I’ve been reading and trying to get some relevance code to work to see if a particular registry value exists in HKCU. Here’s what I last tried, but I still can’t get it to work. Anyone know what I’m doing wrong? Thanks
(name of operating system = "Win2000" OR name of operating system = "WinXP" OR name of operating system = "WinXP-2003" OR name of operating system = "WinXPe" OR (name of it = "WinVista" and product type of it = nt workstation product type) of operating system OR name of operating system = "Win7")
AND (exists value "DisablePersonalDirChange" of key ("HKEY_USERS" & (string value of select (("SID from win32_useraccount where NAME='" & item 1 of it & "' and DOMAIN='" & item 0 of it & "'") of (preceding text of first "\" of it, following text of first "\" of it) of (string values of selects "UserName from win32_computersystem" of it)) of wmi) & "\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer") of native registry) AND (exists ((string values of selects "UserName from Win32_ComputerSystem" of wmi)) whose (item 0 of it = item 1 of it))
value "disablepersonaldirchange" of key "software\microsoft\windows\currentversion\policies\explorer" of current user keys (logged on users) of registry
Ben, the problem I’m having is that I’ve gotten what you have written to work in my analysis to pull the values of that value name, but I’m also trying to eliminate the machines that don’t have it from the list, so in the relevance tab I’m using
exists value "DisablePersonalDirChange" of key ("HKU" & (component string of sid of security account (name of current user)) & "\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer") of registry
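An added PowerShell cross-check, not part of the original thread and not BigFix code: it performs the same lookup the relevance above attempts (console user from Win32_ComputerSystem, translated to a SID, then the value under HKEY_USERS\<SID>), so the result on an endpoint can be compared with what the relevance returns. The function names Get-ConsoleUserSid and Test-UserPolicyValue are hypothetical, and the script assumes PowerShell 3.0 or later with .NET 4.

```powershell
# Added example: test for a per-user policy value of the console user,
# even when the script itself runs under another account such as SYSTEM.
$SubKey    = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'DisablePersonalDirChange'

function Get-ConsoleUserSid {
    # Win32_ComputerSystem.UserName is DOMAIN\user for the console session,
    # or $null when nobody is logged on at the console.
    $userName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ([string]::IsNullOrEmpty($userName)) { return $null }
    try {
        $account = New-Object System.Security.Principal.NTAccount($userName)
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # account name could not be resolved to a SID
    }
}

function Test-UserPolicyValue {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$ValueName
    )
    # HKEY_USERS\<SID> is the loaded hive behind that user's HKCU.
    $users = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::Users,
        [Microsoft.Win32.RegistryView]::Default)
    try {
        $key = $users.OpenSubKey("$Sid\$SubKey")
        if ($null -eq $key) { return $false }   # key absent or hive not loaded
        try {
            # -contains compares case-insensitively, as registry value names do
            return ($key.GetValueNames() -contains $ValueName)
        } finally { $key.Dispose() }
    } finally { $users.Dispose() }
}

$sid = Get-ConsoleUserSid
if ($null -eq $sid) {
    Write-Output 'No console user logged on; nothing to check.'
} else {
    $present = Test-UserPolicyValue -Sid $sid -SubKey $SubKey -ValueName $ValueName
    Write-Output ("{0}: {1} present = {2}" -f $sid, $ValueName, $present)
}
```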