Querying registry permissions

(imported topic written by Julia_C)

Hello everyone,

I am trying to detect reg permissions and I have a problem with my relevance :frowning:

(account name of trustee of it & " - " & (if (generic all permission of it) then "Full Control" else "") & (if (generic read permission of it) then "Read" else "") & (if (generic write permission of it) then "Write" else "")) of entries whose (generic all permission of it OR generic read permission of it OR generic write permission of it) of dacls of security descriptors of keys (expand environment string of "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix") of registry

Just no result when I run it in Q\A

Need help here, thanks,

Julia

(imported comment written by NoahSalzman)

Are you sure you are using the “generic all…” inspectors correctly to get the results you want? I’m not familiar with how those work so I’m not entirely sure what you are trying to do.

You are going to get a blank result, as you experienced, if the key you are inspecting does not have the generic all, generic read, and generic write permissions set to true.

Here is a bit of troubleshooting that (might?) help:

q: (account name of trustee of it & " - " & (if (generic all permission of it) then "Full Control" else "") & (if (generic read permission of it) then "Read" else "") & (if (generic write permission of it) then "Write" else "")) of entries whose (true) of dacls of security descriptors of keys (expand environment string of "HKEY_LOCAL_MACHINE\SOFTWARE\Classes") of registry

A: Users -

A: Users -

A: Administrators -

A: Administrators -

A: SYSTEM -

A: SYSTEM -

A: CREATOR OWNER -

T: 8.626 ms

I: plural string
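
An added example, not part of the original thread and not BigFix code: a Python sketch of why a filter on the generic bits can drop every entry, and how an auditor would label registry ACEs by their key-specific rights instead. It assumes the "generic ... permission" inspectors test only the GENERIC_* bits of an ACE's access mask; the constants are the documented winnt.h values, while the function names and the sample DACL are constructed for illustration.

```python
# Access-mask constants as defined in the Windows SDK (winnt.h).
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_ALL = 0x10000000
KEY_READ = 0x20019        # read-control + query value + enumerate subkeys + notify
KEY_WRITE = 0x20006       # read-control + set value + create subkey
KEY_ALL_ACCESS = 0xF003F  # every key-specific and standard right except SYNCHRONIZE

def has_all(mask, rights):
    """True only when every bit of `rights` is present in `mask`."""
    return mask & rights == rights

def generic_label(mask):
    """Label built the way the relevance in the thread builds it (generic bits only)."""
    return (("Full Control" if has_all(mask, GENERIC_ALL) else "")
            + ("Read" if has_all(mask, GENERIC_READ) else "")
            + ("Write" if has_all(mask, GENERIC_WRITE) else ""))

def entries_with_generic_bits(dacl):
    """Equivalent of the original whose-clause: keep ACEs with any generic bit set."""
    any_generic = GENERIC_ALL | GENERIC_READ | GENERIC_WRITE
    return [(trustee, mask) for trustee, mask in dacl if mask & any_generic]

def effective_label(mask):
    """Label that also recognises the key-specific rights stored in most registry ACEs."""
    if has_all(mask, GENERIC_ALL) or has_all(mask, KEY_ALL_ACCESS):
        return "Full Control"
    parts = []
    if has_all(mask, GENERIC_READ) or has_all(mask, KEY_READ):
        parts.append("Read")
    if has_all(mask, GENERIC_WRITE) or has_all(mask, KEY_WRITE):
        parts.append("Write")
    return "/".join(parts)

def report(dacl, labeller):
    """Render 'trustee - label' lines like the QnA output in the thread."""
    return [f"{trustee} - {labeller(mask)}" for trustee, mask in dacl]

# Constructed sample DACL (trustee, access mask); not read from a real key.
SAMPLE_DACL = [
    ("Users", KEY_READ),
    ("Administrators", KEY_ALL_ACCESS),
    ("SYSTEM", KEY_ALL_ACCESS),
    ("CREATOR OWNER", GENERIC_ALL),
]

if __name__ == "__main__":
    print(report(entries_with_generic_bits(SAMPLE_DACL), generic_label))
    print(report(SAMPLE_DACL, effective_label))
```

For a permissions audit, the second report is the one to review: an ACE that grants KEY_ALL_ACCESS to a broad group is invisible to a check that only looks at the generic bits.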