This relevance isn’t correct.
Also, exists already does a true/false result, so you don’t need to wrap it in IF/THEN.
exists (name of it ends with "bak") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of (native registry; x32 registry)
This is closer, but still not correct. This relevance will always return TRUE because it is missing some elements.
(name of it ends with "bak") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of (native registry; x32 registry)
This relevance will always be FALSE because it is basically asking, does the string ProfileList end with bak, which it doesn’t.
Putting exists in front of it actually causes it to always return TRUE because exists FALSE is true, which is counterintuitive, but actually useful in some cases.
What you really want is a whose clause.
exists it whose(name of it ends with "bak") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of (native registry; x32 registry)
This will always return FALSE because it will never exist because it will always be filtered out by the whose clause.
I haven’t actually looked at the documentation to figure out how the relevance should be written, but I’d guess this is what you actually want:
exists keys whose(name of it ends with "bak") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of (native registry; x32 registry)
This would be true if any of the subkeys of ProfileList end in bak.
I’d need to know a full registry path of what you are trying to detect that will end in bak to tell what the correct location to examine with relevance is. Screenshots with any user specifics obscured would be useful, but I just looked at the link you provided and the above relevance seems correct.
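
An independent cross-check for the endpoint itself, added here as an example and not part of the original post: this PowerShell lists the ProfileList subkeys whose name ends in bak in both the 64-bit and 32-bit registry views, so the result of the relevance can be compared against what is actually in the registry. The variable names and the case-insensitive match are choices of this example.

```powershell
# Added example (not from the original post): enumerate ProfileList subkeys
# ending in "bak" in both registry views, corresponding to
# "(native registry; x32 registry)" in the relevance above.
$path  = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$views = [Microsoft.Win32.RegistryView]::Registry64,
         [Microsoft.Win32.RegistryView]::Registry32

$found = foreach ($view in $views) {
    # On a 32-bit OS, asking for the 64-bit view returns the 32-bit view.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    try {
        $key = $base.OpenSubKey($path)      # read-only open
        if ($null -eq $key) { continue }    # path absent in this view
        try {
            foreach ($name in $key.GetSubKeyNames()) {
                # Case-insensitive suffix match (a choice of this example).
                if ($name.EndsWith('bak', [System.StringComparison]::OrdinalIgnoreCase)) {
                    [pscustomobject]@{ View = $view; SubKey = $name }
                }
            }
        } finally { $key.Dispose() }
    } finally { $base.Dispose() }
}

# The matching subkeys, then a single True/False to compare with the relevance.
$found | Format-Table -AutoSize
[bool]$found
```

If both views show the same subkeys, each match appears twice in the table; the final True/False is unaffected.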