I’m querying Windows systems for unquoted path strings in a certain registry location.
The query I’m using is
q: values "ImagePath" whose (it as string as lowercase contains "C:" as lowercase) of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of ( x64 registries; x32 registries )
I’d like to return only results that aren’t in quotes. For instance, the above query returns
A: "C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe"%00
A: C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe%00
And I’d like to only return the second line or any line that does not start with a double quote. I imagine it’s a simple thing but I haven’t been able to find an example that I can alter to fit so far.
How about
values "ImagePath" whose (it as string as lowercase contains "C:\" as lowercase and it as string does not start with "%22") of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of registry
HKLM\SYSTEM does not have a 32-bit redirection, so you don’t have to check both x32 and x64 registries. As far as I recall, that only comes into play when looking at HKLM\Software and maybe HKEY_CLASSES_ROOT.
Jason - That works great. Thanks so much!
Glad it helps.
If it’s not clear, looking for “%22” is checking for the double quote character. This is called “percent-encoding”. Based on the ASCII table (http://www.asciitable.com/), hexadecimal character 22 is the double quote symbol.
Some other common percent-encodings we’d use are “%25” for the percent character (%), and “%0d%0a” to check for the combination of “Carriage Return” and “Line Feed”, the end-of-line marker for DOS / Windows text files. Percent-encodings are always represented by a percent sign followed by 2 hexadecimal characters. In representing website URLs we often also use “%20” to represent a space character in filenames.
Once again, thanks Jason. The information you’ve provided has been very useful.
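An added example, not code from either poster: post-processing answers like the ones above in Python, decoding the percent-encoding and going one step beyond the thread's filter by keeping only unquoted values whose executable path contains a space. The sample answers are constructed, and the function names and the `.exe` heuristic for splitting off arguments are assumptions.

```python
import re

# Constructed sample answers, in the "A: ...%00" form shown in the thread.
SAMPLE_ANSWERS = [
    r'A: "C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe"%00',
    r'A: C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe%00',
    r'A: C:\Windows\system32\svchost.exe -k netsvcs%00',
    r'A: C:\Tools\Agent 100%25\agent.exe --run%00',
]

def percent_decode(text):
    """Replace each %XX (two hex digits) with the character it encodes."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

def clean(answer):
    """Strip the 'A: ' prefix, decode, and drop the trailing NUL (%00)."""
    value = answer[3:] if answer.startswith("A: ") else answer
    return percent_decode(value).rstrip("\x00").strip()

def executable_part(image_path):
    """Path up to the first '.exe', dropping arguments (assumed heuristic)."""
    match = re.match(r"(.+?\.exe)(?=\s|$)", image_path, re.IGNORECASE)
    return match.group(1) if match else image_path

def needs_quoting(answer):
    """True when the ImagePath is unquoted and its executable path has a space."""
    value = clean(answer)
    if value.startswith('"'):  # the same test as 'does not start with "%22"'
        return False
    return " " in executable_part(value)

def unquoted_paths(answers):
    """Decoded ImagePath values that should be wrapped in double quotes."""
    return [clean(a) for a in answers if needs_quoting(a)]

if __name__ == "__main__":
    for path in unquoted_paths(SAMPLE_ANSWERS):
        print(path)
```

The svchost entry is unquoted but is not reported, because its executable path contains no space and is therefore unambiguous.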