diff --git a/oval-schemas/windows-definitions-schema.xsd b/oval-schemas/windows-definitions-schema.xsd
index 59a3885..54b603f 100644
--- a/oval-schemas/windows-definitions-schema.xsd
+++ b/oval-schemas/windows-definitions-schema.xsd
@@ -3931,6 +3931,8 @@
The ntuser test is used to check metadata associated with Windows ntuser.dat files. It extends the standard TestType as defined in the oval-definitions-schema and
one should refer to the TestType description for more information. The required object element references a ntuser_object and the optional state element specifies the ntuser
data to check.
+
+ To ensure consistent results across OVAL interpreters, application developers should refer to documentation in the ntuser_item when implenting this test.
ntuser_test
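Review bot: typo in the added sentence: "implenting" should read "implementing". Since the sentence points developers to the ntuser_item documentation for implementation guidance, consider naming where that lives (windows-system-characteristics-schema.xsd) so readers of this file can find it.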
@@ -4035,11 +4037,13 @@
This element describes a registry key normally found in the HKCU hive to be tested.
+ Note: The key not existing on the target does not impact the overall existence of the ntuser_item.
This element describes the name of a value of a registry key.
+ Note: The name not existing on the target does not impact the overall existence of the ntuser_item.
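Review bot: the two added Notes say "not existing on the target", while the matching Notes added to the ntuser_item in windows-system-characteristics-schema.xsd in this same change say only "not existing"; use one wording in both schemas. It would also help to state which status the key and name entities carry in the collected item when they are absent, since the Note only says the item's own existence is unaffected.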
@@ -4062,16 +4066,18 @@
The logged_on element describes if the user account is currently logged on to the computer.
+ This can be determined by comparing the SID’s against those populated in HKEY_USERS
- The last_logon data, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0.
+ The last_logon data which can be obtained from the LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow values, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0.
The enabled element describes if the user account is enabled or disabled.
+ Note: For domain users, if a domain controller is not available, this will not return data. If using this data for a filter to include enabled accounts, it’s recommended to exclude accounts that are have been determined to be disabled, vs including ones that are enabled, as the later may filter out accounts for which the domain controller could not return data.
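Review bot: the added logged_on sentence is less precise than its counterpart in the system-characteristics schema: it should say which SIDs are compared (those collected from ProfileList), and "SID’s" should be "SIDs" with no apostrophe. In the last_logon change, "converted to days" does not say how LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow are combined into a single timestamp, nor what reference point the day count is measured from; interpreters cannot produce consistent values without that. The enabled Note needs grammar fixes ("accounts that are have been determined" -> "accounts that have been determined", "the later" -> "the latter", "vs" -> "rather than") and should state which status the enabled entity reports when the domain controller cannot be reached, since "will not return data" is not a defined item status.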
@@ -4088,6 +4094,7 @@
This element describes the filepath of the ntuser.dat file.
+ The existance of each ntuser.dat file determines the overall ntuser_item existence.
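Review bot: "existance" should be "existence". Consider also stating the converse explicitly, that is, what is reported when the filepath from ProfileImagePath does not exist (an item with status 'does not exist', or no item at all), so this sentence and step 2 of the ntuser_item implementation notes describe both outcomes the same way.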
diff --git a/oval-schemas/windows-system-characteristics-schema.xsd b/oval-schemas/windows-system-characteristics-schema.xsd
index 6ff9177..c0bf2e9 100644
--- a/oval-schemas/windows-system-characteristics-schema.xsd
+++ b/oval-schemas/windows-system-characteristics-schema.xsd
@@ -1629,6 +1629,22 @@
The windows ntuser_item specifies information that can be collected from a particular ntuser.dat file.
+To ensure consistent results across OVAL interpreters, the following implementation methods are recommended. Note that there may be other technical ways to obtain the data, which vendors may choose to implement.
+1. Finding Human User Profiles
+ a. Obtain a list of User Profiles from the following registry key, where each subkey is a profile that may be included in scope for this test
+ i. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList
+ b. Determine which user profiles are from ‘human’ users
+ i. Exclude profiles for LocalService, Network service etc.. by excluding subkeys in the format of S-1-5-<number*gt;
+ ii. Exclude profiles for Per-Service SIDs by excluding subkeys in the format of S-1-5-80-<number*gt;-<number*gt;-<number*gt;-<number*gt;-<number*gt;
+ iii. Include Local and Domain User SIDs by including subkeys match the format of S-1-5-21-<number*gt;-<number*gt;-<number*gt;-<number*gt;
+ c. Obtain ntuser filepath from the ProfileImagePath value of 'human' profiles
+2. Creating ntuser items
+If the filepath obtained from the ProfileImagePath exists on the target system, create a ntuser_item with a status of 'exists'
+3. Gathering per user registry key data
+ a. If a user is logged in, their ntuser.dat file will be locked and the OVAL interpreter will not be able to read it, the OVAL interpreter will need to obtain that data from HKEY_USERS\<sid_of_logged_in_user>
+ b. If a user is not logged in, the OVAL interpreter will need to obtain the data directly from the users ntuser.dat file.
+ Note: There are many different methods depenending on programming language to parse ntuser.dat files, and each OVAL interpreter may choose their own methods.
+ If no other programming language native methods are available, it is advised not to load the ntuser.dat file directly from its original location, as it will lock the file and prevent that user from logging into Windows. The file will need to be copied/renamed to a temporary location and then loaded, used and unloaded and removed.
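Review bot: the registry path in step 1.a.i reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList; the key name is "Windows NT" with a space, so an implementer copying this string would not find the key. In steps 1.b.i to 1.b.iii the SID placeholders render as "<number*gt;", which looks like a broken character reference; inside xsd:documentation both angle brackets must be escaped (&lt;number&gt;) or the schema will not be well-formed. Those steps also mix a deny list (exclude S-1-5-<n> and S-1-5-80-...) with an allow list (include S-1-5-21-...); if 1.b.iii governs, the two exclusions are redundant, so say which rule decides and what happens to subkeys matching neither. Step 2: "a ntuser_item" -> "an ntuser_item". Step 3.a is a comma splice ("...will not be able to read it, the OVAL interpreter will need..."); split it into two sentences. Step 3 Note: "depenending" -> "depending". The last paragraph tells implementers to copy ntuser.dat to a temporary location and load it; add that the copy contains the user's entire HKCU content, so the temporary location must be readable only by the interpreter's account, the hive must be unloaded even on error paths, and the copy removed afterwards, otherwise a scan leaves user registry data exposed to other local accounts. Loading a hive also requires the backup and restore privileges, so the text should state that this path assumes the interpreter runs with administrative rights.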
@@ -1637,6 +1653,7 @@
This element describes a registry key normally found in the HKCU hive to be tested.
+ Note: The key not existing does not impact the overall existence of the ntuser_item.
@@ -1644,6 +1661,7 @@
This element describes the name of a registry key. If the xsi:nil attribute is set to true, then the item being represented is the
higher level key. Using xsi:nil here will result in a status of 'does not exist' for the type, and value entities since these entities are not
associated with a key by itself.
+ Note: The name not existing does not impact the overall existence of the ntuser_item.
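Review bot: "name not existing" is ambiguous here because the preceding sentence already uses xsi:nil for the case where no name entity is given; clarify that the Note is about a named value that is absent from the hive, and state the status the name entity gets in that case.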
@@ -1656,6 +1674,7 @@
The username entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a
result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in
the form: "domain\user name". For local users use: "computer name\user name".
+ Note: When gathering the built-in Guest and build-in Administrator, they may not resolve and may need to have the ComputerName prepended to it.
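Review bot: "build-in" should be "built-in", and "they may not resolve and may need to have the ComputerName prepended to it" does not say what fails to resolve (the SID-to-name lookup) or what "it" refers to. Suggest: "Note: when the SIDs of the built-in Guest and built-in Administrator accounts are resolved, the lookup may return only the account name; prepend the computer name so the value matches the 'computer name\user name' form above."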
@@ -1666,16 +1685,18 @@
The logged_on element describes if the user account is currently logged on to the computer.
+ This can be determined by comparing the SIDs collected from the ProfileList against those populated in HKEY_USERS
- The last_logon data, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0.
+ The last_logon data, which can be obtained from the LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow values, converted to days and then rounded down to the nearest integer (floor function). If the account is determined to be currently logged in, this date should be reported as 0.
The enabled element describes if the user account is enabled or disabled.
+ Note: For domain users, if a domain controller is not available, this will not return data. If using this data for a filter to include enabled accounts, it’s recommended to exclude accounts that are have been determined to be disabled, vs including ones that are enabled, as the later may filter out accounts for which the domain controller could not return data.
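Review bot: same issues as the parallel hunk in windows-definitions-schema.xsd: the last_logon text should say how LocalProfileLoadTimeHigh and LocalProfileLoadTimeLow combine into one timestamp and what the day count is relative to, and the enabled Note needs the grammar fixes ("accounts that are have been determined", "the later", "vs") plus a stated entity status for the case where the domain controller is unreachable. The logged_on sentence here ("SIDs collected from the ProfileList") is the better of the two versions; copy it back to the definitions schema so the two documents agree.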
@@ -1692,6 +1713,7 @@
This element describes the filepath of the ntuser.dat file.
+ The existance of each ntuser.dat file determines the overall ntuser_item existence.
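Review bot: "existance" -> "existence", as in the parallel hunk in the definitions schema. Also say what is reported when the file is missing, so this sentence and step 2 of the implementation notes above cover both outcomes consistently.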