Regex matching vs. registry value types

(imported topic written by pmullins91)

Could someone please explain to me the difference in matching between the two examples below?

Thanks!

q: type of value "foo" of key "HKEY_LOCAL_MACHINE\SOFTWARE" of registry as string
A: REG_EXPAND_SZ
I: singular string

q: value "foo" of key "HKEY_LOCAL_MACHINE\SOFTWARE" of registry as string
A: c:\foo, c:\bar%00
I: singular string

q: regex ".*,.*" = (value "foo" of key "HKEY_LOCAL_MACHINE\SOFTWARE" of registry as string)
A: False
I: singular boolean

q: regex ".*,.*\x00" = (value "foo" of key "HKEY_LOCAL_MACHINE\SOFTWARE" of registry as string)
A: False
I: singular boolean

q: regex ".*,.*" = preceding text of first "%00" of (value "foo" of key "HKEY_LOCAL_MACHINE\SOFTWARE" of registry as string)
A: True
I: singular boolean

and

q: type of value "bar" of key "HKEY_LOCAL_MACHINE\SOFTWARE" of registry as string
A: REG_SZ
I: singular string

q: value "bar" of key "HKEY_LOCAL_MACHINE\SOFTWARE" of registry as string
A: c:\foo, c:\bar
I: singular string

q: regex ".*,.*" = (value "bar" of key "HKEY_LOCAL_MACHINE\SOFTWARE" of registry as string)
A: True
I: singular boolean

(imported comment written by BenKus)

Hi Patrick,

I think this can be explained by:

  • REG_EXPAND_SZ values seem to always have a NULL character at the end (BigFix strings use percent encoding for special characters so a null is “%00”).
  • Regular expression rules don’t consider NULL to be accounted for with the “.”

Here are some further illustrations:

q: regex ".*,.*" = "C:\foo, C:\bar%00"
A: False
T: 0.325 ms
I: singular boolean

q: regex "." = "%00"
A: False
T: 0.257 ms
I: singular boolean

You might try using the "contains" approach (or you can use the "preceding text of first "%00"…" approach if you want):

q: "C:\foo, C:\bar%00" contains regex ".*,.*"
A: True
T: 0.359 ms
I: singular boolean

Ben

(imported comment written by pmullins91)

Thanks for following up Ben.

Per the extended regex syntax referenced in the BES help file (the location of which is incorrect and has changed to this page), while "." does not match a NULL character, I believe this should return true:

q: regex "\x00" = "%00"
A: False
T: 0.037 ms
I: singular boolean
 
q: "%00" contains regex "\x00"
A: False
T: 0.042 ms
I: singular boolean

Would this be related to their library or instead the understanding of the results passed back to the relevance debugger? Or am I missing the point entirely? :wink:

Thanks for the contains approach - I like that better than the regex = method.

(imported comment written by BenKus)

Hey pmullins,

Hmmm… well… I am not 100% sure… but if I had to guess I think that our regex inspectors are always in “text” mode and nulls terminate text strings. So looking for a null in text won’t work (but if we allowed for binary regex, it would work).

Ben

(imported comment written by pmullins91)

Thanks again Ben.
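The behaviour Ben describes (a REG_EXPAND_SZ value carrying its terminating NUL, a "." that does not match NUL, and the two workarounds: "contains regex" or "preceding text of first "%00"") can be modelled outside BigFix to see the three results line up. The following Python is an added example, not BigFix code and not from anyone in the thread. It assumes the debugger's "%XX" display is plain percent encoding (only "%00" appears above), and it models the inspector's dot as `[^\x00]`, since Python's own "." would happily match a NUL. The sample values are constructed from the ones posted.

```python
import re

# Constructed sample values, as the relevance debugger shows them:
# a REG_SZ value without a terminator and a REG_EXPAND_SZ value whose
# data still carries the trailing NUL (displayed as "%00").
SAMPLE_VALUES = {
    "bar": ("REG_SZ", "c:\\foo, c:\\bar"),
    "foo": ("REG_EXPAND_SZ", "c:\\foo, c:\\bar%00"),
}

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_percent(shown: str) -> str:
    """Turn the debugger's %XX escapes back into raw characters.

    Assumption: every %XX is a percent-encoded byte; the page only shows %00.
    """
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), shown)


# ".*,.*" as the inspector appears to treat it: "." never matches NUL.
PATH_LIST = re.compile(r"[^\x00]*,[^\x00]*")


def full_match(value: str) -> bool:
    """Models:  regex ".*,.*" = value   (whole string must match)."""
    return PATH_LIST.fullmatch(value) is not None


def contains_match(value: str) -> bool:
    """Models:  value contains regex ".*,.*"   (match anywhere)."""
    return PATH_LIST.search(value) is not None


def strip_terminator(value: str) -> str:
    """Models:  preceding text of first "%00" of value.

    Difference from relevance: a value with no NUL is returned unchanged here,
    whereas "preceding text of first" on such a value yields no result.
    """
    head, _, _ = value.partition("\x00")
    return head


def check_value(name: str) -> dict:
    """Evaluate the three approaches from the thread against one sample value."""
    vtype, shown = SAMPLE_VALUES[name]
    raw = decode_percent(shown)
    return {
        "type": vtype,
        "has_nul": "\x00" in raw,
        "full_match_raw": full_match(raw),                       # False for REG_EXPAND_SZ
        "full_match_stripped": full_match(strip_terminator(raw)),  # True once NUL is dropped
        "contains_raw": contains_match(raw),                     # True either way
    }


if __name__ == "__main__":
    for name in SAMPLE_VALUES:
        print(name, check_value(name))
```

The REG_EXPAND_SZ value fails the full match, passes it once the terminator is stripped, and passes "contains" as posted. For an inventory or compliance check, stripping the terminator before comparing is the safer of the two fixes: "contains" also accepts values with extra text after the NUL, which a full-string comparison would reject.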