Filtering Returned Registry Strings in Query

I’m querying Windows systems for unquoted path strings in a certain registry location.

The query I’m using is

q: values "ImagePath" whose (it as string as lowercase contains "C:" as lowercase) of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of ( x64 registries; x32 registries )

I’d like to return only results that aren’t in quotes. For instance, the above query returns

A: "C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe"%00
A: C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe%00

And I’d like to only return the second line or any line that does not start with a double quote. I imagine it’s a simple thing but I haven’t been able to find an example that I can alter to fit so far.

How about

values "ImagePath" whose (it as string as lowercase contains "C:\" as lowercase and it as string does not start with "%22") of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of registry

HKLM\SYSTEM does not have a 32-bit redirection, so you don’t have to check both x32 and x64 registries. As far as I recall, that only comes into play when looking at HKLM\Software and maybe HKEY_CLASSES_ROOT.

Jason - That works great. Thanks so much!

Glad it helps.

If it’s not clear, looking for “%22” is checking for the double-quote character. This is called “percent-encoding”. Based on the ASCII table (http://www.asciitable.com/), hexadecimal character 22 is the double-quote symbol.

Some other common percent-encodings we’d use are “%25” for the percent character (%), and “%0d%0a” to check for the combination of “Carriage Return” and “Line Feed”, the end-of-line marker for DOS / Windows text files. Percent-encodings are always represented by a percent sign followed by 2 hexadecimal characters. In representing website URLs we often also use “%20” to represent a space character in filenames.

Once again, thanks Jason. The information you’ve provided has been very useful.
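
The filter from this thread, carried one step further in Python as an added example that is not from any of the posters: it decodes the percent-encodings in the returned strings and keeps only unquoted values whose executable path contains a space, on any drive letter rather than only C:. The function names, the extension list and the sample values beyond the two quoted in the question are assumptions.

```python
import re

# Extensions treated as the end of the executable part (assumed list).
EXE_END = re.compile(r"\.(exe|sys|dll|bat|cmd|com)(?=\s|$)", re.IGNORECASE)
PERCENT = re.compile(r"%([0-9A-Fa-f]{2})")   # percent sign + 2 hex digits
DRIVE = re.compile(r"^[A-Za-z]:\\")


def decode_percent(text):
    """Turn %22, %00, %25 ... back into the characters they stand for."""
    return PERCENT.sub(lambda m: chr(int(m.group(1), 16)), text)


def needs_quoting(raw_value):
    """True for an unquoted ImagePath whose executable path contains a space."""
    value = decode_percent(raw_value).rstrip("\x00").strip()
    if value.startswith('"'):        # same test as: does not start with "%22"
        return False
    if not DRIVE.match(value):       # \SystemRoot\... and relative driver paths
        return False
    end = EXE_END.search(value)
    # Without a recognised extension the whole value is checked, which can
    # flag a space that belongs to the arguments (conservative by design).
    exe_path = value[:end.end()] if end else value
    return " " in exe_path


def audit(raw_values):
    """Return the decoded values that should be wrapped in double quotes."""
    return [decode_percent(v).rstrip("\x00") for v in raw_values
            if needs_quoting(v)]


# Constructed sample: the first two lines are the results quoted in the
# question, the rest are made up to exercise the other branches.
SAMPLE = [
    r'"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe"%00',
    r'C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe%00',
    r'C:\Windows\system32\svchost.exe -k netsvcs%00',
    r'%22C:\Program Files\Vendor\agent.exe%22 --service%00',
    r'\SystemRoot\System32\drivers\example.sys%00',
]

if __name__ == "__main__":
    for path in audit(SAMPLE):
        print("unquoted, contains a space:", path)
```

Of the five sample values only the Brother entry is reported; the svchost line is unquoted but has no space in its executable path, so it needs no change.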