd | 9 ++++++- .../windows-system-characteristics-schema.xsd | 24 ++++++++++++++++++- 2 files changed, 31 insertions(+), 2 deletions(-) diff --git a/oval-schemas/windows-definitions-schema.xsd b/oval-schemas/windows-definitions-schema.xsd index 59a3885..54b603f 100644 --- a/oval-schemas/windows-definitions-schema.xsd +++ b/oval-schemas/windows-definitions-schema.xsd @@ -3931,6 +3931,8 @@ The ntuser test is used to check metadata associated with Windows ntuser.dat files. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a ntuser_object and the optional state element specifies the ntuser data to check. + + To ensure consistent results across OVAL interpreters, application developers should refer to documentation in the ntuser_item when implenting this test. ntuser_test @@ -4035,11 +4037,13 @@ This element describes a registry key normally found in the HKCU hive to be tested. + Note: The key not existing on the target does not impact the overall existence of the ntuser_item. This element describes the name of a value of a registry key. + Note: The name not existing on the target does not impact the overall existence of the ntuser_item. 
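Review bot: Typo in the new ntuser_test sentence of the @@ -3931 hunk in windows-definitions-schema.xsd: "implenting" should be "implementing". The two lines added in the @@ -4035 hunk ("Note: The key not existing on the target does not impact the overall existence of the ntuser_item." and the matching name note) are deleted again by PATCH 2/5 of this same series; squashing the two commits would keep the withdrawn statement out of the history.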
@@ -4062,16 +4066,18 @@ The logged_on element describes if the user account is currently logged on to the computer. + This can be determined by comparing the SID’s against those populated in HKEY_USERS - The last_logon data, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. + The last_logon data which can be obtained from the LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow values, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. The enabled element describes if the user account is enabled or disabled. + Note: For domain users, if a domain controller is not available, this will not return data. If using this data for a filter to include enabled accounts, it’s recommended to exclude accounts that are have been determined to be disabled, vs including ones that are enabled, as the later may filter out accounts for which the domain controller could not return data. @@ -4088,6 +4094,7 @@ This element describes the filepath of the ntuser.dat file. + The existance of each ntuser.dat file determines the overall ntuser_item existence. diff --git a/oval-schemas/windows-system-characteristics-schema.xsd b/oval-schemas/windows-system-characteristics-schema.xsd index 6ff9177..c0bf2e9 100644 --- a/oval-schemas/windows-system-characteristics-schema.xsd +++ b/oval-schemas/windows-system-characteristics-schema.xsd 
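Review bot: The logged_on and last_logon sentences added in the @@ -4062 hunk need both wording and content fixes. "SID’s" should be "SIDs" (the system-characteristics copy of the same sentence in this patch already says "SIDs collected from the ProfileList", and the definitions copy should say what the SIDs are compared against in the same words), and the sentence has no terminating period. For last_logon, state how LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow are combined (they are the high and low 32-bit halves of a FILETIME) and what "converted to days" is relative to, i.e. whole days elapsed between that load time and collection; as written a reader cannot tell whether the value is an absolute date or an age. In the enabled note, "accounts that are have been determined to be disabled" drops "are" and "the later may filter out" should be "the latter". In the @@ -4088 hunk, "existance" should be "existence".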
@@ -1629,6 +1629,22 @@ The windows ntuser_item specifies information that can be collected from a particular ntuser.dat file. +To ensure consistent results across OVAL interpreters, the following implementation methods are recommended. Note that there may be other technical ways to obtain the data, which vendors may choose to implement. +1. Finding Human User Profiles + a. Obtain a list of User Profiles from the following registry key, where each subkey is a profile that may be included in scope for this test + i. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList + b. Determine which user profiles are from ‘human’ users + i. Exclude profiles for LocalService, Network service etc.. by excluding subkeys in the format of S-1-5-<number*gt; + ii. Exclude profiles for Per-Service SIDs by excluding subkeys in the format of S-1-5-80-<number*gt;-<number*gt;-<number*gt;-<number*gt;-<number*gt; + iii. Include Local and Domain User SIDs by including subkeys match the format of S-1-5-21-<number*gt;-<number*gt;-<number*gt;-<number*gt; + c. Obtain ntuser filepath from the ProfileImagePath value of 'human' profiles +2. Creating ntuser items +If the filepath obtained from the ProfileImagePath exists on the target system, create a ntuser_item with a status of 'exists' +3. Gathering per user registry key data + a. If a user is logged in, their ntuser.dat file will be locked and the OVAL interpreter will not be able to read it, the OVAL interpreter will need to obtain that data from HKEY_USERS\<sid_of_logged_in_user> + b. If a user is not logged in, the OVAL interpreter will need to obtain the data directly from the users ntuser.dat file. + Note: There are many different methods depenending on programming language to parse ntuser.dat files, and each OVAL interpreter may choose their own methods. 
+ If no other programming language native methods are available, it is advised not to load the ntuser.dat file directly from its original location, as it will lock the file and prevent that user from logging into Windows. The file will need to be copied/renamed to a temporary location and then loaded, used and unloaded and removed. @@ -1637,6 +1653,7 @@ This element describes a registry key normally found in the HKCU hive to be tested. + Note: The key not existing does not impact the overall existence of the ntuser_item. @@ -1644,6 +1661,7 @@ This element describes the name of a registry key. If the xsi:nil attribute is set to true, then the item being represented is the higher level key. Using xsi:nil here will result in a status of 'does not exist' for the type, and value entities since these entities are not associated with a key by itself. + Note: The name not existing does not impact the overall existence of the ntuser_item. @@ -1656,6 +1674,7 @@ The username entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer name\user name". + Note: When gathering the built-in Guest and build-in Administrator, they may not resolve and may need to have the ComputerName prepended to it. 
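Review bot: The SID patterns in the @@ -1629 hunk of windows-system-characteristics-schema.xsd read `S-1-5-<number*gt;`; `*gt;` is not an XML entity and will render literally, so it should be `&gt;` (and the opening bracket `&lt;`, so that the xsd:documentation element stays well-formed), and the same escaping applies to `HKEY_USERS\<sid_of_logged_in_user>` in step 3.a. The registry path in step 1.a.i is written `\Microsoft\WindowsNT\CurrentVersion\ProfileList`; the key is `Windows NT` with a space, as the later `HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList` in this series spells it. Step 1.b.i's exclusion pattern `S-1-5-<number>` should be stated as exactly one component after `S-1-5` (LocalService and NetworkService are S-1-5-19 and S-1-5-20); read as a prefix it also matches the `S-1-5-21-...` user SIDs that step 1.b.iii includes, so either list the well-known SIDs meant or say that rule iii takes precedence. Smaller points: "etc.." should be "etc.", "subkeys match the format" should be "subkeys that match the format", "users ntuser.dat file" should be "user's", "depenending" should be "depending", and "build-in Administrator" in the @@ -1656 hunk should be "built-in".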
@@ -1666,16 +1685,18 @@ The logged_on element describes if the user account is currently logged on to the computer. + This can be determined by comparing the SIDs collected from the ProfileList against those populated in HKEY_USERS - The last_logon data, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. + The last_logon data, which can be obtained from the LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow values, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. The enabled element describes if the user account is enabled or disabled. + Note: For domain users, if a domain controller is not available, this will not return data. If using this data for a filter to include enabled accounts, it’s recommended to exclude accounts that are have been determined to be disabled, vs including ones that are enabled, as the later may filter out accounts for which the domain controller could not return data. @@ -1692,6 +1713,7 @@ This element describes the filepath of the ntuser.dat file. + The existance of each ntuser.dat file determines the overall ntuser_item existence. From 078c27be13de30663f296142ef9a3fef4bc73aa4 Mon Sep 17 00:00:00 2001 From: Jack Vander Pol Date: Wed, 13 May 2026 09:43:03 -0400 Subject: [PATCH 2/5] Updated #307 and #308, removed mandate for item creation, added new behavior Also updated --- oval-schemas/windows-definitions-schema.xsd | 24 ++++++++++++----- .../windows-system-characteristics-schema.xsd | 26 ++++++++++--------- 2 files changed, 32 insertions(+), 18 deletions(-) diff --git a/oval-schemas/windows-definitions-schema.xsd b/oval-schemas/windows-definitions-schema.xsd index 54b603f..c83f11d 100644 --- a/oval-schemas/windows-definitions-schema.xsd +++ b/oval-schemas/windows-definitions-schema.xsd 
@@ -4037,13 +4037,11 @@ This element describes a registry key normally found in the HKCU hive to be tested. - Note: The key not existing on the target does not impact the overall existence of the ntuser_item. This element describes the name of a value of a registry key. - Note: The name not existing on the target does not impact the overall existence of the ntuser_item. 
@@ -4066,18 +4064,19 @@ The logged_on element describes if the user account is currently logged on to the computer. - This can be determined by comparing the SID’s against those populated in HKEY_USERS + This can be determined by comparing the SID’s against those populated in HKEY_USERS. - The last_logon data which can be obtained from the LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow values, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. + The last_logon data which can be obtained from the LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow registry values from HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. + For more information, refer to https://learn.microsoft.com/en-us/troubleshoot/windows-server/support-tools/scripts-to-retrieve-profile-age The enabled element describes if the user account is enabled or disabled. - Note: For domain users, if a domain controller is not available, this will not return data. If using this data for a filter to include enabled accounts, it’s recommended to exclude accounts that are have been determined to be disabled, vs including ones that are enabled, as the later may filter out accounts for which the domain controller could not return data. + Note: For domain users, if a domain controller is not available, this will not return data, and should be reported with a status of 'not collected'. If using this data for a filter to include enabled accounts, it’s recommended to exclude accounts that are have been determined to be disabled, vs including ones that are enabled, as the later may filter out accounts for which the domain controller could not return data. 
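Review bot: In the @@ -4066 hunk, `HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>` shows raw angle brackets inside xsd:documentation; unless the committed text is `&lt;SID&gt;` the schema will not parse. The enabled note now says the data "should be reported with a status of 'not collected'", which is the right OVAL status for an entity that could not be gathered, but it should say explicitly that this is the status of the enabled entity, not of the whole ntuser_item, since the rest of the item can still be collected. The "accounts that are have been determined ... the later may filter out" wording from PATCH 1/5 is carried over unchanged, and this file still says "SID’s" where the system-characteristics copy says "SIDs".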
@@ -4094,7 +4093,6 @@ This element describes the filepath of the ntuser.dat file. - The existance of each ntuser.dat file determines the overall ntuser_item existence. @@ -4191,6 +4189,20 @@ + + + For 'key_and_name_exist', items are only created when an ntuser.dat file includes the key and name provided in the ntuser object. + For 'every_ntuser', items are created for each relavent ntuser.dat found on the system. This option will prevent false negatives in instances where each ntuser.dat file must contain the required key/name/value in order to pass, but the file is lacking the key/name required to normally satisfy the creation of an ntuser item. + + + + + + + + + + diff --git a/oval-schemas/windows-system-characteristics-schema.xsd b/oval-schemas/windows-system-characteristics-schema.xsd index c0bf2e9..eceb0fb 100644 --- a/oval-schemas/windows-system-characteristics-schema.xsd +++ b/oval-schemas/windows-system-characteristics-schema.xsd 
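Review bot: The behavior documentation in the @@ -4191 hunk should state the default value and what the key, name, type and value entities carry in an item created under 'every_ntuser' when the ntuser.dat lacks the requested key or name; the name-entity documentation in this series already uses a status of 'does not exist' for entities not associated with a key, and saying whether the same status applies here would let content authors predict how a state comparison evaluates against such an item. Also "relavent" should be "relevant", and "ntuser object" should be "ntuser_object" to match the element name used elsewhere in the file.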
@@ -1638,13 +1638,11 @@ ii. Exclude profiles for Per-Service SIDs by excluding subkeys in the format of S-1-5-80-<number*gt;-<number*gt;-<number*gt;-<number*gt;-<number*gt; iii. Include Local and Domain User SIDs by including subkeys match the format of S-1-5-21-<number*gt;-<number*gt;-<number*gt;-<number*gt; c. Obtain ntuser filepath from the ProfileImagePath value of 'human' profiles -2. Creating ntuser items -If the filepath obtained from the ProfileImagePath exists on the target system, create a ntuser_item with a status of 'exists' -3. Gathering per user registry key data +2. Gathering per user registry key data a. If a user is logged in, their ntuser.dat file will be locked and the OVAL interpreter will not be able to read it, the OVAL interpreter will need to obtain that data from HKEY_USERS\<sid_of_logged_in_user> b. If a user is not logged in, the OVAL interpreter will need to obtain the data directly from the users ntuser.dat file. Note: There are many different methods depenending on programming language to parse ntuser.dat files, and each OVAL interpreter may choose their own methods. - If no other programming language native methods are available, it is advised not to load the ntuser.dat file directly from its original location, as it will lock the file and prevent that user from logging into Windows. The file will need to be copied/renamed to a temporary location and then loaded, used and unloaded and removed. + If no other programming language native methods are available, it is advised not to load the ntuser.dat file directly from its original location, as it will lock the file and prevent that user from logging into Windows. @@ -1653,7 +1651,6 @@ This element describes a registry key normally found in the HKCU hive to be tested. - Note: The key not existing does not impact the overall existence of the ntuser_item. 
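Review bot: Deleting "The file will need to be copied/renamed to a temporary location and then loaded, used and unloaded and removed." in the @@ -1638 hunk leaves the advice incomplete: the text still tells implementers not to load ntuser.dat from its original location, because doing so locks the file and blocks that user's logon, but no longer says what to do instead. If the copy approach is not to be mandated, keep it as an example ("for example, by operating on a copy of the file") so the reader is left with at least one sanctioned option. Renumbering "Gathering per user registry key data" from 3 to 2 is consistent with removing the "Creating ntuser items" step, but the ntuser_item description should now say that item creation is governed by the new behavior added in windows-definitions-schema.xsd in this same commit.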
@@ -1661,7 +1658,6 @@ This element describes the name of a registry key. If the xsi:nil attribute is set to true, then the item being represented is the higher level key. Using xsi:nil here will result in a status of 'does not exist' for the type, and value entities since these entities are not associated with a key by itself. - Note: The name not existing does not impact the overall existence of the ntuser_item. @@ -1674,7 +1670,6 @@ The username entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer name\user name". - Note: When gathering the built-in Guest and build-in Administrator, they may not resolve and may need to have the ComputerName prepended to it. 
@@ -1689,14 +1684,21 @@ - - The last_logon data, which can be obtained from the LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow values, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. - - + + The last_logon data which can be obtained from the LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow registry values from HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. + For more information, refer to https://learn.microsoft.com/en-us/troubleshoot/windows-server/support-tools/scripts-to-retrieve-profile-age + + + + + The user_has_signed_into_explorer element describes if the user account has ever interactively logged into Windows Explorer. This is important as User GPO's are applied when a user logs into Windows Explorer, and are not applied for non-interactive logins such as Ansible over SSH or Windows RM. Those non-interactive logins may cause false positives, and content authors may want to filter them out. + This can be determined by gathering the Software\Microsoft\Windows\CurrentVersion\Explorer\UserSigned value for the given ntuser.dat profile, 1 = true and 0 = false. + + The enabled element describes if the user account is enabled or disabled. - Note: For domain users, if a domain controller is not available, this will not return data. If using this data for a filter to include enabled accounts, it’s recommended to exclude accounts that are have been determined to be disabled, vs including ones that are enabled, as the later may filter out accounts for which the domain controller could not return data. 
+ Note: For domain users, if a domain controller is not available, this will not return data, and should be reported with a status of 'not collected'. If using this data for a filter to include enabled accounts, it’s recommended to exclude accounts that are have been determined to be disabled, vs including ones that are enabled, as the later may filter out accounts for which the domain controller could not return data. From 734c23effd60ac4fe50911ef9aaeed0430bce2dd Mon Sep 17 00:00:00 2001 From: Jack Vander Pol Date: Wed, 13 May 2026 09:48:33 -0400 Subject: [PATCH 3/5] Removed accidental commit related to issue #306 --- oval-schemas/windows-system-characteristics-schema.xsd | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/oval-schemas/windows-system-characteristics-schema.xsd b/oval-schemas/windows-system-characteristics-schema.xsd index eceb0fb..3701617 100644 --- a/oval-schemas/windows-system-characteristics-schema.xsd +++ b/oval-schemas/windows-system-characteristics-schema.xsd 
@@ -1688,13 +1688,7 @@ The last_logon data which can be obtained from the LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow registry values from HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0. For more information, refer to https://learn.microsoft.com/en-us/troubleshoot/windows-server/support-tools/scripts-to-retrieve-profile-age - - - - The user_has_signed_into_explorer element describes if the user account has ever interactively logged into Windows Explorer. This is important as User GPO's are applied when a user logs into Windows Explorer, and are not applied for non-interactive logins such as Ansible over SSH or Windows RM. Those non-interactive logins may cause false positives, and content authors may want to filter them out. - This can be determined by gathering the Software\Microsoft\Windows\CurrentVersion\Explorer\UserSigned value for the given ntuser.dat profile, 1 = true and 0 = false. - - + The enabled element describes if the user account is enabled or disabled. From 63fce367e9e5572d524256959447273d1c657ec8 Mon Sep 17 00:00:00 2001 From: Jack Vander Pol Date: Wed, 13 May 2026 12:34:34 -0400 Subject: [PATCH 4/5] Added MS documentation on HKEY_USERS --- oval-schemas/windows-system-characteristics-schema.xsd | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/oval-schemas/windows-system-characteristics-schema.xsd b/oval-schemas/windows-system-characteristics-schema.xsd index 3701617..7974973 100644 --- a/oval-schemas/windows-system-characteristics-schema.xsd +++ b/oval-schemas/windows-system-characteristics-schema.xsd 
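Review bot: PATCH 2/5 introduces the user_has_signed_into_explorer element in the @@ -1689 hunk of windows-system-characteristics-schema.xsd and PATCH 3/5 removes it again here as an accidental commit for issue #306; squash the two so the series neither adds nor withdraws the entity, which also avoids the leftover `+ ` blank line this hunk now inserts between last_logon and enabled.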
@@ -1680,7 +1680,8 @@ The logged_on element describes if the user account is currently logged on to the computer. - This can be determined by comparing the SIDs collected from the ProfileList against those populated in HKEY_USERS + This can be determined by comparing the SIDs collected from the ProfileList against those populated in HKEY_USERS\<SID> + HKEY_USERS: Contains all the actively loaded user profiles on the computer. https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users From 84f08b12ef2a40973dfecba184d8361498dcbad2 Mon Sep 17 00:00:00 2001 From: Jack Vander Pol Date: Thu, 14 May 2026 08:49:33 -0400 Subject: [PATCH 5/5] Added note on other API usage, to ensure the suggestion of HKEY_USERS is not mandated --- oval-schemas/windows-definitions-schema.xsd | 4 +++- oval-schemas/windows-system-characteristics-schema.xsd | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/oval-schemas/windows-definitions-schema.xsd b/oval-schemas/windows-definitions-schema.xsd index c83f11d..e4f38f3 100644 --- a/oval-schemas/windows-definitions-schema.xsd +++ b/oval-schemas/windows-definitions-schema.xsd @@ -4064,7 +4064,9 @@ The logged_on element describes if the user account is currently logged on to the computer. - This can be determined by comparing the SID’s against those populated in HKEY_USERS. + This can be determined by comparing the SIDs collected from the ProfileList against those populated in HKEY_USERS\<SID> + HKEY_USERS: Contains all the actively loaded user profiles on the computer. https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users + This data can also be obtained by other various Windows API's such as a combination of win32_logonsession and win32_loggedonuser, but the specifics are beyond the scope of OVAL documentation. 
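Review bot: The logged_on line changed in the PATCH 4/5 @@ -1680 hunk and repeated in the PATCH 5/5 @@ -4064 hunk shows `HKEY_USERS\<SID>` with raw angle brackets; in xsd:documentation this must be `&lt;SID&gt;` or the file stops being well-formed XML. Both that sentence and the quoted "HKEY_USERS: Contains all the actively loaded user profiles on the computer." line that precedes the Microsoft URL lack terminating punctuation and a separator before the URL, so the sentence and the link run together when rendered.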
diff --git a/oval-schemas/windows-system-characteristics-schema.xsd b/oval-schemas/windows-system-characteristics-schema.xsd index 7974973..6517e1b 100644 --- a/oval-schemas/windows-system-characteristics-schema.xsd +++ b/oval-schemas/windows-system-characteristics-schema.xsd @@ -1682,7 +1682,8 @@ The logged_on element describes if the user account is currently logged on to the computer. This can be determined by comparing the SIDs collected from the ProfileList against those populated in HKEY_USERS\<SID> HKEY_USERS: Contains all the actively loaded user profiles on the computer. https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users - + This data can also be obtained by other various Windows API's such as a combination of win32_logonsession and win32_loggedonuser, but the specifics are beyond the scope of OVAL documentation. +
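Review bot: In the sentence "This data can also be obtained by other various Windows API's such as a combination of win32_logonsession and win32_loggedonuser" added in the @@ -1682 hunk (and its twin in the windows-definitions-schema hunk of this patch), win32_logonsession and win32_loggedonuser are WMI classes (Win32_LogonSession and Win32_LoggedOnUser), not Windows APIs; naming them as WMI classes with their canonical casing and writing "APIs" rather than "API's" would make the note accurate. The hunk also replaces a whitespace-only `-` line, so check the surrounding indentation matches the rest of the documentation block.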