Hello All,
I am trying to create a relevance that is True when a non-admin has logged in, or has created a SID record, in the ProfileList location.
Does anyone know where I am going wrong? Any help greatly appreciated.
S-1-5-21 = Domain user
Admin_ = Admin accounts named
exists keys whose (
    exists value "Sid" whose (it as string contains "S-1-5-21") of it
    and value "ProfileImagePath" of it as string does not contain "c:\users\Admin_"
) of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
When in doubt, it's best to break up the query into smaller pieces and see which piece is not giving the results you expect:
Q: keys of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
A: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
A: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
A: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1862586638-1684353032-3949902452-1001
A: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1862586638-1684353032-3949902452-1003
T: 0.520 ms
Q: values "Sid" of keys of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: 010100000000000512000000
A: 0105000000000005150000000ed1046f0830656474ba6eebe9030000
A: 0105000000000005150000000ed1046f0830656474ba6eebeb030000
T: 0.358 ms
Q: values "ProfileImagePath" of keys of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: %25systemroot%25\system32\config\systemprofile%00
A: %25systemroot%25\ServiceProfiles\LocalService%00
A: %25systemroot%25\ServiceProfiles\NetworkService%00
A: C:\Users\jwalk%00
A: C:\Users\proxmox%00
The "Sid" value is a REG_BINARY that is not expressed in the SID format you're expecting. Instead of looking at the SID value, it's easier to look at the Name of the key:
Q: (name of it, values "ProfileImagePath" of it) of keys of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: S-1-5-18, %25systemroot%25\system32\config\systemprofile%00
A: S-1-5-19, %25systemroot%25\ServiceProfiles\LocalService%00
A: S-1-5-20, %25systemroot%25\ServiceProfiles\NetworkService%00
A: S-1-5-21-1862586638-1684353032-3949902452-1001, C:\Users\jwalk%00
A: S-1-5-21-1862586638-1684353032-3949902452-1003, C:\Users\proxmox%00
T: 0.574 ms
Q: (names whose (it starts with "S-1-5-21-") of it, values "ProfileImagePath" whose (it as string does not start with "c:\users\Admin_") of it) of keys of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: S-1-5-21-1862586638-1684353032-3949902452-1001, C:\Users\jwalk%00
A: S-1-5-21-1862586638-1684353032-3949902452-1003, C:\Users\proxmox%00
T: 0.339 ms
Q: exists (names whose (it starts with "S-1-5-21-") of it, values "ProfileImagePath" whose (it as string does not start with "c:\users\Admin_") of it) of keys of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: True
T: 0.145 ms
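A decoder for that REG_BINARY "Sid" layout, plus the final non-admin check written as ordinary code, added here as an example that is not part of the thread and not BigFix or QnA code. It takes the hex strings and (key name, ProfileImagePath) pairs shown in the QnA output above as constructed sample input (with QnA's %25 and %00 escaping undone), converts each binary Sid to the S-1-5-21-... form so you can confirm it matches the key name, and then applies the same two filters as the final relevance. Function and constant names are my own. Two caveats the example bakes in: relevance string comparisons are case-sensitive, so a "c:\users\Admin_" prefix will not match "C:\Users\Admin_..." unless you compare `as lowercase`, and the Python below folds case for that reason; and a path naming convention only tells you how the profile folder is named, not whether the account is actually a member of the local Administrators group.

```python
import struct

# Constructed sample input: the three "Sid" REG_BINARY values exactly as
# QnA printed them (hex) in the thread above.
SAMPLE_SID_HEX = [
    "010100000000000512000000",
    "0105000000000005150000000ed1046f0830656474ba6eebe9030000",
    "0105000000000005150000000ed1046f0830656474ba6eebeb030000",
]

# Constructed sample input: (key name, ProfileImagePath) rows from the thread,
# with QnA's %25 -> % and trailing %00 (NUL) display escaping removed.
SAMPLE_PROFILES = [
    ("S-1-5-18", "%systemroot%\\system32\\config\\systemprofile"),
    ("S-1-5-19", "%systemroot%\\ServiceProfiles\\LocalService"),
    ("S-1-5-20", "%systemroot%\\ServiceProfiles\\NetworkService"),
    ("S-1-5-21-1862586638-1684353032-3949902452-1001", "C:\\Users\\jwalk"),
    ("S-1-5-21-1862586638-1684353032-3949902452-1003", "C:\\Users\\proxmox"),
]

DOMAIN_USER_PREFIX = "S-1-5-21-"   # key names for domain/local user accounts


def sid_from_bytes(raw: bytes) -> str:
    """Convert a binary SID (revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities) to the
    S-R-A-S1-S2-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    expected = 8 + 4 * sub_count
    if len(raw) != expected:
        raise ValueError(
            f"expected {expected} bytes for {sub_count} sub-authorities, got {len(raw)}"
        )
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{sub_count}I", raw[8:])
    # Windows prints authorities that do not fit in 32 bits as hex.
    auth_text = str(authority) if authority < 2**32 else f"0x{authority:012X}"
    return f"S-{revision}-{auth_text}" + "".join(f"-{s}" for s in subs)


def sid_from_hex(hex_text: str) -> str:
    """Decode the hex string QnA shows for a REG_BINARY Sid value."""
    return sid_from_bytes(bytes.fromhex(hex_text))


def non_admin_profiles(profiles, admin_path_prefix="c:\\users\\admin_"):
    """Return (sid, path) pairs for user-account keys (S-1-5-21-...) whose
    ProfileImagePath does not start with the admin naming prefix.
    Case is folded so the test matches however the path is cased."""
    found = []
    for sid, path in profiles:
        if not sid.startswith(DOMAIN_USER_PREFIX):
            continue
        if path.lower().startswith(admin_path_prefix.lower()):
            continue
        found.append((sid, path))
    return found


def has_non_admin_profile(profiles) -> bool:
    """Same question the final 'exists ...' relevance asks."""
    return bool(non_admin_profiles(profiles))


if __name__ == "__main__":
    for hex_text in SAMPLE_SID_HEX:
        print(hex_text, "->", sid_from_hex(hex_text))
    for sid, path in non_admin_profiles(SAMPLE_PROFILES):
        print("non-admin profile:", sid, path)
    print("exists:", has_non_admin_profile(SAMPLE_PROFILES))
```

The decoded values let you check the thread's own data: the two long hex strings decode to the -1001 and -1003 key names, and the short one decodes to S-1-5-18, which is why matching the key name is equivalent to, and far simpler than, matching the binary value.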
Perfect, Thanks very much for the info and code, much appreciated.