Query registry value contents using "contains"

Hi All,

I am trying to determine if a string registry value contains a substring (based off an old post on the forum) using this relevance:

exists key whose (exists value "ImagePath" whose (it as string contains "ProgramData") of it) of key "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" of registry

Even though the reg value contains a path that has “ProgramData” in it as a substring, it always returns “False”. The reg key value looks like this:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend … value of course is “ImagePath” and its contents are “C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe”. The value type is REG_EXPAND_SZ if that could be affecting it (not sure how it could).

What am I doing wrong, any help much appreciated…

When in doubt, retrieve the value and look at it.

What does this yield?

(value "ImagePath" of it as string) of key of key "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" of registry

In fact, that was helpful for me to spot the mistake…by rearranging to just “retrieve” the value rather than “testing” the value, I see you’re looking for a subkey beneath WinDefend. Try

(values "ImagePath" of it as string) of keys "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" of registry

@JasonWalker, gave you the reasoning already but if you want code in your structure:

exists key "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" whose (exists value "ImagePath" whose (it as string contains "ProgramData") of it) of registry

Thank you @JasonWalker… the first one above for anyone that’s reading returns “Singular expression refers to nonexistent object.”. The second one returns the full string contained by the reg value. I have to admit I am still a little confused on the proper order of compound expressions like this, need to ponder it for a while. The “ageorgiev” answer below does what I need it to do. Appreciate the response immensely.

Thank you ageorgiev… that worked like butter!

Right, that’s the behavior I expected on the first query. I built that by taking your original, and just moving your whose() clause to the front so instead of filtering it would just display the value on which you were trying to filter. I wanted to show how to rearrange your query to find the problem.

The second query was how to find the “real” thing.

Here’s a bit more detail to explain where the problems were.

The whole statement

(value "ImagePath" of it as string) of key of key "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" of registry

The first step retrieves a registry key

key "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" of registry

If the key exists, it is returned; if it does not exist, one would get a “Singular Expression” error. We could avoid the error and instead return an empty result if we used the plural keys rather than key

The next step, given that key, looks for another key beneath it -

key of key "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" of registry

If there is no key beneath “WinDefend”, or more than one key beneath it, we would get another “Singular Expression” error. There might be only one key beneath it, WinDefend\Parameters, and if that’s the case we return that key and continue.

Finally

(value "ImagePath" of it as string) of key of key "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" of registry

If we’ve made it this far, it’s trying to find an “ImagePath” value beneath “WinDefend\Parameters”. Even if the service had only one subkey (Parameters), the Parameters subkey won’t have an ImagePath value beneath it (the value is at WinDefend\ImagePath, not WinDefend\Parameters\ImagePath). This expression will again throw the “Singular Expression” error because ImagePath does not exist. We could avoid the error and instead get an empty result if we used the plural ‘values of keys’ instead of ‘value of key’.
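As an added cross-check that is not part of the thread and not BigFix relevance: the same "retrieve it and look at it" advice, done directly on the endpoint with PowerShell. It reads the value both unexpanded (what REG_EXPAND_SZ actually stores, e.g. a `%ProgramData%` reference) and expanded, reports the value kind, and tests the substring on both forms. The key path, value name and search string default to the ones from the thread; the function name and its output fields are this example's own choices, and it assumes you run it on a machine where the key exists.

```powershell
# Added example (not from the forum thread): verify a registry value's real
# contents outside of relevance before writing a "contains" filter on it.
# Defaults match the thread; the function name and output shape are assumptions.
function Test-RegistryValueContains {
    param(
        [string]$KeyPath   = 'SYSTEM\CurrentControlSet\Services\WinDefend',
        [string]$ValueName = 'ImagePath',
        [string]$Needle    = 'ProgramData'
    )

    # Open the key under HKLM; OpenSubKey returns $null when it does not exist,
    # the analogue of using plural "keys" in relevance instead of a singular "key"
    # that would throw a "Singular expression" error.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($KeyPath)
    if ($null -eq $key) {
        return [pscustomobject]@{ Exists = $false; Kind = $null; Raw = $null; Expanded = $null; Match = $false }
    }

    try {
        # Raw form: for REG_EXPAND_SZ this keeps any %VAR% references unexpanded.
        $raw = $key.GetValue($ValueName, $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if ($null -eq $raw) {
            # Key exists but the value does not (e.g. you are looking in a subkey).
            return [pscustomobject]@{ Exists = $false; Kind = $null; Raw = $null; Expanded = $null; Match = $false }
        }
        # Expanded form: environment variables resolved, which is what most tools display.
        $expanded = $key.GetValue($ValueName)
        $kind     = $key.GetValueKind($ValueName)   # e.g. ExpandString for REG_EXPAND_SZ
    }
    finally {
        $key.Close()
    }

    $rawText      = [string]$raw
    $expandedText = [string]$expanded

    [pscustomobject]@{
        Exists   = $true
        Kind     = $kind
        Raw      = $rawText
        Expanded = $expandedText
        # Case-insensitive substring test on both forms, so a value stored as
        # "%ProgramData%\..." and one stored as "C:\ProgramData\..." both report a match.
        Match    = ($rawText.IndexOf($Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) -or
                   ($expandedText.IndexOf($Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0)
    }
}

# Usage: show what the value actually holds (and its type) before writing the filter.
Test-RegistryValueContains | Format-List
```

If `Raw` and `Expanded` differ, the value is a REG_EXPAND_SZ with an environment variable in it, and which form your filter sees depends on the tool reading it; look at the `Raw` column to know what is literally stored. The PowerShell test above is deliberately case-insensitive; if your relevance comparison must behave the same way, lowercase both sides before comparing.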