Exclude results from multiple registry values

(imported topic written by SecurityMG)

I am trying to exclude several values from a Run Key query. This query works great (other than duplicates)

(Names of values of it, values of it, last write times of it) of keys whose (it as string does not contain " or ) of key "HKLM\software\microsoft\windows\currentversion\Run" of native registry

Results look like this:

A: Program1, C:%AppData%\Local\Temp\program1.exe, ( Wed, 29 May 2013 12:49:54 -0500 )

A: Program2, C:\ProgramData\PGM\program2.exe, ( Wed, 29 May 2013 12:49:54 -0500 )

A: Program3, C:\Program Files\PGM\program3.exe, ( Wed, 29 May 2013 12:49:54 -0500 )

I don’t care which to filter off, but values would be best for Web Reports as the “:” is a great filter of results for “contains :”

If program1 and program2 are good and excluded, the results should only show program3.exe

Anyone have any ideas?

not had any luck with - of keys whose (names of values of it !="program1") of key …

Thanks,

MG

(imported comment written by BrianPGreen)

I’m not totally sure what you want, but it seems like you want to filter based on the “names of values of it” part of the relevance. In that case, does something like this work?

(Names whose ( it does not contain "Program1" ) of values of it, values of it, last write times of it) of keys whose of key "HKLM\software\microsoft\windows\currentversion\Run" of native registry

(imported comment written by SecurityMG)

It is not working in QnA

And a typo…should be name of values of it,…

(Names whose (it does not contain "Test") of names of values of it, values of it, last write times of it) of keys whose of key "HKLM\software\microsoft\windows\currentversion\Run" of native registry

and whose of key is not right…

nor

(Names whose (it does not contain "Test") of names of values of it, values of it, last write times of it) of key "HKLM\software\microsoft\windows\currentversion\Run" of native registry

This works:

(names of values of it, values of it, last write times of it) of it of key "HKLM\software\microsoft\windows\currentversion\Run" of registry

But not this:

((Names whose (it does not contain "Test")) of (names of values of it, values of it, last write times of it) of it) of key "HKLM\software\microsoft\windows\currentversion\Run" of registry

(imported comment written by BrianPGreen)

Sorry, I meant to type:

(names whose ( it does not contain "Program1" ) of values of it, values of it, last write times of it) of keys of key "HKLM\software\microsoft\windows\currentversion\Run" of native registry

Does that work?

(imported comment written by SecurityMG)

All that comes up is TRUE, so no, it does not work, and that is why I think there is a bug, as like you I thought this would work. On other keys I am getting several duplicates.

Also - This would work for subkeys, not the Run or RunOnce Key as there are no ‘Keys of Key’ - And you get duplicates.

But this worked

(names whose ( it does not contain "Program1" ) of values of it, values of it, last write times of it) of key "HKLM\software\microsoft\windows\currentversion\run" of registry

MG