How to find a value within multiple registry keys

(imported topic written by J@BCBSSC)

First, let me say that I am extremely new to writing Fixlets and this is my first real shot at writing relevance.

I’m trying to find the following:

((it mod 2048) - (it mod 1024)) of (value "State" of key "HKU*\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of registry as integer) != 0

Please take careful note of “HKU*”. Obviously, the * doesn’t work, but that’s effectively what I need. I can put a static string in there such as “.DEFAULT” or “S-1-5-19” and it works just fine. However, I can’t possibly know all the people who have logged into the machine, so I can’t just manually list all the possible SIDs.

I started going this direction:

(names of keys of key "HKU" of registry) whose (it does not end with "Classes")

Which gives me an object of type “plural string” with the SID part of the key (basically the wildcard filler), but then I would need to prepend “HKU” and append “\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing” to the results. I have no idea how to do that to every element in a plural string. Even then, were I able to do that, I would have to find a way to actually look at all the key values, and… well… you can see how complicated it gets very quickly.

If someone could either point me in a better direction or push me further down the path I’ve chosen, I would be grateful.

  • J

(imported comment written by jgstew)

values "State" of keys "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of keys of key "HKEY_USERS" of registry

values "State" whose ((it mod 2048 - it mod 1024) != 0) of keys "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of keys of key "HKEY_USERS" of registry

(imported comment written by J@BCBSSC)

This will not work because you are ignoring the wildcard (*) instead of dealing with it. Pretending it doesn’t exist does not solve the problem.

(imported comment written by jgstew)

My solution should work. I am not ignoring the wild card.

This will return all User hives:

keys of key "HKEY_USERS" of registry

(imported comment written by J@BCBSSC)

I found the answer elsewhere. Apparently it’s a lot more complicated than anyone thought. The worst part is that almost all of the key operations used here do not exist in any documentation that IBM provides for this product.

not exists 1 whose ((conjunction of (item 0 of it = item 1 of it) of (number of current user keys (logged on users) of it, number of values "State" whose ((it as integer) of ((it as bit set) of (it as integer) of concatenation of (if it ends with "%00%00" then preceding text of last "%00%00" of it else if it ends with "%00" then preceding text of last "%00" of it else it) of (it as string) of it
(it as bit set) of (("1024") as integer))
(("1024") as integer)) of keys "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of current user keys (logged on users) of it) of (if x64 of operating system then (x32 registry; x64 registry) else x32 registry))
and
(conjunction of (item 0 of it = item 1 of it) of (number of current user keys (logged on users) of it, number of values "State" whose ((it as integer) of ((it as bit set) of (it as integer) of concatenation of (if it ends with "%00%00" then preceding text of last "%00%00" of it else if it ends with "%00" then preceding text of last "%00" of it else it) of (it as string) of it
(it as bit set) of (("2048") as integer))
(("2048") as integer)) of keys "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of current user keys (logged on users) of it) of (if x64 of operating system then (x32 registry; x64 registry) else x32 registry))

(imported comment written by jgstew)

That is too complicated, you need to try this:

values "State" of keys "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" of keys of key "HKEY_USERS" of registry

(imported comment written by jgstew)

Can you explain this part:

((it mod 2048) - (it mod 1024))

Assuming you can get the “State” value, what is it that you are doing to this value?
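
For cross-checking relevance results on a single endpoint, here is an added PowerShell example (not part of the original thread) that walks every hive under HKEY_USERS and tests the same bit. For a non-negative value, ((it mod 2048) - (it mod 1024)) is 1024 when bit 10 is set and 0 otherwise, so the test is a bitwise AND with 1024. The function name Test-StateBit and the variable names are illustrative.

```powershell
# Added example: report bit 10 (value 1024) of "State" for each hive loaded under HKEY_USERS.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$mask   = 0x400   # 1024

function Test-StateBit {
    param([long]$Value, [long]$Mask = 0x400)
    # Equivalent to ((Value mod 2048) - (Value mod 1024)) != 0, written as a bitwise AND.
    return (($Value -band $Mask) -ne 0)
}

$results = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    # Skip the "..._Classes" hives, as the original post does.
    if ($hive.PSChildName -like '*_Classes') { continue }

    # $hive.Name looks like HKEY_USERS\<SID>; append the fixed sub-key path.
    $path = "Registry::$($hive.Name)\$subKey"
    $item = Get-ItemProperty -LiteralPath $path -Name 'State' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Key or value missing in this hive: report it instead of dropping the hive silently.
        [pscustomobject]@{ Hive = $hive.PSChildName; State = $null; Bit1024Set = $null }
        continue
    }

    $state = [long]$item.State
    [pscustomobject]@{
        Hive       = $hive.PSChildName
        State      = ('0x{0:X}' -f $state)
        Bit1024Set = Test-StateBit -Value $state -Mask $mask
    }
}

$results | Format-Table -AutoSize
```

HKEY_USERS only contains hives that are currently loaded, so profiles of users who are not logged on do not appear in this output or in any expression that enumerates the keys of HKEY_USERS.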