Looking for ".bak" in registry

Hey guys

Looking to find any computers with a profile issue in Windows. We can track this by looking in the registry. I wrote the code, but it's always reporting "true". I don't have a ".bak" profile on my machine, so I'm assuming something's wrong with my logic.

Here is what I got

if exist (name of it ends with "bak") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of (native registry; x32 registry) then true else false

Is there any way to have this report all entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList?

Here is the issue in more detail (if you want some context)
https://answers.microsoft.com/en-us/windows/forum/windows_7-security/user-profile-status-set-to-backup/3b665aa4-3c49-4e65-9fe1-446e61f39c19

This relevance isn’t correct.

Also, exists already does a true/false result, so you don’t need to wrap it in IF/THEN.

exists (name of it ends with "bak") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of (native registry; x32 registry)

This is closer, but still not correct. This relevance will always return TRUE because it is missing some elements.

(name of it ends with "bak") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of (native registry; x32 registry)

This relevance will always be FALSE because it is basically asking, does the string ProfileList end with bak, which it doesn’t.

Putting exists in front of it actually causes it to always return TRUE, because exists FALSE is true, which is counterintuitive but actually useful in some cases.

What you really want is a whose clause.

exists it whose(name of it ends with "bak") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of (native registry; x32 registry)

This will always return FALSE because it will never exist because it will always be filtered out by the whose clause.

I haven’t actually looked at the documentation to figure out how the relevance should be written, but I’d guess this is what you actually want:

exists keys whose(name of it ends with "bak") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of (native registry; x32 registry)

This would be true if any of the subkeys of ProfileList end in bak.

I'd need to know a full registry path of what you are trying to detect that will end in bak to tell what the correct location to examine with relevance is. Screenshots with any user specifics obscured would be useful, but I just looked at the link you provided and the above relevance seems correct.


Awesome,

thank you for the detailed information!

I will try this out and let you know how it works out.


This may just be confusing, or helpful, or both:

The relevance NULL is equivalent to TRUE whose(FALSE)

Q: TRUE whose(FALSE)
E: Singular expression refers to nonexistent object.

Q: exists TRUE whose(FALSE)
A: False
I: singular boolean

Q: exists TRUE whose(TRUE)
A: True
I: singular boolean

Q: exists FALSE whose(TRUE)
A: True
I: singular boolean

Q: exists FALSE whose(FALSE)
A: False
I: singular boolean

Q: exists "this"
A: True
I: singular boolean

Q: exists "this" whose(FALSE)
A: False
I: singular boolean

Q: NULL
E: Singular expression refers to nonexistent object.

Q: exists NULL
A: False
I: singular boolean

Q: exists NULL whose(TRUE)
A: False
I: singular boolean

A whose statement after a NULL does not get evaluated because it already doesn't exist. It can't exist less than it already does. When you have something that always exists, like a literal string or TRUE, and you have a whose statement that filters out all possibilities, like whose(FALSE), then you end up with no results, or NULL.

This is effectively equivalent to TRUE whose(FALSE):

Q: "This Definitely Exists" whose("Definitely" = "False")
E: Singular expression refers to nonexistent object.

Yes, like this:

unique values of names of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of (native registry; x32 registry)
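As an added cross-check that is not part of the thread and not BigFix relevance, the PowerShell below does on one machine what the two relevance expressions above do: it lists every ProfileList subkey (the "report all entries" question) and flags the ones ending in ".bak" (the detection question). It walks both the native view and the WOW6432Node view to mirror "(native registry; x32 registry)", and it additionally checks whether the SID also exists without the ".bak" suffix, which is the duplicate-key symptom described in the linked Microsoft article. Assumptions of mine: the State and ProfileImagePath values are present on each subkey, the "twin" of a .bak key is the same name with the suffix removed, and the script is run with administrator rights.

```powershell
# Added example, not from the thread: enumerate ProfileList and flag ".bak" profile keys.
# Assumptions (mine): State and ProfileImagePath exist on each subkey; the twin of a
# ".bak" key is the same SID without the suffix; run elevated so HKLM is readable.
$profileLists = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList'
)

function Get-ProfileListEntries {
    foreach ($root in $profileLists) {
        # The 32-bit view normally has no ProfileList at all; skip it rather than error.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $name     = $key.PSChildName
            $isBackup = $name -like '*.bak'
            $twin     = $false
            if ($isBackup) {
                # The actual symptom: the SID is present twice, once with .bak and once without.
                $twin = Test-Path -LiteralPath (Join-Path $root ($name -replace '\.bak$', ''))
            }
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            [pscustomobject]@{
                Root             = $root
                Key              = $name
                IsBackup         = $isBackup
                TwinExists       = $twin
                State            = $props.State
                ProfileImagePath = $props.ProfileImagePath
            }
        }
    }
}

# Equivalent of: unique values of names of keys of keys "...ProfileList" of (native registry; x32 registry)
$entries = Get-ProfileListEntries
$entries | Format-Table Key, IsBackup, TwinExists, State, ProfileImagePath -AutoSize

# Equivalent of: exists keys whose (name of it ends with "bak") of keys "...ProfileList" of (...)
$hasBackup = [bool]($entries | Where-Object { $_.IsBackup })
"Profile .bak key present: $hasBackup"
```

Run it on a machine that is reporting the temporary-profile symptom and on one that is not; the IsBackup column should match what the relevance returns in the Fixlet Debugger, and the TwinExists column tells you whether the machine is in the state the Microsoft article describes (a .bak key alongside a fresh key for the same SID) rather than just carrying a stale .bak entry.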