Checking for reg key in HKCU problem

(imported topic written by Kenz91)

I’ve been reading and trying to get some relevance code to work to see if a particular registry value exsists in HKCU. Here’s what I lst tried but I still can’t get it to work. Anyone know what I’m doing wrong? Thanks

(name of operating system = “Win2000” OR name of operating system = “WinXP” OR name of operating system = “WinXP-2003” OR name of operating system = “WinXPe” OR (name of it = “WinVista” and product type of it = nt workstation product type) of operating system OR name of operating system = “Win7”)

AND (exists value “DisablePersonalDirChange” of key (“HKEY_USERS” & (string value of select ((“SID from win32_useraccount where NAME=’” & item 1 of it & “’ and DOMAIN=’” & item 0 of it & “’”) of (preceding text of first “” of it, following text of first “” of it) of (string values of selects “UserName from win32_computersystem” of it)) of wmi) & “\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer”) of native registry) AND (exists ((string values of selects “UserName from Win32_ComputerSystem” of wmi)) whose (item 0 of it = item 1 of it))

(imported comment written by BenKus)

Which key are you trying to look up?

Ben

(imported comment written by Kenz91)

hkcu\software\microsoft\windows\currentversion\policies\explorer\disablepersonaldirchange

It’s a value

(imported comment written by BenKus)

How about this:

value “disablepersonaldirchange” of key “software\microsoft\windows\currentversion\policies\explorer” of current user keys (logged on users) of registry

Ben

(imported comment written by Kenz91)

Ben the problem I’m having is I’ve gotten what you have written to work in my analysis to pull the values of that value name but I’m also trying to eliminate the machines that don’t have it from the list so in the relevance tab I’m using

exsists value “DisablePersonalDirChange” of key (“HKU” & (component string of sid of security account (name of current user)) & “\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer”) of registry

I get 0 applicable machines when I use this.

(imported comment written by Kenz91)

Doh! Never mind “EXSISTS”