When I run this in debugger I get the correct results
names of values of key "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts" of registry
But of course, that will not work in analysis as it wouldn’t be looking at the currently logged in user…
I tried modifying the query based on another hkcu query I found here on the forum, but that relevance doesn’t seem to be working:
names of values of key "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts" of current user keys (logged on users) of registry
The agent’s running as local system, but the debugger is running as you. You need to use an action to use runascurrentuser.exe and an external script file to dump the key you want where local system can get to it.
That being said, how come we can query mapped drives in the registry for current user without running an action?
if (exists current user) then (if (exists key "Network" whose (exists key whose (exists value "RemotePath" of it) of it) of (current user keys (logged on users) of registry)) then (((name of it as string) & ": - " & (value "RemotePath" of it as string)) of keys of key "Network" of (current user keys (logged on users) of registry) as string) else "No Mapped Drives") else "No Current User"
^^ my issue is I haven’t been able to figure out how to re-write this to work for the printerports key because I need the name value and not the data value
if (exists current user) then (if (exists key "Network" whose (exists key whose (exists value "RemotePath" of it) of it) of (current user keys (logged on users) of registry)) then (((name of it as string) & ": - " & (value "RemotePath" of it as string)) of keys of key "Network" of (current user keys (logged on users) of registry) as string) else "No Mapped Drives") else "No Current User"
This is odd…when I try this, either from the QnA tester or as part of an analysis, I always see that there are no mapped drives, even when there are. Are you sure this is working for you? If so, what might I be doing wrong?
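Added example, not part of the thread and not code from any poster: a PowerShell sketch of why the HKEY_CURRENT_USER path returns different results for the agent (local system) than for the debugger, and how the same PrinterPorts value names can be read per loaded user hive under HKEY_USERS. The function name Get-UserPrinterPortNames and the output property names are hypothetical, chosen for illustration.

```powershell
# Added example (not from the thread). HKEY_CURRENT_USER is resolved for the
# calling account, so a process running as LocalSystem does not reach the
# logged-on user's PrinterPorts key through HKCU. Each loaded user profile is
# mounted under HKEY_USERS\<SID>, which LocalSystem can read directly.

function Get-UserPrinterPortNames {
    [CmdletBinding()]
    param(
        # Sub-key taken from the thread; relative to each user's hive root.
        [string]$SubKey = 'Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts'
    )

    # Keep only interactive user hives: skip .DEFAULT, the built-in service
    # SIDs (S-1-5-18/19/20) and the <SID>_Classes hives.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' }

    foreach ($hive in $hives) {
        $sid = $hive.PSChildName

        # Resolve the SID to DOMAIN\user; fall back to the raw SID if the
        # account can no longer be resolved (deleted or unreachable domain).
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        $key = Get-Item -LiteralPath "Registry::HKEY_USERS\$sid\$SubKey" -ErrorAction SilentlyContinue
        if ($null -eq $key) {
            # Hive is loaded but the user has no PrinterPorts key.
            [pscustomobject]@{ Account = $account; Sid = $sid; Printer = $null; Data = $null }
            continue
        }

        # The printer name is the value NAME; the port string is the value data.
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Account = $account
                Sid     = $sid
                Printer = $name
                Data    = $key.GetValue($name)
            }
        }
    }
}

Get-UserPrinterPortNames | Format-Table -AutoSize
```

Only hives that are currently loaded appear under HKEY_USERS, so users who are not logged on are not listed.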