Analysis - result REG_MULTI_SZ values

I have created an analysis with the relevance of:
(value “PagingFiles” of key “HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” of native registry)

I am getting the first result, but not subsequent. I’ve read other posts that I should be seeing
"You will get a string with all values in MULTI_SZ concatenated with %00 something like “value1%00value2%00value3%00%00”."

I’m expecting a result of 2 page files, but I’m only receiving 1. What do I need to add to get the analysis to result in all values?

Thanks,
Joe

@joe_cool

Thanks for sharing your code so far. It is helpful if you use the code tool, </>, in the toolbar, when pasting code.

MULTI_SZ can be tricky, with the strings being Zero Separated.
You might give this a try to separate the strings in relevance

q: substrings separated by "%00" of (it as string) of value "PagingFiles" of key "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of native registry
A: ?:\pagefile.sys
A: 
A: 

And if you want to drop the nulls:

q: substrings separated by "%00" whose (it != "") of (it as string) of value "PagingFiles" of key "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" of native registry
A: ?:\pagefile.sys

I only have one page file on my system and so only one result here to test with.

If the above does not solve it for you, could you send a shot of your registry?

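The following is an added example (not code from this thread or from BigFix) that models what the two replies above describe: how a REG_MULTI_SZ value is stored, why `(it as string)` shows it as `value1%00value2%00%00`, and why splitting on `%00` yields blank trailing answers until the `whose (it != "")` filter is applied. The page-file entries in the sample are constructed.

```python
# Added example; not code from the forum thread or from BigFix.
# Models the REG_MULTI_SZ storage format and the "%00" rendering the thread describes.
from typing import List

NUL = "\0"


def encode_multi_sz(values: List[str]) -> bytes:
    """Build raw REG_MULTI_SZ bytes: UTF-16LE, each string NUL-terminated,
    then one extra NUL that closes the list (hence the double NUL at the end)."""
    return ("".join(v + NUL for v in values) + NUL).encode("utf-16-le")


def as_relevance_string(raw: bytes) -> str:
    """Render the blob the way the thread says relevance does:
    every embedded NUL appears as the literal text "%00"."""
    return raw.decode("utf-16-le").replace(NUL, "%00")


def split_relevance(text: str) -> List[str]:
    """Equivalent of 'substrings separated by "%00"': the two terminating NULs
    produce two trailing empty strings, which is why the reply above shows blank A: lines."""
    return text.split("%00")


def split_relevance_nonempty(text: str) -> List[str]:
    """Same split with 'whose (it != "")' applied: only the real entries remain."""
    return [s for s in text.split("%00") if s != ""]


if __name__ == "__main__":
    # Constructed sample: two page files in the PagingFiles layout ("path initial max").
    sample = encode_multi_sz([r"C:\pagefile.sys 1024 2048", r"D:\pagefile.sys 1024 2048"])
    rendered = as_relevance_string(sample)
    print(rendered)                           # C:\pagefile.sys 1024 2048%00D:\pagefile.sys 1024 2048%00%00
    print(split_relevance(rendered))          # two entries followed by two empty strings
    print(split_relevance_nonempty(rendered)) # just the two page-file entries
```
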
Thank you for the reply. Yeah, no kidding REG_MULTI_SZ is tricky. I tried both of your suggestions and for each, I just get .

My registry looks like this:

We had an improper template get deployed to many VMs, so I was hoping to use an analysis to locate what needs to be addressed. I have another use case for HKLM\SYSTEM\CurrentControlSet\Control\Session Manager with key BootExecute REG_MULTI_SZ. That one will likely be even more complicated as there are many more values in that string.

Thanks!
Joe

I have a machine with 2 drives so was able to set a page file for each to validate @brolly33's relevance, and it's returned the data ok for me.

Ok, same result. Now attempting Fixlet Debugger. First time I’ve ever launched that. When I enter that into the QnA and try the various evaluate methods, I’m not getting any answers. Just shows Evaluation Time 0.000 ms.

Thanks,
Joe

Ah, I see you need Q: . And bummer. I was able to query my local machine, but using API, not what I want.
E: API Request Failed: The current license does not allow the usage of BigFix Query

Hey @joe_cool!

I took a look at this Analysis (https://bigfix.me/analysis/details/2994592), and then applied some concatenation to it, and it's looking pretty good.

(concatenations ", " whose(it != "") of string values of selects "InitialSize from Win32_PageFileSetting" of wmi)

Thanks @BelGareth. These results look good.

Thanks,
Joe