RunKey and RunOnceKeys value query

(imported topic written by SecurityMG)

Hello,

Another odd result. I am now thinking something changed in version 9 that broke this. This works on Workstations, but not servers.

(names of values of it, values of it) of it of key "runonce" of keys "HKLM\software\microsoft\windows\currentversion" of registry

(names of values of it, values of it) of it of key "runonce" of keys "HKLM\software\microsoft\windows\currentversion" of native registry

(names of values of it, values of it) of it of key "runonce" of keys "HKLM\software\microsoft\windows\currentversion" of x64 registry

This does work on servers:

if (exists key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" of native registry) then names of values whose (name of it is not contained by set of ("whatever")) of key "HKLM\software\microsoft\windows\currentversion\RunOnce" of native registry else "No Key"

But I can’t get it to work with the data of value inside the Run or Runonce entry on 64bit Windows servers.

if (exists key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" of native registry) then names of values whose (name of it is not contained by set of ("whatever")) of key "HKLM\software\microsoft\windows\currentversion\RunOnce" of native registry else "No Key"

I think it is a bug!

Basically I need to query keys for the ‘value(s)’ within the name of the entries and ‘last write time of it’ and have ‘not contained by set of “”’ in order to exclude known good stuff.

Thanks,

MG

(imported comment written by SecurityMG)

OK… so this works…

(unique values of (it as string) of values of key "HKLM\software\microsoft\windows\currentversion\Run" of native registry) whose (it does not contain "whatever.exe")

It should not need it this way on servers when it works on workstations, but this does work for values of Reg keys on Servers.

I also eliminated the fact that my agent version was the cause as it doesn’t work on 8.x and 9.x.

Regards,

MG
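
An added example, not part of the original posts and not BigFix relevance: a PowerShell cross-check that can be run locally on a 64-bit server to compare against what the agent returns for the Run and RunOnce keys in both registry views. The function name `Get-RunKeyEntry` and the variable names are assumptions made for this example; `whatever.exe` is the placeholder used in the thread.

```powershell
# Added example: list HKLM Run / RunOnce values from the 64-bit and 32-bit
# registry views, excluding entries whose data contains an allowlisted string.
$KnownGood = @('whatever.exe')   # placeholder allowlist entry from the thread
$SubKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# On a 32-bit OS both views resolve to the same keys, so rows appear twice.
$Views = @([Microsoft.Win32.RegistryView]::Registry64,
           [Microsoft.Win32.RegistryView]::Registry32)

function Get-RunKeyEntry {
    param([string[]]$Exclude = @())
    foreach ($view in $Views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            foreach ($sub in $SubKeys) {
                $key = $base.OpenSubKey($sub)          # $null when the key is absent
                if ($null -eq $key) { continue }
                try {
                    foreach ($name in $key.GetValueNames()) {
                        # Keep %VAR% references unexpanded so the stored data is shown as written.
                        $data = [string]$key.GetValue($name, '',
                            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                        # Substring match mirrors "does not contain" in the thread; it is loose,
                        # so a full-path allowlist is the stricter choice for real filtering.
                        $isKnown = $false
                        foreach ($good in $Exclude) {
                            if ($data.IndexOf($good, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                                $isKnown = $true; break
                            }
                        }
                        if ($isKnown) { continue }
                        [pscustomobject]@{ View = $view; Key = "HKLM\$sub"; Name = $name; Data = $data }
                    }
                } finally { $key.Dispose() }
            }
        } finally { $base.Dispose() }
    }
}

Get-RunKeyEntry -Exclude $KnownGood | Sort-Object Key, Name, View | Format-Table -AutoSize
```

Rows that appear only under `Registry32` come from the `Wow6432Node` copy of the key, which is the view a 32-bit process sees by default on 64-bit Windows.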