Search entire Registry with specific Value name

I am trying to search the entire registry structure to get the registry key path of a value name that contains “cisco”, but in relevance it does not give me any results. I tried the options below but had no luck:

  1. values whose (name of it contains "Cisco") of keys of keys "/" of registries
  2. values whose (name of it contains "Cisco") of keys of keys "HKCU\SOFTWARE" of native registries
  3. values whose (name of it contains "Cisco") of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" of native registries

But I do get the desired result by providing a specific registry path as mentioned below. It can be different on all endpoints, so I want to search the entire registry in a way that gives me the exact key path.

values whose (name of it contains "Cisco") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32" of native registry

There is no built-in inspector to search the registry. You could instead create an Action to execute something like ‘reg.exe find’, save the results to a text file, and search the text results in an Analysis.

How different can the key be? Is it totally random, or one of a finite and known set?

If the latter, something along the lines of

q: (pathname of parent key of it, name of it, it) of values whose (name of it contains "test") of keys ("hklm\software\trn"; "hklm\software\trn\test"; "hklm\software\test\trn") of native registry
A: HKEY_LOCAL_MACHINE\software\trn, test, 1
A: HKEY_LOCAL_MACHINE\software\trn\test, test, 0
A: HKEY_LOCAL_MACHINE\software\test\trn, test, 0
A: HKEY_LOCAL_MACHINE\software\test\trn, bigtest, 1000000
I: plural ( string, string, registry key value )

might do the trick

There is no specific path to this value; it can be found anywhere in the registry. And I don't have any details about where the value can be found.

I had checked manually for the key, but the search did not find it and returned it as not found. But later, when I checked randomly on a few known keys, I was able to trace it. But it was a whole lot of manual work. So I am not sure if searching for it and putting it in an output file can give me the results.

Be very careful when searching the entire registry (or the entire file system), or anything that takes time. I had a co-worker who created a registry searching task that took longer than the polling period, causing systems to never complete their evaluation. The polling time was 1 hour; we recently increased it to two hours to avoid issues like that.

Check whether running ‘reg query’ manually can find what you’re looking for. If it does, we can help you to write a task around it.

1 Like
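
Added example, not part of the thread or any poster's code: a bounded search for value names containing a substring, written against the .NET registry API from PowerShell rather than reg.exe. It stops at a time budget (the concern raised above about evaluations outrunning the polling period) and writes its results to a text file; the roots, budget, output path and PowerShell 3.0+ are assumptions.

```powershell
# Added example: bounded search for registry value names containing a substring.
# Assumptions (not from the thread): roots, time budget, output path; PowerShell 3.0+.
param(
    [string]$Needle = 'cisco',
    [int]$BudgetSeconds = 300,
    [string]$OutFile = "$env:TEMP\registry-value-search.txt"  # hypothetical path
)

# Registry64 gives the native view even when the host process is 32-bit.
$view  = [Microsoft.Win32.RegistryView]::Registry64
$roots = @(
    @{ Hive = [Microsoft.Win32.RegistryHive]::LocalMachine; Sub = 'SOFTWARE' },
    # CurrentUser is the hive of whichever account runs the script.
    @{ Hive = [Microsoft.Win32.RegistryHive]::CurrentUser;  Sub = 'SOFTWARE' }
)
$timer    = [System.Diagnostics.Stopwatch]::StartNew()
$hits     = New-Object 'System.Collections.Generic.List[string]'
$timedOut = $false

foreach ($root in $roots) {
    $base  = [Microsoft.Win32.RegistryKey]::OpenBaseKey($root.Hive, $view)
    $stack = New-Object 'System.Collections.Generic.Stack[string]'
    $stack.Push($root.Sub)
    while ($stack.Count -gt 0) {
        # Stop cleanly instead of running past the time budget.
        if ($timer.Elapsed.TotalSeconds -ge $BudgetSeconds) { $timedOut = $true; break }
        $path = $stack.Pop()
        try { $key = $base.OpenSubKey($path) } catch { continue }  # e.g. access denied
        if ($null -eq $key) { continue }                           # key no longer exists
        try {
            foreach ($name in $key.GetValueNames()) {
                if ($name.IndexOf($Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    $hits.Add("$($key.Name)`t$name")
                }
            }
            foreach ($child in $key.GetSubKeyNames()) { $stack.Push("$path\$child") }
        } catch {
            # Key became unreadable mid-walk; skip it and keep going.
        } finally {
            $key.Close()
        }
    }
    $base.Close()
    if ($timedOut) { break }
}

# First line records whether the walk finished, so a partial result is not read as "not found".
$status = if ($timedOut) { 'INCOMPLETE' } else { 'COMPLETE' }
@("status`t$status") + $hits.ToArray() | Set-Content -Path $OutFile -Encoding UTF8
```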

I was able to execute this task by simply keeping it as it is: the key will be updated in this path “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32”, and I just add the disable value data. Even if it is not present, it will create the key, and the status changes from Enable to Disable.

Thanks a lot everyone for their valuable suggestions.