Problem querying dword value

hi
i have this registry record


i would like to search for all computers that have this data value set to 1. dword = 1

i did this :


which behaves just fine. if i put the dword value to 1, i get true, and if i put the dword to 0 i get false

i did an analysis like this :



but for some reason, i get all the computers in my organization as relevant to this analysis
what am i doing wrong?

An analysis can contain many properties, so the clients don’t check the value returned by the property and then only become relevant if that is true.

The clients first check the relevance clause(s) and if the relevance evaluates to TRUE then the properties are evaluated.

For example, your property above is looking at the Windows registry, so will only give results on a Windows computer, so you might have relevance of
windows of operating system
to stop it evaluating on Macs, Linux boxes etc.


ok. i understand that, but i don’t understand how to fix my situation

oh wait, sorry
i think i got it

What would you like to happen? Or what are you trying to do? :slight_smile:

As explained above, and as you’ve currently configured the analysis, it is expected that all computers in the organization are relevant to the analysis since you set the relevance of the analysis to true.
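
The split between analysis relevance and property relevance described above, as an added example that is not part of the original posts. The registry key and value name are placeholders (the poster's actual path was only in a screenshot), and `native registry` assumes the 64-bit registry view is the one wanted:

```relevance
/* Analysis relevance as configured in the thread: every client evaluates
   this to TRUE, so every computer is relevant to the analysis. */
true

/* Corrected analysis relevance, clause 1: restrict to Windows so the
   registry inspectors are not evaluated on macOS or Linux clients. */
windows of operating system

/* Corrected analysis relevance, clause 2: relevant only where the DWORD
   is 1. "exists" gives FALSE when the key or value is missing.
   Key path and value name are placeholders. */
exists value "ExampleValue" whose (it as integer = 1) of key "HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleApp" of native registry

/* Property of the analysis: evaluated only on clients that passed the
   relevance clauses above; reports the stored data for review. */
value "ExampleValue" of key "HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleApp" of native registry as string
```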

thank you
now i need to adjust my analysis
i need to lookup a specific value in a reg_sz, but in wildcard

i have this registry path :


i need to lookup the data of AccountTrack (highlighted) through all of them
so if i do this :

i am able to query the first “step”, but what’s the syntax for the next step? a search within a search :slight_smile:

I’ll try to help, but first a couple of Forum usage tips -

  • You might have better results starting a new thread. This thread is already marked as Answered so some people may not open and see the new question.

  • The screenshots are very helpful, but it’s also helpful to copy & paste the relevance text and registry paths as text. I’m reading on my phone, and retyping all of that path is a lot more error-prone than if I could copy & paste the path.

That said, for a registry search like this you can use the ‘keys of keys’ property where the name of the subkey is not known. Here it would be something like

```
values "AccountTrackUsage" of keys "PrinterDriverData" of keys of keys "Software\Microsoft\path-to-servers-something-printers" of user keys of logged on users
```

`user keys of logged on users` will get you to the path of HKEY_USERS\SID, so the “path-to-servers” will start with Software\Microsoft