I'm looking for a series of strings in a registry key

GiorgioM · December 20, 2023, 7:06am

I need to check whether the last user who used a PC is part of a list of specific users. I created a relevance using the “set of” but it doesn’t work for me.
In the registry key I have the following value:

Q: (value “LastLoggedOnUser” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI” of (x32 registry; x64 registry) as string as lowercase)
A: mydom\giorgio

I need to create a relevance that checks whether the content of the key contains one of the following values: “giorgio” or “stefano” or “paolo”.

The relevance I created is the following but it always comes back to me as false even if “giorgio” is in the registry key:

Q: (exists true whose (if true then (set of (“giorgio”;“stefano”;“paolo”) contains (value “LastLoggedOnUser” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI” of (x32 registry; x64 registry) as string as lowercase)) else false))
A: False

Can anyone help me?
Thank you
Giorgio

vk.khurava · December 20, 2023, 7:34am

Try this -

exists value "LastLoggedOnUser" whose (it as string as lowercase contains "giorgio" as lowercase OR it as string as lowercase contains "stefano" as lowercase OR it as string as lowercase contains "paolo" as lowercase) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of (x32 registry; x64 registry)

GiorgioM · December 20, 2023, 8:38am

Hi khuvara,
Thanks for the advice it works.
But how could I do it using the “set of” ?
The reason is that the relevance would be more readable because the list of users I have to check is long so it would be more convenient to have the:
set of (“one”;“two”;“three”;…;“ten”)

ageorgiev · December 20, 2023, 10:10am

You should be able to do something like:

exists ((it as string) of value "LastLoggedOnUser" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of (x32 registry; x64 registry), set of (“one”;“two”;“three”;…;“ten”)) whose (item 0 of it is contained by item 1 of it)

GiorgioM · December 20, 2023, 11:02am

Hi Ageorgiev,

Thank you very much.
I made a few more changes to what you suggested. The correct relevance is as follows:

exists (((it) of (following text of first “\” of (value “LastLoggedOnUser” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI” of (x32 registry; x64 registry) as string as lowercase)), set of (“one”;“two”;“three”;“ten”))) whose (item 0 of it is contained by item 1 of it)

Thank you all

Giorgio