Last Write Time of Key

(imported topic written by Kvetch91)

I am trying to write an analysis that only spits out the values of the usbstor key if the last write time of that key is <86400*second from current time or last report time, but I keep getting errors. There are multiple posts that just write out the usbstor key and their associated last write time, but I would like to only have it list the values if it has been modified since it was last run. Would anyone know if there is a way to do this? I have been trying stuff like

if ((now - last write time of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" of registry) < 86400 * second) then …)

Is there a way I can write the query to say something like

If last write time of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR” is less than last run or reported time or, if that isn’t possible, less than 24 hours, then dump the values of the subkeys?

Thanks

(imported comment written by NoahSalzman)

You mean something like this:

q: if ((now - last write time of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB" of registry) > 86400 * second) then names of keys of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB" of registry else "foo"
A: ROOT_HUB
A: ROOT_HUB20
A: VID_0E0F&PID_0002
A: VID_0E0F&PID_0003
A: VID_0E0F&PID_0003&MI_00
A: VID_0E0F&PID_0003&MI_01
T: 0.386 ms

Note that I reversed the > and changed USBSTOR to make it work on my test box.

Note that with an if statement, the value returned after THEN must be the same “type” as the value returned after ELSE. So, when dealing with registry keys, you have to make certain you return a text type if your ELSE is going to be text (as above).
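
The same 24-hour check outside of relevance, as an added example in Python (not code from this thread or from BigFix): it reads last write times through the standard `winreg` module and checks USBSTOR plus two levels of subkeys, because a key's timestamp does not change when only a deeper descendant is written. The function names and the two-level depth are assumptions of this example.

```python
"""List registry keys under USBSTOR written within the last 24 hours."""
import datetime as dt

try:
    import winreg  # Windows only; the pure helpers below run anywhere
except ImportError:
    winreg = None

USBSTOR = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"
FILETIME_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)


def filetime_to_utc(ft):
    """QueryInfoKey reports last write as 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + dt.timedelta(microseconds=ft // 10)


def recent(entries, now, window=dt.timedelta(seconds=86400)):
    """Keep (path, last_write) for entries written less than `window` ago."""
    stamped = ((path, filetime_to_utc(ft)) for path, ft in entries)
    return [(path, when) for path, when in stamped if now - when < window]


def walk(root, path, depth=2):
    """Yield (path, filetime) for `path` and `depth` levels of subkeys."""
    with winreg.OpenKey(root, path) as key:
        n_subkeys, _n_values, ft = winreg.QueryInfoKey(key)
        names = [winreg.EnumKey(key, i) for i in range(n_subkeys)] if depth else []
    yield path, ft
    for name in names:
        yield from walk(root, path + "\\" + name, depth - 1)


if __name__ == "__main__" and winreg:
    now = dt.datetime.now(dt.timezone.utc)
    try:
        hits = recent(walk(winreg.HKEY_LOCAL_MACHINE, USBSTOR), now)
    except FileNotFoundError:
        hits = []  # USBSTOR key is absent on this machine
    for path, when in hits:
        print(when.isoformat(), path)
```

An empty result means nothing under USBSTOR was written inside the window, so no placeholder value is needed for the "else" case.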