I"ve created an analysis to show all the values in the Current User Run key:
concatenation";" of (values of key “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” of registry as string)
Problem is that some PCs are returning or blank in the analysis but when I run this query manually using QNA it returns the values in this key correctly.
You cannot query the “current user” key directly using relevance because relevance runs in the SYSTEM user context, not the CURRENT_USER context.
You can query ALL users combined run keys, like this:
(unique values of (it as string) of values whose(it as string as trimmed string != “”) of keys “Software\Microsoft\Windows\CurrentVersion\Run” of keys whose(exists key “Software\Microsoft\Windows\CurrentVersion\Run” of it) of key “HKEY_USERS” of registry)