I am trying to search the entire registry structure to get the registry key path of a value name that contains "cisco", but in relevance it does not give me any results. Below are the options I tried, but no luck:
values whose (name of it contains "Cisco") of keys of keys "/" of registries
values whose (name of it contains "Cisco") of keys of keys "HKCU\SOFTWARE" of native registries
values whose (name of it contains "Cisco") of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" of native registries
But I do get the desired result by providing a specific registry path, as mentioned below. It can be different on all endpoints, so I want to search the entire registry, which should give me the exact key path.
values whose (name of it contains "Cisco") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32" of native registry
There is no built-in inspector to search the registry. You could instead create an Action to execute something like ‘reg.exe find’, save the results to a text file, and search the text results in an Analysis.
I had checked manually for the key, but it did not search and returned as not found. But later, when I checked randomly on a few known keys, I was able to trace it. But it was a whole lot of manual work. So I am not sure if searching for it and putting it in an output file can give me the results.
Be very careful when searching the entire registry (or the entire file system), or doing anything that takes time. I had a co-worker who created a registry searching task that took longer than the polling period, causing systems to never complete their evaluation. The polling time was 1 hour; we recently increased it to two hours to avoid issues like that.
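The two suggestions above (run the search from an Action and write the hits to a text file; keep the search from running too long) can be combined as in the following added example, which is not from any poster in this thread. The function name, the starting subkey, the 60-second budget and the output file name are assumptions chosen for illustration.

```powershell
# Added example: time-bounded search for registry value names containing a substring.
# Function name, default subkey, time budget and output path are illustrative assumptions.
function Find-RegistryValueName {
    param(
        [string]$SubKey  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer',
        [string]$Pattern = 'Cisco',
        [int]$MaxSeconds = 60
    )
    $clock = [System.Diagnostics.Stopwatch]::StartNew()
    # Registry64 view: a 32-bit process is not redirected to WOW6432Node.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    $stack = New-Object 'System.Collections.Generic.Stack[string]'
    $stack.Push($SubKey)
    while ($stack.Count -gt 0) {
        # Stop early instead of overrunning the evaluation window.
        if ($clock.Elapsed.TotalSeconds -ge $MaxSeconds) {
            Write-Warning "Time budget of $MaxSeconds s reached; results are partial."
            break
        }
        $path = $stack.Pop()
        try { $key = $base.OpenSubKey($path) } catch { continue }  # e.g. access denied
        if ($null -eq $key) { continue }
        try {
            foreach ($name in $key.GetValueNames()) {
                if ($name.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{ KeyPath = "HKEY_LOCAL_MACHINE\$path"; ValueName = $name }
                }
            }
            # Queue child keys; an explicit stack avoids deep recursion.
            foreach ($child in $key.GetSubKeyNames()) { $stack.Push("$path\$child") }
        } finally { $key.Close() }
    }
    $base.Close()
}

# One "key path <TAB> value name" line per hit, for a later text search of the file.
$out  = Join-Path $env:TEMP 'cisco_regvalues.txt'   # hypothetical output location
$hits = @(Find-RegistryValueName | ForEach-Object { "$($_.KeyPath)`t$($_.ValueName)" })
Set-Content -Path $out -Value $hits
```

Starting from the narrowest subkey that is known to contain the value keeps the run time well inside the time budget; widening `-SubKey` to all of `SOFTWARE` increases the cost accordingly.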
I was able to execute this task by simply keeping it as it is: the key will be updated in this path, "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32", and I just add the disable value data. Even if it is not present, it will create the key, and the status changes from Enable to Disable.
Thanks a lot everyone for their valuable suggestions.