I understand that BigFix already provides a User Name property OOB, but it isn’t reliable and I’d like to try an alternative.
I am able to pull the username from Windows Registry using the following relevance, but it returns DOMAIN\username. I can work with this if needed, but would like to pull only the “username” part.
values "LastLoggedOnDisplayName" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of (if x64 of operating system then (x64 registry;x32 registry) else registry)
I have been researching and trying different things with Regex in relevance, but the best I can come up with so far is below. This leaves the "\".
Q: matches (regex "\\.*") of "DOMAIN\username"
A: \username
T: 2994
I would like to combine the regex and registry username relevance to pull only the “username” portion (e.g. remove “DOMAIN\”). I have tried combining the above relevance statements on my own and I keep getting “the operator is not defined.” The changes depending on how I write the code. Please let me know if this is possible and/or provide your suggestions. Any guidance would be greatly appreciated.
Hi @casmxg, you can use parenthesized parts as in this example:
Q: parenthesized parts of matches (regex "\\(.*)") of "DOMAIN\username"
A: username
T: 0.074 ms
I: plural substring
Therefore you can combine them like the following example (had to use “LastLoggedOnSAMUser” below in my example):
parenthesized parts of matches (regex "\\(.*)") of (it as string) of values "LastLoggedOnSAMUser" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of (if x64 of operating system then (x64 registry;x32 registry) else registry)
Note you can do this without a regex, 'following text of first "\"' is more efficient than a regex match.
Also there are some other values you might want to consider from this same key; the “Display Name” may have a friendly-name instead of a user account name (mine is set up that way). You might check on ‘LastLoggedOnUser’ or ‘LastLoggedOnSAMUser’ depending on your needs:
q: (name of it, it, following text of first "\" of (it as string) | it as string) of values ("LastLoggedOnDisplayName";"LastLoggedOnUser";"LastLoggedOnSAMUser") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of (x64 registries; x32 registries)
A: LastLoggedOnDisplayName, Jason Walker, Jason Walker
A: LastLoggedOnUser, MYDOMAIN\jason.walker, jason.walker
A: LastLoggedOnSAMUser, MYDOMAIN\jason.walker, jason.walker