Multi string (REG_MULTI_SZ) usage

(imported topic written by SystemAdmin)

If a registry value is a multi string, how can you get all values of it? It seems I can only return the first value using it as-is or casting it as a string.

Let’s say I have a multi-string…

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\test]
"data"=hex(7):76,00,61,00,6c,00,75,00,65,00,31,00,00,00,76,00,61,00,6c,00,75,\
  00,65,00,32,00,00,00,76,00,61,00,6c,00,75,00,65,00,33,00,00,00,00,00

Using…

value "data" of key "HKEY_LOCAL_MACHINE\SOFTWARE\test" of registry

…I only get the first value.

-Paul

(imported comment written by SystemAdmin)

Ok, I played around with lengths and it looks like the multi string is returning the data, but the inspector is only returning up to the first null.

This seemed to work…

substrings separated by "%00" of (value "data" of key "HKEY_LOCAL_MACHINE\SOFTWARE\test" of registry as string)

Is there a better way, or is the above correct?

-Paul

(imported comment written by jessewk)

Paul,

I think your method should work fine. I actually like it a little better than the solution discussed here: http://forum.bigfix.com/viewtopic.php?pid=1902

-Jesse

(imported comment written by SystemAdmin)

Using the 6.0 relevance debugger, I came across splitting by nulls after I discovered the length of it was correctly being returned (22, I believe).

My guess as to what was happening was the same as what Ben said in the other thread you mentioned. I guess this will be fixed in 7.0. It’s returning it properly in the 7.0 relevance debugger.

Paul

(imported comment written by SystemAdmin)

Just discovered a little extra part I forgot. Since it returns extra NULLs at the end, I needed the extra WHOSE clause. Otherwise you end up with a few extra blank values at the end.

-Paul

substrings separated by "%00" whose (it != "") of (value "data" of key "HKEY_LOCAL_MACHINE\SOFTWARE\test" of registry as string)
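
The behaviour discussed in this thread can be reproduced outside the inspector. The following is an added example, not code from any poster or from BigFix: it parses the hex(7) data from the export in the first post, decodes it as UTF-16LE, and shows the full length, what a reader that stops at the first NUL returns, and why the empty-string filter is needed. All function names are hypothetical, and the export is assumed to use standard .reg syntax.

```python
import re

# The .reg export from the first post (hex data copied from the thread;
# standard .reg key brackets and straight quotes assumed).
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\test]
"data"=hex(7):76,00,61,00,6c,00,75,00,65,00,31,00,00,00,76,00,61,00,6c,00,75,\
  00,65,00,32,00,00,00,76,00,61,00,6c,00,75,00,65,00,33,00,00,00,00,00
'''

def read_hex7(reg_text, name):
    """Return the raw bytes of a hex(7) (REG_MULTI_SZ) value in a .reg export."""
    # A trailing backslash continues the value on the next (indented) line.
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)
    pattern = r'^"%s"=hex\(7\):([0-9a-fA-F,]*)\s*$' % re.escape(name)
    m = re.search(pattern, joined, re.MULTILINE)
    if m is None:
        raise KeyError(name)
    return bytes(int(b, 16) for b in m.group(1).split(",") if b)

def decode_multi_sz(raw):
    """Decode REG_MULTI_SZ bytes (UTF-16LE, NUL-terminated strings) to text."""
    if len(raw) % 2:
        raise ValueError("odd byte count: not valid UTF-16LE")
    return raw.decode("utf-16-le")

def first_string_only(text):
    """What a reader that treats the data as one NUL-terminated string sees."""
    return text.split("\x00", 1)[0]

def split_multi_sz(text):
    """Split on NUL and drop the empty strings left by the terminators."""
    return [s for s in text.split("\x00") if s]

if __name__ == "__main__":
    text = decode_multi_sz(read_hex7(REG_TEXT, "data"))
    print(len(text), repr(text))   # full data, terminators included
    print(first_string_only(text)) # truncated at the first NUL
    print(text.split("\x00"))      # unfiltered split: trailing blanks
    print(split_multi_sz(text))    # filtered split
```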