
Secure Boot Status

Description: Checks status of Secure Boot.

What The Data Shows: Secure Boot matters because it helps prevent malicious code from loading during startup.

SQL:

WITH sb1 AS (
  SELECT COUNT(*) AS cnt,
         1 AS one
  FROM registry
  WHERE PATH='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled'
  ),
sb2 AS (
  SELECT COUNT(*) AS cnt,
         1 AS one
  FROM registry
  WHERE PATH='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled'
    AND DATA = 1
)
SELECT
  CASE
    WHEN sb1.cnt = 0 THEN "NON-UEFI"
    WHEN sb2.cnt = 1 THEN "ENABLED"
    WHEN sb2.cnt = 0 THEN "DISABLED"
  END SECUREBOOT_STATUS
FROM sb1
JOIN sb2 USING(one);
6 Comments
Query_Admin
Community Manager
Status changed to: Approved

NadavK
New Contributor III

Hi All,

Is this query still valid?

Tried it on both a computer with Secure Boot Enabled and Secure Boot Disabled and I'm getting no results.

Please assist :)

jnelson
Carbon Black Employee

@NadavK thanks for pointing this out. It had been updated in the product, but not here. I have since updated this post with the new query.

NadavK
New Contributor III

Hi @jnelson ,

Thank you for updating this query!

Can you please explain what the "NON-UEFI" case means?

I've encountered a computer that is running with UEFI + Secure Boot enabled and returns this result.

Also encountered this result on a computer that has no Secure Boot enabled.

Thanks!

NadavK
New Contributor III

The query within CB Response does not work properly.

Changed the above query to this query and it worked with no issues:

WITH sb1 AS (
  SELECT COUNT(*) AS cnt,
         1 AS one
  FROM registry
  WHERE PATH='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled'
  ),
sb2 AS (
  SELECT COUNT(*) AS cnt,
         1 AS one
  FROM registry
  WHERE PATH='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled'
    AND DATA = 1
)
SELECT CASE
    WHEN sb1.cnt = 0 THEN 'NON-UEFI'
    WHEN sb2.cnt = 1 THEN 'ENABLED'
    WHEN sb2.cnt = 0 THEN 'DISABLED'
  END SECUREBOOT_STATUS
FROM sb1
JOIN sb2 USING(one);

jnelson
Carbon Black Employee

@NadavK on systems with UEFI the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled should be present. In the NON-UEFI case this key is not present.

Can you please provide the content of the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State\ and tell me what the Windows version is?
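A single-pass variant of the status check from the post, together with the diagnostic listing jnelson asks for above, as an added example (not the post's query or Carbon Black's own code); it assumes the osquery-style `registry` table with `key`, `path`, `name`, `type` and `data` columns that the queries in this thread run against:

```sql
-- Added example (not from the post). Assumes osquery's registry table
-- with columns key, path, name, type, data.

-- 1. Same three outcomes as the post's query, but from one aggregate
--    scan: an aggregate with no GROUP BY always returns exactly one row,
--    so the "value absent" case needs no second CTE and no JOIN.
--    value absent      -> NON-UEFI (no UEFISecureBootEnabled value present)
--    value present = 1 -> ENABLED
--    value present = 0 -> DISABLED
SELECT
  COUNT(*)  AS value_count,   -- 0 when the value is absent
  MAX(data) AS raw_data,      -- NULL when absent, otherwise '0' or '1'
  CASE
    WHEN COUNT(*) = 0                   THEN 'NON-UEFI'
    WHEN MAX(CAST(data AS INTEGER)) = 1 THEN 'ENABLED'
    ELSE                                     'DISABLED'
  END       AS secureboot_status
FROM registry
WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled';

-- 2. Diagnostic: list every value under the State key. On a host that
--    reports NON-UEFI despite having UEFI firmware, this shows whether the
--    value is missing, named differently, or holds unexpected type/data.
SELECT name, type, data
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State';
```

Both statements use single-quoted string literals, the change NadavK needed to make the original query run.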