Search for .lnk file in registry key

Hello,

I’m trying to find a .lnk file in the registry path “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon”

I tried the following but it doesn’t work:
exists file “abc.lnk” whose (value “Userinit” of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon” of native registry)

Could someone please help?

Thank you,
Jennifer

What does the registry key look like? Is the .lnk reference a value, or a value name?


I believe it’s a file. Userinit is the key value name and we want to detect if its value data has been updated to a .lnk file.

Ok, then. I’m back on a PC now and can check it.

First, the key name is “Microsoft\Windows NT”, not “Microsoft\Windows”.

We can get the value of Userinit via

Q: values "Userinit" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of native registry
A: C:\Windows\system32\userinit.exe,

Mine ends with a comma. It looks to me like it could have multiple values, separated by commas. So I’ll try to split them on commas, but you may need to validate whether my assumption here is correct (do you have any with multiple files in the value?)

Q: substrings separated by "," of (it as string) of values "Userinit" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of native registry
A: C:\Windows\system32\userinit.exe
A:
T: 1573

Now I can do a couple of checks. Do any of these values end with .lnk ?

Q: exists it whose (it as lowercase ends with ".lnk") of substrings separated by "," of (it as string) of values "Userinit" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of native registry
A: False
T: 4026

If I want to find the file(s) associated with those values, I can retrieve them as well.

Q: (files (it) ) of substrings separated by "," of (it as string) of values "Userinit" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of native registry
A: "userinit.exe" "10.0.18362.1" "Userinit Logon Application" "10.0.18362.1 (WinBuild.160101.0800)" "Microsoft Corporation"
T: 10155

Now that I’ve found the file(s), I can pull any other file properties…

Q: (pathname of it, modification time of it) of (files (it) ) of substrings separated by "," of (it as string) of values "Userinit" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of native registry
A: C:\Windows\system32\userinit.exe, ( Mon, 18 Mar 2019 22:45:22 -0600 )
T: 10468
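The same Userinit check done in PowerShell, added here as an example that is not part of the thread above. It assumes the Winlogon key exists and that a bare file name in the value (no directory) resolves under System32, the way the Q/A lines above resolved "userinit.exe".

```powershell
# Added example (not from the thread): reads the Winlogon Userinit value, splits it
# on commas like the relevance above, and flags any entry that points at a .lnk file.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-UserinitEntries {
    # The raw value normally reads "C:\Windows\system32\userinit.exe," (trailing comma),
    # so drop empty pieces and any surrounding quotes after splitting.
    $raw = (Get-ItemProperty -Path $KeyPath -Name 'Userinit').Userinit
    $raw -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ -ne '' }
}

function Test-UserinitEntry {
    param([string]$Entry)
    # Assumption: a bare name such as "userinit.exe" is looked up under System32,
    # so the file's properties can still be inspected.
    $path = if ([System.IO.Path]::IsPathRooted($Entry)) { $Entry }
            else { Join-Path $env:SystemRoot ("System32\" + $Entry) }
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Entry        = $Entry
        ResolvedPath = $path
        IsShortcut   = ([System.IO.Path]::GetExtension($Entry).ToLower() -eq '.lnk')
        Exists       = [bool]$file
        Modified     = if ($file) { $file.LastWriteTime } else { $null }
        Signer       = if ($file) { (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject } else { $null }
    }
}

$results = Get-UserinitEntries | ForEach-Object { Test-UserinitEntry -Entry $_ }
$results | Format-Table -AutoSize

# A .lnk entry, or an entry whose file is missing, is worth a closer look.
if ($results | Where-Object { $_.IsShortcut -or -not $_.Exists }) {
    Write-Warning 'Userinit references a .lnk or missing file; review this value.'
}
```

On a clean machine the output is a single row for userinit.exe with IsShortcut False and a Microsoft signer; the Signer column helps tell a replaced binary from a renamed shortcut when the extension check alone is not enough.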

This was exactly what I wanted! I hadn’t thought about the comma meaning it could have multiple values. Thank you so much, Jason. It worked perfectly.