Reading registry values

Nagaraj · July 9, 2025, 2:10pm

In my case the DWORD value is different like below,
key= BOH_Service and value=0x00000050(1),

If I use the relevance like below mean, I can get value as true. But If I use the string value "(name of it = “UserList” AND value “BOH_Service” of it as string as version = “50”) " mean it is showing false

exists key whose (name of it = “UserList” AND value “BOH_Service” of it as string as version = “1”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts” of native registry

Is there any other option to modify and get the validation as value 50 Instead of 1?

Thanks,
Nagaraj.

JasonWalker · July 9, 2025, 6:55pm

That…doesn’t make sense to me.

value=0x00000050(1) - this should be indicating the hexadecimal and decimal values. i.e. the 0x00000050 is a hexadecimal value equal to decimal value 80.

I’m not sure exactly what you’re seeing, can you post a screenshot of what you’re looking for?

Nagaraj · July 9, 2025, 7:42pm

Hi @JasonWalker

The actual value look like below
value=0x00000048(72)

Thanks,
Nagaraj.

orbiton · July 9, 2025, 8:40pm

Please share registry key - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

As I understand from the following documentation - https://superuser.com/questions/1365614/hide-administrator-account-from-windows-login-screen -you are trying to look for computers which decided to hide user - BOH_Service, am I correct?

JasonWalker · July 9, 2025, 10:19pm

I don’t have those keys on my system but I think you could try some of the following as references:

q: 72 as hexadecimal
A: 48
T: 0.236 ms
I: singular string

q: 72 as hexadecimal = "48"
A: True
T: 0.196 ms
I: singular boolean

q: exists values "BOH_Service" whose (it as integer = 72) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" of native registry
A: False
T: 0.151 ms
I: singular boolean

q: exists values "BOH_Service" whose (it as integer as hexadecimal = "48") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" of native registry
A: False
T: 0.063 ms
I: singular boolean

Nagaraj · July 10, 2025, 11:15am

Hi @orbiton

Thanks for your updates and response and the actual Registry key is under below path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\

But the value showing as hexadecimal, so I was tried @JasonWalker relevance and it is good for me as I expected results.

Thanks
Nagaraj.