Extended signature operators

Available from 9.2.2. The scan operations during which extended XML signature definitions are used are performed based on the processing instructions that are contained in the signature catalog. In computer languages, expressions consist of two types of components: operands and operators. Operands are the objects that are manipulated and operators are the symbols that represent specific actions. Operands and operators can be either scalar or vector.

The following definitions apply to operators and operands in the context of the signature catalog:

scalar operand: Returns a value in string format. An operand cannot have children. For example, the RegKeyValue scalar operand returns the value of the specified registry key.
scalar operator: Performs an operation on other operators and operands and returns results in string format. An operator can have children. For example, the AND operator, returns true or false as a result.
vector operand: Returns results as a set of strings. An operand cannot have children. For example, the FindFilePathEx operand, returns a set of file paths.
vector operator: Performs an operation on other operators and operands and returns results as a set of strings. An operator can have children. For example, the Vector operator, returns a set of strings that contain the results of all its children.

The structure of the signature catalog

Table 1. The structure of the signature catalog
Operands and operators	Function and supported attributes
Action	Specifies the action to be performed depending on the result of the Condition element. Attributes: onValue The value that causes the action to be performed. This attribute is required. do Specifies the operation to be performed. This attribute is required. The supported value is `SKIP`, which interrupts the signature or the iterator instance evaluation and prevents it from being returned in the output.
Condition	Verifies if the specified condition is met. It contains one or more Action elements, which specify the action to be performed depending on the result of the Condition element. Attributes: withVariable Specifies the name of the variable whose condition is to be verified. This attribute is required.
MultipleInstance	Groups information to identify a software product that might be installed in several instances on the same workstation. It contains 1 Iterator and 1 Instance element. Attributes: None Multiple instance - iterator on INSTALL_PATH `<MultipleInstance> <Iterator name="INSTALL_PATH"> <FindFilePathEx name=""/> </Iterator> <Instance> <Variable name="IS_INSTALLED"><!-- RULE --> </Variable> <Condition withVariable="IS_INSTALLED"> <Action onValue="false" do="SKIP"/> </Condition> </Instance> </MultipleInstance>` Multiple instance - iterator on a vector with calculation (options) of INSTALL PATH later on `<MultipleInstance> <Iterator name="ITER_VAR"> </Iterator> <Instance> <Variable name="IS_INSTALLED"><!-- RULE --> </Variable> <Variable name="INSTALL_PATH"><!-- RULE --> </Variable> <Condition withVariable="IS_INSTALLED"> <Action onValue="false" do="SKIP"/> </Condition> </Instance> </MultipleInstance>`
Variable	Is a container for a single value that is expressed as a string whose return value is given by the result of a set of operators and operands. Attributes: name Specifies the name of the variable. It is unique in the containing signature scope. This attribute is required. export Specifies if the output of the variable is to be exported. Supported values are `true` and `false`. The default value is `true`. This attribute is optional.

Core expressions


Operands and operators	Function and supported attributes
And	Performs a logical AND operation between the results of all its children. If one of the operations returns false, the whole operation is set to false without performing further evaluation on the remaining children. At least one child is required. Properties: Result type: scalar [`true` \| `false`] Expression type: operator Example: `<And> ....scalar operators and operands returning a Boolean value </And>`
Clip	Returns a substring that is a range of consecutive characters from a string, starting with the character whose index is specified as startIndex and ending with the character whose index is specified as endIndex. Properties: Result type: scalar Expression type: operand Example: For example: the substring `234` is returned when: `<Clip inputString="123456789" startIndex="1" endIndex="3"/>` Attributes: inputString Specifies the string to be cropped. startIndex Specifies the index of the character in the input string that the substring should start with. An index of 0 refers to the first character of the input string. endIndex Specifies the index of the character in the input string that the substring should end with. An index of 0 refers to the last character of the input string. Note: It is recommended to use the new operator StringSlice whose range is wider than that of Clip because StringSlice supports negative indexes in Python syntax.
Compare	Compares two expressions based on the value of the relation attribute. The result is `true` if the expression is satisfied, `false` if the expression is not satisfied. Properties: Result type: scalar Expression type: operator Example: `<Compare relation="relation" type="type" > <Expression 1/> <Expression 2/> </Compare>` Attributes: relation Specifies the relation to be evaluated. The supported values are as follows: `eq` - equal to `ne` - not equal to `gt` - greater than `ge` - greater than or equal to `lt` - less than `le` - less than or equal to type Specifies the format of the expressions to be compared. The supported values are as follows: `version` - Compares two versions. The version is expressed by no more than four numbers that are separated by periods or commas. `integer` - Compares two integers. `string` - Compares two strings. `cistring` - Compares two case-insensitive strings. `boolean` - The comparison is to be performed between two Boolean values. `hex` - Compares two unsigned 4-byte hexadecimal integers. The 0x prefix is optional.
Concat	Returns a concatenation of the expressions. Properties: Result type: scalar Expression type: operator Example: `<Concat [separator="separator"] [ifEmpty="{add\|skip}"] > <Expression 1/> <Expression 2/> ... </Concat>` Attributes: separator Specifies the separator to insert between two expressions. This attribute is optional. The default value is an empty string. ifEmpty Specifies if the separator must be added if the expression to concatenate is empty. This attribute is optional. Supported values are as follows: `skip` If the string is empty, the separator is not added. This is the default value. `add` If the string is empty, the separator is added.
Contains	Checks if the string contains a string. Properties: Result type: scalar [{true\|false}] Expression type: operand Example: `<Contains inputString="example_string" searchedString= "example_string_to_search" position = ["start" \| "end" \| "contains"]/>` Attributes: inputString Specifies string to search in. searchedString Specifies string to search. position Specifies where to search. `start` Checks if the searched string is at the beginning. `end` Checks if searched string is at the end. `contains` Checks if searched string is somewhere in the original string.
FileInfoCompare	Returns the information that is specified in the field attribute. Properties: Result type: scalar [{true\|false}] Expression type: operand Example: `<FileInfoCompare absolutePath="absolute_path" field="field" value="value" relation="relation" [mustExist="{true\|false}"] />` Attributes: absolutePath Specifies the absolute path to the file to evaluate. field Compares two files by one of the values that are supported, which are as follows: `size` `inode` (UNIX™ only) `atime` - the date the file was accessed in UNIX™ time stamp format. `ctime` - the date the file was created in UNIX™ time stamp format. `mtime` - the date the file was modified in UNIX™ time stamp format. relation Specifies the relation to be evaluated. value Specifies the value to compare with. mustExist Indicates that the specified file must exist. This attribute is optional. The default value is `false`. If this attribute is set to `true` and the specified file does not exist, the current signature is not evaluated.
FileExists	Returns a Boolean value that indicates if the specified file exists. Properties: Result type: scalar [`true` \| `false`] Expression type: operand Example: `<FileExists absolutePath="absolute_path" />` Attributes: absolutePath Specifies the absolute path to the file to be searched.
Not	Performs a logical NOT operation on the result of its one child. Only one child is allowed. Properties: Result type: scalar [`true` \| `false`] Expression type: operator Example: `<Not> .... a single scalar operator or operand returning a Boolean value </Not>`
PathExists	Returns a Boolean value that indicates if the specified path exists. Properties: Result type: scalar Expression type: operand Example: `<PathExists absolutePath="absolute_path" />` Attributes: absolutePath Specifies the absolute path to be searched.
Or	Performs a logical OR operation between the results of all its children. If one of the operations returns "true", the whole operation is set to "true" without performing further evaluation on the remaining children. At least one child is required.
Substring	Searches through a string that contains multiple lines of text and returns the lines of a string that contain the search text. Properties: Result type: vector Expression type: operand Example: `<Substring inputString="input_string_to_search" searchedString= "string_to_search_for"/>` Attributes: inputString Input string that contains multiple lines. searchedString The string that is searched for.
Vector	Returns a vector that contains the union of all its children, duplicates are included. If you specify a filter, the result contains only the strings that match the pattern. filter: Specifies the filter criteria to be applied to the search. The asterisk (*) and question mark (?) wildcards are supported.
VectorAt	Returns the vector element for the specified position. Properties: Result type: scalar Expression type: operator Example: `<VectorAt index="index_number"> ... any number of scalar/vector operator/operand </VectorAt>` Attributes: index Specifies the wanted vector position. The first vector element has position "1".
VectorToScalar	Converts a vector to its scalar representation. You must convert a vector to scalar because only scalars can be compared.

File system expressions


Operands and operators	Function and supported attributes
FindFilePathEx	Searches for the specified file in the specified locations. The result is a vector of all the paths where at least one entry that matches the specified file is found. The operand searches either the cache or the file system depending on the settings that are defined for the file system scanner. To have the operand search the file system, set the maxDataAge attribute to zero in the configuration file. An extra filter can be set to refine the file search. Such a filter can contain a file system scanner query, which is applied to the found file. If the filter returns a true condition, the directory for the file is returned, otherwise it is not returned. Properties: Result type: vector Expression type: operand Example: `< FindFilePathEx name="file_name"[filter="query_filter"] [recursive="{true\|false}"] [appendFileName="{true\|false}"]/>` Attributes: name Specifies the file mask to be searched. This attribute is required. appendFileName Specifies if the results contain the file name. This attribute is optional. The supported values are as follows: `true` `false` filter Specifies a file system query.
FileInfoMatch	Searches for a file with the specified name and attributes in the specified locations. The result is `true` if at least one matching file is found. Properties: Result type: scalar Expression type: operand Example: `<FileInfoMatch [rootPath="root_path"] [recursive="{true\|false}"] name="file_name" field="field" values="values" />` Attributes: rootPath Specifies the path where the search is to be performed. The default value is /. Wildcards () (?) are supported. The path is indicated according to the following syntax: `media_type::]drive:path` where `media_type` Specifies the media type and can assume the following values: $local Includes local disks. This is the default value. $remote Includes remote disks $other On Windows™ systems, includes other disk types, such as CDROM, DVD. On UNIX™ systems, this value is not supported and is expressed with the `$local` value. $all Includes all disks that are listed above. If the `media_type` variable is not specified, the `$local` value is assumed, therefore, if you want to scan disks other than local, specify a value for the `media_type` variable. `drive` Specifies the drives to be excluded. You can indicate one or more specific drives or you can use the `$local`, `$remote`, `$other`, and `$all` values. In this case, all drives in the specified category are excluded from the search. This variable is optional on UNIX™ operating systems. `path` Specifies the path to be excluded. Wildcards () and (?) are supported. This attribute is optional. recursive Specifies if the search is to be performed in the specified path and in all its subdirectories. Supported values are `true` and `false`. The default value is `true`. This attribute is optional. name Specifies the file name to be searched. This attribute is required. Wildcards (*) and (?) are supported. field Compares two files by one of the values that are supported, which are as follows: `size` `inode` (UNIX™ only) `atime` - the date the file was accessed in UNIX™ time stamp format. `ctime` - the date the file was created in UNIX™ time stamp format. `mtime` - the date the file was modified in UNIX™ time stamp format. values Specifies one or more values for the attribute that is specified in the field attribute. If more than one value is specified, the items are concatenated by using the Unicode control character "Private Use 1" with ASCII code 0x0091. date Returns the creation, access, and modification dates of the file.
ReadFile	Returns in string form the text from a file on the system. Properties: Result type: scalar Expression type: operand Example: `<ReadFile path="path_to_file" [trim="{true\|false}"][fileType="{native\|utf8}"]/>` Attributes: Path Specifies the path to the file. trim Indicates if new line special characters must be removed from the content of the file. The default is `false`. fileType Indicates the type of file. The default is `native`.

Native registry expressions


Operands and operators	Function and supported attributes
AixProductInfo	Returns any information about the supported AIX® operating systems. Properties: Result type: scalar Expression type: operand Example: `<AixProductInfo code="product_code" field="{name\|version\|vendor\|description\|installDir}" [mustExist="{true\|false}"] />` Attributes: code Specifies the product code that uniquely identifies an AIX® ODM package. The product code can be retrieved only by using the AixProductList operand. For more information about this operand, see AixProductList. field Specifies the information to be retrieved. Supported values are as follows: `name` `version` - The version is expressed by no more than four numbers that are separated by periods or commas. `vendor` `description` `installDir` mustExist Specifies whether to stop the operand evaluation if the specified file does not exist. Supported values are `true` and `false`. The default value is `false`. This attribute is optional. If this attribute is set to `true` and the specified file does not exist, the current signature is not evaluated. If the attribute is `false` and the specified file does not exist, the return value is an empty string.
AixProductList	Returns the set of AIX® ODM package codes. The codes that are returned can be used with the AixProductExists and AixProductInfo operands. Properties: Result type: vector Expression type: operand Example: `<AixProductList [filter="filter_expression"] [type="type"] />` Attributes: type Applies a filter based on the product type. This attribute is optional. Supported values are as follows: `any` Returns both products and any subproducts. This is the default value. `product` Returns only products. filter Specifies the filter criteria to be applied to the search. The asterisk (*) and question mark (?) wildcards are supported. This attribute is optional.
HpProductInfo	Returns the requested information, if available. Properties: Result type: scalar Expression type: operand Example: `<HpProductInfo code="product_code" field="{name\|version\| vendor\|installDir}"/>` Attributes: code Specifies the product and subproduct code that uniquely identifies an HP-UX package. The product and subproduct code can be retrieved only by using the HpProductList operand. For more information about this operand, see HpProductList. This attribute is optional. field Specifies the information to be retrieved. Supported values are as follows: `name` `version` - The version is expressed by no more than four numbers that are separated by periods or commas. `vendor` `installDir`
HpProductList	Returns the set of HP-UX package codes. The codes that are returned can be used with the HpProductExists and HpProductInfo operands. Properties: Result type: vector Expression type: operand Example: `<HpProductList [filter="filter_expression"] [type="type"] />` Attributes: type Applies a filter based on the product type. This attribute is optional. Supported values are as follows: `any` Returns both products and any subproducts. This is the default value. `product` Returns only products. `subproduct` Returns only subproducts. filter Specifies the filter criteria to be applied to the search. The asterisk (*) and question mark (?) wildcards are supported. This attribute is optional.
RpmProductExists	Indicates if the specified package is installed. Properties: Result type: scalar [true \| false] Expression type: operand Operating system: supported on Linux™ and AIX Example: `<RpmProductExists code="product_code" />` Attributes: code Specifies the product code that uniquely identifies an RPM package. The product code can be retrieved by using the RPMProductList operand. For more information about this operand, see RpmProductList. The product code can also be listed with the `rpm -qa` command. The command returns all available codes that identify RPM packages. The codes can either define the package architecture or not; for example: kernel-2.6.32-358.el6.x86_64 or kernel-2.6.32-358.el6.
RpmProductList	Returns the set of RPM package codes. The codes that are returned can be used with the RpmProductExists and RpmProductInfo operands. Properties: Result type: vector Expression type: operand Operating system: supported on Linux™ and AIX Example: `<RpmProductList [filter="filter_expression"] [type="type"] />` Attributes: filter Specifies the filter criteria to be applied to the search. The asterisk (*) and question mark (?) wildcards are supported. This attribute is optional. type Applies a filter based on the product type. This attribute is optional. Supported values are as follows: `any` Returns both products and any subproducts. This is the default value. `product` Returns only products.
SunProductInfo	Returns the requested information, if available. Properties: Result type: scalar Expression type: operand Operating system: supported Oracle Solaris operating environments Example: `<SunProductInfo code="produt_code" field="{name\|version\|displayVersion\|vendor\|installDir}"/>` Attributes: code Specifies the product code that uniquely identifies an Oracle Solaris package. The product code can be retrieved only by using the SunProductList operand. For more information about this operand, see SunProductList. field Specifies the information to be retrieved. Supported values are as follows: `name` Returns the name of the product. `version` Returns the product version and revision number, for example 3.7.2101. `displayVersion` Returns the product version and revision number, for example 3.7.2101, REV=0.98.08.26. `vendor` Returns the name of the vendor. `installDir` Returns the topmost installation directories.
SunProductList	Returns the set of Sun Solaris package codes. The codes that are returned can be used with the SunProductExists and operands. Properties: Result type: vector Expression type: operand Operating system: supported Sun Solaris operating environments Example: `<SunProductList [filter="filter_expression"] [type="type"] />` Attributes: type Applies a filter based on the product type. This attribute is optional. Supported values are as follows: `any` Returns both products and any subproducts. This is the default value. `product` Returns only products. filter Specifies the filter criteria to be applied to the search. The asterisk (*) and question mark (?) wildcards are supported. This attribute is optional.
Win32ProgramInfo	Returns the requested information, if available. Properties: Result type: scalar Expression type: operand Operating systems: all supported Windows™ operating systems Example: `<Win32ProgramInfo code="product_code" field="{name\|description\|version\|vendor\|installDir\|uninstData}"/>` Attributes: code Specifies the product code that uniquely identifies a Win32 program. The program code can be retrieved only by using the Win32ProgramList operand. For more information about this operand, see Win32ProgramList. field Specifies the information to be retrieved. Supported values are as follows: `name` Returns the patch name. `description` Returns the patch description. `version` Returns the product version. The version is expressed by no more than four numbers that are separated by periods or commas. `vendor` Returns the product vendor. `installDir` Returns the product installation directory. `uninstData` Returns the product uninstallation command.
Win32ProgramList	Returns the set of packages installed. The codes that are returned can be used with the Win32ProgramExists and Win32ProgramInfo operands. Properties: Result type: vector Expression type: operand Operating systems: all supported Windows™ operating systems Example: `<Win32ProgramList [filter="filter_expression"] [type="type"] />` Attributes: type Applies a filter based on the product type. This attribute is optional. Supported values are as follows: `any` Returns both products and any subproducts. This is the default value. `product` Returns only products. filter Specifies the filter criteria to be applied to the search. The asterisk (*) and question mark (?) wildcards are supported. This attribute is optional.

Registry operands


Operands and operators	Function and supported attributes
PackageInfoEqual	Returns true if an item with the same name, version, and vendor exists in the specified registry. Properties: Result type: scalar [true \| false] Expression type: operand Example: `<PackageInfoEqual provider="{any \| ismp \| os}" code="product_code" value="name_version_vendor" />` Attributes: provider Specifies the installation database to be searched. Supported values are as follows: `any` Specifies that the search is performed on the operating system installation database and then on the ISMP installation database. `OS` Specifies that the search is performed on the operating system installation database. `ismp` Specifies that the search is performed on the ISMP installation database. code Specifies the product code that uniquely identifies the product. value Comprises the concatenation of the name, version, and vendor strings for the product. Separate each string with a blank space; empty strings can be omitted.
PackageInfoMatch	Returns true if an item with the same name, version, and vendor exists in any registry. Properties: Result type: scalar [true \| false] Expression type: operand Operating systems: all supported operating systems Example: `<PackageInfoMatch vendor="product vendor" name="product name" version="product version" />` Attributes: vendor Specifies the product vendor. name Specifies the name of the product. version Specifies the product version number. The wildcard (*) is supported.

Windows™ registry expressions


Operands and operators	Function and supported attributes
RegKeyExists	Indicates whether the specified key exists. Properties: Result type: scalar [true \| false] Expression type: operand Example: `<RegKeyExists key="key" [section="{32\|64\|32or64\|64or32}"]/>` Attributes: key Specifies the full registry key name in registry_key\registry_subkey format. section Specifies the attribute that indicates which section of the registry the search is to be performed on. This is the parameter introduced to make sure that the scanner functions correctly on 64-bit systems. Its values are: `32` The search is only performed on the 32-bit part of the registry. `64` The search is only performed on the 64-bit part of the registry. `32or64` The search is performed on the 32-bit part first, then on the 64-bit part of the registry. `64or32` The search is performed on the 64-bit part first, then on the 32-bit part of the registry. Default value is `32`.
RegKeyList	Searches the Windows™ registry under the key that is specified in the root attribute, and returns a list of keys that are in the registry under the root key. If the subKeys attribute is set to `false`, only the values in the root key are returned. Properties: Result type: vector Expression type: operand Example: `<RegKeyList root="root_key" [section="{32\|64\|32or64\|64or32}"] [subKeys="{true\|false}"]/>` Attributes: root Specifies the full registry key name in registry_key\registry_subkey format. section Specifies the attribute that indicates which section of the registry the search is to be performed on. (This is the parameter introduced to make sure that the scanner runs correctly under 64-bit systems. Its values are: `32` The search is only performed on the 32-bit part of the registry. `64` The search is only performed on the 32-bit part of the registry. `32or64` The search is performed on the 32-bit part first, then on the 64-bit part of the registry. `64or32` The search is performed on the 64-bit part first, then on the 32-bit part of the registry. Default value is `32`. subKeys Specifies if subkeys must be returned. The default value is `false`.
RegKeyValue	Returns the current value for the specified registry key. When the registry key is a REG_DWORD entry, the key attribute returns a decimal value. Properties: Result type: scalar Expression type: operand Example: `<RegKeyValue entry="entry" key="key" [section="{32\|64\|32or64\|64or32}"] [mustExist="{true\|false}"]/>` Attributes: key Specifies the full registry key name in registry_key\registry_subkey format. entry Specifies the name of the value that is contained in the key. To retrieve the value of registry entries that are named `"(Default)"`, you must specify a null value for the entry attribute, for example `entry=""`. section Specifies the attribute that indicates which section of the registry the search is to be performed on. This is the parameter introduced to make sure that the scanner runs correctly on 64-bit systems. Its values are: `32` The search is only performed on the 32-bit part of the registry. `64` The search is only performed on the 32-bit part of the registry. `32or64` The search is performed on the 32-bit part first, then on the 64-bit part of the registry. `64or32` The search is performed on the 64-bit part first, then on the 32-bit part of the registry. Default value is `32`. mustExist Specifies whether to stop the operand evaluation if the specified key does not exist. Supported values are `true` and `false`. The default value is `false`. This attribute is optional. If this attribute is set to `true` and the specified key does not exist, the current signature is not evaluated. If this attribute is set to `false` and the specified key does not exist, an empty string is returned.
RegKeyValueContains	Specifies whether the specified registry key contains the specified value. Properties: Result type: scalar [true \| false] Expression type: operand Example: `<RegKeyValueContains entry="entry" key="key" value="value" [section="{32\|64\|32or64\|64or32}"] [mustExist="{true\|false}"]/>` Attributes: key Specifies the full registry key name in registry_key\registry_subkey format. entry Specifies the name of the value that is contained in the key. value Specifies the value that must be contained in the entry. section Specifies the attribute indicating which section of the registry the search should be performed on. This is the parameter introduced to make sure that the scanner runs correctly on 64-bit systems. Its values are: `32` The search is only performed on the 32-bit part of the registry. `64` The search is only performed on the 32-bit part of the registry. `32or64` The search is performed on the 32-bit part first, then on the 64-bit part of the registry. `64or32` The search is performed on the 64-bit part first, then on the 32-bit part of the registry. Default value is `32`. mustExist Specifies whether to stop the operand evaluation if the specified key does not exist. Supported values are `true` and `false`. The default value is `false`. This attribute is optional. If this attribute is set to `true` and the specified key does not exist, the current signature is not evaluated. If this attribute is set to `false` and the specified key does not exist, an empty string is returned.
RegKeyValueEqual	Indicates if the specified registry key value is equal to the specified key. key Specifies the full registry key name in registry_key/registry_subkey format. entry Specifies the name of the value that is contained in the key. value Specifies the value to be compared. When the registry key that is specified in the entry attribute is a REG_DWORD entry, enter a decimal value in the value attribute.
RegKeyVersionCompare	Compares the specified registry key value with the specified version based on the value of the relation attribute. Properties: Result type: scalar [`true` \| `false`] Expression type: operand Example: `<RegKeyVersionCompare key="key" entry="entry" relation="relation" value="value" [section="{32\|64\|32or64\|64or32}"] [mustExist="{true\|false}"]/>` Attributes: key Specifies the full registry key name in `registry_key\registry_subkey` format. entry Specifies the name of the value that is contained in the key. relation Specifies the relation to be evaluated. Supported values are as follows: `eq` - equal to `ne` - not equal to `gt` - greater than `ge` - greater than or equal to `lt` - less than `le` - less than or equal to value Specifies the version to be compared. Note: When the registry key that is specified in the entry attribute is a REG_DWORD entry, enter a decimal value in the value attribute. The supported value is version. The version is expressed by up to four numbers that are separated by periods or commas. Note: When the registry key that is specified in the entry attribute is a REG_BINARY entry in the value field, enter a string that looks exactly like the "data" field when you are viewing the field in the registry editor. This string must be of a series of two-digit numbers that are separated by spaces, for example, "01 01" "10 11 10". section Specifies the attribute that indicates which section of the registry the search is to be performed on. This is the parameter introduced to make sure that the scanner runs correctly on 64-bit systems. Its values are: `32` The search is only performed on the 32-bit part of the registry. `64` The search is only performed on the 64-bit part of the registry. `32or64` The search is performed on the 32-bit part first, then on the 64-bit part of the registry. `64or32` The search is performed on the 64-bit part first, then on the 32-bit part of the registry. The default value is `32`. mustExist Specifies whether to stop the operand evaluation if the specified key does not exist. Supported values are `true` and `false`. The default value is `false`. This attribute is optional. If this attribute is set to `true` and the specified key does not exist, the current signature is not evaluated.