Thursday, February 20, 2014

Retina Finding JAVA Vulnerabilities When no Java Installed

BeyondTrust Retina kept reporting multiple Java findings on a Win7 system. Despite uninstalling Java and hunting down any reference to Java, JDK, or JRE in the registry and file system, I kept getting hits for multiple missing Oracle Java CPUs since Oct 2012. Retina would report that it found READ,F,WB,JavaHome. From going through the various Retina scan XML files I knew it was checking the registry for these values, but I had cleaned out the registry, and other than some misc references to Java in the various CLASS keys I knew that Retina should not be finding anything.

During another search of the registry I noticed that I did not have a Wow6432Node key in HKLM\software. This being a 64-bit install, I knew the key had to be there. I suspected that Retina was actually detecting those values in that registry node, but I could not get there.

After some basic research I found that there are actually different versions of regedit on 64-bit systems. If I could not see this node, I must be using the regedit.exe from c:\windows\syswow64, which is actually the 32-bit version. For whatever reason the default regedit on this system used the 32-bit version. I did a search on the entire C: drive and tried every regedit, all with the same result: no Wow6432Node. That is when I remembered you can surf the registry in PowerShell the same as a file system.

In PowerShell:
PS C:\> cd hklm:\software
Run ls or dir to get the contents, and sure enough there was a javasoft key and a subkey for "Java Runtime Environment", and the values were for 1.6.0_21.

So now all I had to do was cd back up a level or two to get out of the javasoft key, then run a delete:

remove-item -recurse javasoft

After doing that a new scan showed no Java findings.
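
The following is an added example, not part of the original post: a read-only check that lists every JavaHome value under SOFTWARE\JavaSoft in both the 64-bit and 32-bit registry views, so a leftover key is visible regardless of which regedit or PowerShell bitness is in use. It assumes PowerShell 3.0 or later (for the .NET 4 OpenBaseKey call); the function name Get-JavaHomeValues is hypothetical.

```powershell
# Added example: audit leftover JavaSoft entries in both registry views (read-only).
# Assumption: the scanner keys on JavaHome values under SOFTWARE\JavaSoft.
$subKeyPath = 'SOFTWARE\JavaSoft'   # same key name the post found

function Get-JavaHomeValues {
    param(
        [Microsoft.Win32.RegistryKey]$Key,
        [string]$ViewName
    )
    # Report a JavaHome value on this key, if present
    $javaHome = [string]$Key.GetValue('JavaHome')
    if ($javaHome) {
        [pscustomobject]@{
            View       = $ViewName
            Key        = $Key.Name
            JavaHome   = $javaHome
            # A missing path means the registry entry is stale, as in the post
            PathExists = Test-Path -LiteralPath $javaHome
        }
    }
    # Recurse into subkeys (e.g. "Java Runtime Environment\<version>")
    foreach ($name in $Key.GetSubKeyNames()) {
        $child = $Key.OpenSubKey($name)
        if ($child) {
            try { Get-JavaHomeValues -Key $child -ViewName $ViewName }
            finally { $child.Close() }
        }
    }
}

$hive  = [Microsoft.Win32.RegistryHive]::LocalMachine
$views = [Microsoft.Win32.RegistryView]::Registry64,
         [Microsoft.Win32.RegistryView]::Registry32   # Registry32 = Wow6432Node on 64-bit Windows

foreach ($view in $views) {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
    try {
        $root = $base.OpenSubKey($subKeyPath)
        if ($root) {
            try { Get-JavaHomeValues -Key $root -ViewName $view }
            finally { $root.Close() }
        } else {
            Write-Host "No $subKeyPath key in the $view view"
        }
    }
    finally { $base.Close() }
}
```

A row with PathExists set to False is a registry entry pointing at a Java install that is no longer on disk, which is the kind of remnant a registry-based scanner check will still flag.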
