Registry Inspection Question

(imported topic written by hmkjr91)

Hello,

Is it possible to return the “Name”(s) of the “values” under a particular registry key? For example - I have key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”. Under this key, there is a list of string values that consist of 3 pieces of information - Name, Type and Data. I can successfully reference the “Data” piece of all of the entries with:

Q: values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry

partial answer list:

A: “C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe”

A: “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”

A: “C:\Program Files\Microsoft Office Communicator\communicator.exe” /fromrunkey

The answers are the “Data” values associated with the “Names” of the values. What I cannot seem to reference are the list of “Names” (or “Types”) for these values. For example, the Name (and Type) associated with the first item in the answers list above is “IMSS”. How can I reference the “Name” (and “Type”) column of the registry??

I have attached a partial screenshot.

Thanks!

(imported comment written by Bill.Ehardt)

Are you looking for something like this?

q: ((name of it, it, type of it) of values of it) of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of native registry

A: VMware Tools, “C:\Program Files\VMware\VMware Tools\VMwareTray.exe”, REG_SZ

A: VMware User Process, “C:\Program Files\VMware\VMware Tools\VMwareUser.exe”, REG_SZ

T: 0.519 ms

I: plural ( string, registry key value, registry key value type )

(imported comment written by hmkjr91)

Great! Thanks so much.

(imported comment written by hmkjr91)

Hello,

I have a follow up question.

I have this question that works:

Q: if exists (values of key "HKEY_LOCAL_MACHINE\SYSTEM\Setup" of registry as string) whose (it = "") then true else false

A: True

T: 0.279 ms

I get an error on this:

Q: if exists (values of key "HKEY_LOCAL_MACHINE\SYSTEM\Setup" of registry as string) whose (name of it = "OsLoaderPath") then true else false

E: The operator “name” is not defined.

What I would ultimately like to do is something like this:

Q: if exists (values of key "HKEY_LOCAL_MACHINE\SYSTEM\Setup" of registry as string) whose (name of it = "OsLoaderPath" and it = "" and type of it = "REG_SZ") then true else false

E: The operator “name” is not defined.

Any help with syntax would be greatly appreciated.

Thanks much

(imported comment written by Bill.Ehardt)

For the first error you can do it either way, something like:

exists value "OsLoaderPath" of key "HKLM\System\setup" of registry

or

exists value whose (name of it = "OsLoaderPath") of key "HKLM\System\setup" of registry

and for the last one

exists value whose (name of it = "OsLoaderPath" AND it = "" AND type of it = "REG_SZ") of key "HKEY_LOCAL_MACHINE\SYSTEM\Setup" of registry
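
As an added example (not part of the thread and not BigFix code), this PowerShell script cross-checks on the endpoint what the relevance above reports: the Name, Type and Data of every value under the Run key. It reads both the 64-bit and the 32-bit registry view, because a 32-bit process on 64-bit Windows sees a redirected view of HKLM\SOFTWARE; it uses the .NET `Microsoft.Win32.RegistryKey` API, and the variable names are chosen here.

```powershell
# Added example: list Name, Type and Data for each value under the Run key,
# once per registry view, so autorun entries in either view are visible.
$subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$views  = [Microsoft.Win32.RegistryView]::Registry64,
          [Microsoft.Win32.RegistryView]::Registry32

$rows = foreach ($view in $views) {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    try {
        $key = $base.OpenSubKey($subKey)      # opened read-only; $null if absent
        if ($null -eq $key) { continue }
        try {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    View = $view
                    # The unnamed default value is returned as an empty string.
                    Name = if ($name -eq '') { '(Default)' } else { $name }
                    # RegistryValueKind: String = REG_SZ, ExpandString = REG_EXPAND_SZ, ...
                    Type = $key.GetValueKind($name)
                    # Keep %VAR% references unexpanded so Data matches what is stored.
                    Data = $key.GetValue($name, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                }
            }
        }
        finally { $key.Dispose() }
    }
    finally { $base.Dispose() }
}

$rows | Sort-Object View, Name | Format-Table -AutoSize -Wrap
```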