Analysis: Returning Value data of of a registry key value

system · August 6, 2010, 1:02am

(imported topic written by ken@gracenote91)

Tried figuring it out from the docs and forum… but I guess I am just thick…

What is the simples relevance language to show the value data from the following registry key value:

On my pc I have the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

…which has a value “GINADLL” (reg_sz)

… which has data of “ATGINAHOOK.DLL”

What is the relevance that I should put into “Add Property” when I create a new analysis. In this case, if the analysis was run against my pc it should just show “ATGINAHOOK.DLL”

TIA

Ken

system · August 7, 2010, 4:21am

(imported comment written by jessewk)

value “GINADLL” of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” of registry

system · August 7, 2010, 6:17am

(imported comment written by ken@gracenote91)

THANKS! I must of mistyped something cause I could have sworn I tried that!!!

Really appreciate your response

KEn

system · August 11, 2010, 10:56pm

(imported comment written by tscott91)

Any idea why this isn’t working?

value “(Default)” of key “HKEY_CLASSES_ROOT.pdf” of registry

If I use value “Content Type” of key “HKEY_CLASSES_ROOT.pdf” of registry it does but the “(Default)” is just another string value…

BenKus · August 12, 2010, 6:19am

(imported comment written by BenKus)

try:

default value of key “HKEY_CLASSES_ROOT.pdf” of registry

Ben

system · August 29, 2011, 11:56pm

(imported comment written by mmcgough91)

Ben Kus

try:

default value of key “HKEY_CLASSES_ROOT.pdf” of registry

Ben

That works well when the key path is explicit, but doesn’t work when using native registry

For example

default value of “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall{ED439A64-F018-4DD4-8BA5-328D85AB09AB}” of registry

works just fine, but if I remove Wow6432Node and use

default value of “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{ED439A64-F018-4DD4-8BA5-328D85AB09AB}” of native registry

doesn’t seem to work - am I getting the syntax wrong?

jeremylam · August 30, 2011, 12:12am

(imported comment written by jeremylam)

Native registry and registry evaluate to two different things on your 64 bit system. The key you want is in the 32-bit (WOW64) branch, but using native registry will evaluate to the 64-bit branch.

system · August 30, 2011, 12:54am

(imported comment written by mmcgough91)

Right - thanks!! This works on a 64-bit system:

default value of “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{ED439A64-F018-4DD4-8BA5-328D85AB09AB}” of registry