How to write relevancy for an expandable string value that ends in %00

system · July 2, 2010, 1:01am

I’m trying to write a relevancy which looks for a particular expandable string value registry entry (REG_EXPAND_SZ). When I call for the value of in qna it reports as “xxC2CPRD1%00” using this : value “servername” of key “HKEY_LOCAL_MACHINE\SOFTWARE\AgentX” of registry as string. When I physically look at it in the registry it’s listed as “xxC2CPRD1”.

I’ve tried :

(name of operating system = “WinXP”) AND (value “servername” of key “HKEY_LOCAL_MACHINE\SOFTWARE\AgentX” of registry = “xxC2CPRD1”) OR (value “servername” of key “HKEY_LOCAL_MACHINE\SOFTWARE\AgentX” of registry = “xxC2CPRD1%00”) and no results come back. Any suggestions? Thank you!

leewei · July 2, 2010, 4:02am

(imported comment written by Lee Wei)

Registry Key Value that you are returning is actually an object and not of string data type.

An expanded string type is the registry is indeed null terminated.

I would try:

(name of operating system = “WinXP”) AND (value “servername” of key “HKEY_LOCAL_MACHINE\SOFTWARE\AgentX” of registry as string = “xxC2CPRD1%00”)

system · July 2, 2010, 5:57pm

(imported comment written by DotA)

Thank you so much, I knew someone on this forum would have the answer!! It works beautifully now.