Registry Analysis With Multiple Values

(imported topic written by Steve73)

Hi,

I’m writing an analysis to retrieve results of a desktop audit.

The audit results are stored in the registry on the local PC under a specific key for each user.

If more than 1 user logs onto the same PC it stores their results in a separate key named after their username.

I’m having trouble formatting the retrieval of the information.

Most of the values are fine, but one is causing me a problem (MappedDrive).

A value for each mapped drive will be created under the key for each user…the more mapped drives you have the more values are written (i.e. mappeddrive 1, mappeddrive 2, etc…)

My relevance is below…

((name of it, value "BusinessUnit" of it, value "BusinessDepartment" of it, value "BusinessCostCenter" of it, value "ManagersName" of it, value "OfficeLocation" of it, value "OfficeFloor" of it, value "DateAccepted" of it, (values whose (name of it as string as lowercase contains "mappeddrive") of it)) of it whose (exists value "DateAccepted" of it) of (it; keys of it; keys of keys of it) as string) of key "HKEY_LOCAL_MACHINE\SOFTWARE\InfoCollector" of registry

results are thus:

USERNAME1, BUSINESSUNIT1,BUSINESSDEPARTMENT1, COSTCENTRE1, MANAGER, BUILDING1, Second Floor, 5 Sep 2014, ( G:,\xx\xxxx )

USERNAME1, BUSINESSUNIT1,BUSINESSDEPARTMENT1, COSTCENTRE1, MANAGER, BUILDING1, Second Floor, 5 Sep 2014, ( S:,\xx\xxxx\xxxx )

USERNAME1, BUSINESSUNIT1,BUSINESSDEPARTMENT1, COSTCENTRE1, MANAGER, BUILDING1, Second Floor, 5 Sep 2014, ( T:,\xx\xxxx\xxxx )

USERNAME2, BUSINESSUNIT2,BUSINESSDEPARTMENT2, COSTCENTRE2, MANAGER2, BUILDING2, First Floor, 5 Sep 2014, ( X:,\xx\xxxx )

So, for the mapped drive results it creates a complete new line for each individual mapped drive they may have instead of creating the below:

USERNAME1, BUSINESSUNIT1,BUSINESSDEPARTMENT1, COSTCENTRE1, MANAGER, BUILDING1, Second Floor, 5 Sep 2014, ( G:,\xx\xxxx ), ( S:,\xx\xxxx\xxxx ), ( T:,\xx\xxxx\xxxx )

Do you know how I might achieve this? (i.e. concatenating the mapped drive values and not creating a new result line for multiple mapped drives?)

Hope this makes sense

Cheers

Steve


(imported comment written by Steve73)

Figured it out.

For reference:

(((name of it, value "BusinessUnit" of it, value "BusinessDepartment" of it, value "BusinessCostCenter" of it, value "ManagersName" of it, value "OfficeLocation" of it, value "OfficeFloor" of it, value "DateAccepted" of it, concatenation ", " of unique values of (((values whose (name of it as string as lowercase contains "mappeddrive") of it)) as string)) of it whose (exists value "DateAccepted" of it) of (it; keys of it; keys of keys of it) of key "HKEY_LOCAL_MACHINE\SOFTWARE\InfoCollector" of registry))

Cheers

Steve
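For anyone who wants to verify the analysis output on the endpoint itself, here is a PowerShell cross-check that produces the same one-row-per-user shape as the fixed relevance above. This is an added example, not code from the original post; the key path and value names are taken from the thread, and walking the root plus two levels of subkeys mirrors "it; keys of it; keys of keys of it".

```powershell
# Added example (not from the original post): enumerate the per-user audit keys
# under HKLM\SOFTWARE\InfoCollector and emit one row per user, with every
# MappedDrive* value joined into a single field instead of one row per drive.
$root   = 'HKLM:\SOFTWARE\InfoCollector'
$fields = 'BusinessUnit', 'BusinessDepartment', 'BusinessCostCenter',
          'ManagersName', 'OfficeLocation', 'OfficeFloor', 'DateAccepted'

# The root key itself plus subkeys two levels down (-Depth needs PowerShell 5.0+),
# the same set the relevance walks with (it; keys of it; keys of keys of it).
$keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -Depth 1)

$rows = foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key.PSPath

    # Same filter as: whose (exists value "DateAccepted" of it)
    if (-not ($props.PSObject.Properties.Name -contains 'DateAccepted')) { continue }

    # Every value whose name contains "mappeddrive" (-like is case-insensitive),
    # cast to string and de-duplicated, matching "unique values of ... as string".
    $drives = $props.PSObject.Properties |
        Where-Object { $_.Name -like '*mappeddrive*' } |
        ForEach-Object { [string]$_.Value } |
        Select-Object -Unique

    # Build the row: key name first, then the fixed audit fields, then the
    # concatenated drive list (equivalent to: concatenation ", " of ...).
    $row = [ordered]@{ User = $key.PSChildName }
    foreach ($f in $fields) { $row[$f] = $props.$f }
    $row['MappedDrives'] = $drives -join ', '
    [pscustomobject]$row
}

$rows | Format-Table -AutoSize
```

Run it on a PC where the audit has populated the key and compare the MappedDrives column against the analysis result; a user still showing on several lines in the console means the concatenation is not being applied before the tuple is built.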