Displaying multiple values from a registry key

Good day, I use this statement below to display the value inside that key.

(values "DependOnService" of it) of keys "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation" of native registry as string

It works well but if the value of that key contains this format as shown below (each line):

Bowser
MRxSmb20
NSI

The analysis only returns the first line, called “Bowser”. How do I make it display all 3 lines in the analysis output? Please advise. Thanks.


I’m away from a console at the moment but I think there’s probably something helpful in our in-box Fixlets for SMB at Disabling smbv1 using BigFix fixlet

Thanks Jason for the comments. I am aware of how to set it using this command in the fixlet. However, I need to see the end results from the analysis to ensure 3 values are displayed. Since these values are created on separate lines, it only returns the first line.

waithidden "{pathname of system folder}\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation" /v DependOnService /t REG_MULTI_SZ /d Bowser\0MRxSmb20\0NSI /f

Viewing this in the Fixlet Debugger you can see how the string is built, and then split it. REG_MULTI_SZ values are delimited by the null character ("%00") and terminated by two null characters ("%00%00").

q: (values "DependOnService" of it) of keys "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation" of native registry
A: Bowser%00MRxSmb20%00NSI%00%00
I: plural registry key value

There are a few keys that changed from REG_SZ to REG_MULTI_SZ or to REG_EXPAND_SZ depending on Windows version. This isn’t one of them, as far as I know ‘DependOnService’ has always been a REG_MULTI_SZ, but I like this general form for checking the type and iterating it…

q: (if type of it = "REG_MULTI_SZ" then substrings separated by "%00" of preceding texts of lasts "%00%00" of (it as string) else (it as string)) of values "DependOnService" of keys "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation" of native registry
A: Bowser
A: MRxSmb20
A: NSI
I: plural string
3 Likes

Thanks Jason,

If I use this one below, it reports only Bowser even though the result is “Bowser%00MRxSmb20%00NSI%00%00”, due to the “20%” sign inside the string.

q: (values "DependOnService" of it) of keys "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation" of native registry
A: Bowser%00MRxSmb20%00NSI%00%00
I: plural registry key value

===========

If I use this second one below, it reports “Multiple results” as expected, which is great. The only time I see all results is when I put the cursor over it. See screenshot provided. Is there a way to present all results in a single output instead of reporting “multiple results”?

q: (if type of it = "REG_MULTI_SZ" then substrings separated by "%00" of preceding texts of lasts "%00%00" of (it as string) else (it as string)) of values "DependOnService" of keys "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation" of native registry
A: Bowser
A: MRxSmb20
A: NSI
I: plural string


You could concatenate them into a single result

q: concatenation ";" of (if type of it = "REG_MULTI_SZ" then substrings separated by "%00" of preceding texts of lasts "%00%00" of (it as string) else (it as string)) of values "DependOnService" of keys "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation" of native registry

(You’ll need to fix all the doublequotes to “normal quotes” though, I’m typing on my phone right now)

1 Like
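The REG_MULTI_SZ layout discussed in this thread, as an added Python example that is not from the thread or from BigFix: it decodes the `%xx` string form, splits on NUL up to the empty-string terminator, joins the items with ";" and compares them with the list written by the reg.exe command above. The function names and the second sample value are constructed for illustration.

```python
import re

# The string form shown in the Fixlet Debugger answer on this page.
PAGE_VALUE = "Bowser%00MRxSmb20%00NSI%00%00"
# Constructed sample with one extra dependency, for the mismatch case.
CONSTRUCTED_EXTRA = "Bowser%00MRxSmb10%00MRxSmb20%00NSI%00%00"
# Expected list, taken from the reg.exe command on this page.
EXPECTED = ["Bowser", "MRxSmb20", "NSI"]


def decode_percent(text):
    """Turn each %xx escape (percent + two hex digits) into its character."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def split_multi_sz(decoded):
    """Split NUL-delimited text; the first empty string is the terminator."""
    items = []
    for part in decoded.split("\x00"):
        if part == "":
            break  # reached the double-NUL end marker (or empty data)
        items.append(part)
    return items


def parse_raw(data):
    """Parse raw REG_MULTI_SZ bytes as stored in the registry (UTF-16LE)."""
    return split_multi_sz(data.decode("utf-16-le"))


def audit(value, expected=EXPECTED):
    """Return (joined, missing, extra) for a percent-encoded value string."""
    items = split_multi_sz(decode_percent(value))
    # Service names are compared case-insensitively.
    have = {i.casefold() for i in items}
    want = {e.casefold() for e in expected}
    missing = [e for e in expected if e.casefold() not in have]
    extra = [i for i in items if i.casefold() not in want]
    return ";".join(items), missing, extra


if __name__ == "__main__":
    for sample in (PAGE_VALUE, CONSTRUCTED_EXTRA):
        print(audit(sample))
```
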

Jason, thank you! I was looking for a good way to handle this with multiple matches from a registry key search in an analysis. Works perfectly.

2 Likes