Search for Registry Key given part of the name

Hi,
I need to look for the presence of certain registry keys under:
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList". The SIDs share a pattern in naming but are not all the same. I need to search for part of the SID name and return a T or F value. Something like:
exists key who contains "S-1-5-21-0123456789-1234567890-2345678901"
I have tried:
Q: value of "ProfileImagePath" of keys "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of keys whose (name of it starts with "S-1-5-21-0123456789-1234567890-2345678901") of key "HKLM" of native registry as string
E: The operator “value” is not defined.

Hi @jasonrw, does this meet your needs?

Q: exists keys whose (name of it is "S-1-5-18") of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: True
T: 0.297 ms
I: singular boolean

Q: values "ProfileImagePath" of keys whose (name of it is "S-1-5-18") of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: %25systemroot%25\system32\config\systemprofile%00
T: 0.188 ms
I: plural registry key value

Hello,

This is what I tried.
Q: exists keys whose (name of it is "S-1-5-21") of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: False
T: 0.413 ms

The key "S-1-5-21-0123456789-1234567890-2345678901-1001" exists on my test machine but it is not found.
Thanks!

Given that it is not the entire SID you’re searching for, then modify ‘is’ to ‘starts with’ as in:

exists keys whose (name of it starts with "S-1-5-21") of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry

-Gus

1 Like

Completely agree with @gus

The reason your original query failed is because there is no key with the exact name "S-1-5-21" under the ProfileList path. All actual profile keys start with "S-1-5-21" but contain additional SID parts.

I reproduced this on my device and confirmed the logic step-by-step:

//Check if a well-known SID exists (Exact Match):
Q: exists keys whose (name of it is "S-1-5-20") of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: True
T: 7.574 ms

// List all profile SIDs that begin with `S-1-5-`:
Q: names of keys whose (name of it starts with "S-1-5-") of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: S-1-5-18
A: S-1-5-19
A: S-1-5-20
A: S-1-5-21-1893938050-575629652-5522801-1129700
A: S-1-5-21-1893938050-575629652-5522801-1319852
A: S-1-5-21-1893938050-575629652-5522801-1329356
A: S-1-5-21-1893938050-575629652-5522801-1336382
A: S-1-5-21-1893938050-575629652-5522801-597741
A: S-1-5-21-932548634-1059350607-2898515770-1000
A: S-1-5-21-932548634-1059350607-2898515770-1002
A: S-1-5-21-932548634-1059350607-2898515770-500
T: 7.097 ms

//Check if exact key `"S-1-5-21"` exists:
Q: exists keys whose (name of it is "S-1-5-21") of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: False
T: 4.121 ms

//Try listing `"S-1-5-21"` by exact name:
Q: names of keys whose (name of it is "S-1-5-21") of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
T: 2.683 ms

// List all keys that start with `"S-1-5-21"`:
Q: names of keys whose (name of it starts with "S-1-5-21") of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: S-1-5-21-1893938050-575629652-5522801-1129700
A: S-1-5-21-1893938050-575629652-5522801-1319852
A: S-1-5-21-1893938050-575629652-5522801-1329356
A: S-1-5-21-1893938050-575629652-5522801-1336382
A: S-1-5-21-1893938050-575629652-5522801-597741
A: S-1-5-21-932548634-1059350607-2898515770-1000
A: S-1-5-21-932548634-1059350607-2898515770-1002
A: S-1-5-21-932548634-1059350607-2898515770-500
T: 1.753 ms

//Check if a specific SID exists:
Q: exists keys whose (name of it is "S-1-5-21-1893938050-575629652-5522801-1129700") of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
A: True
T: 0.416 ms

That worked! Thanks!

This is great. Thanks. Would it be possible to display the value of “ProfileImagePath” that would be attached to the found SIDs?

“Value of “ProfileImagePath” as string of keys whose…”

@jasonrw does this meet your needs?

(names of it, values "ProfileImagePath" of it) of keys whose (name of it starts with "S-1-5-21") of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry
1 Like

Here we go:

//if you are only interested in profileimagepath then:
Q: if exists keys whose (name of it is "S-1-5-21-1893938050-575629652-5522801-1129700") of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry then value "ProfileImagePath" of keys whose (name of it is "S-1-5-21-1893938050-575629652-5522801-1129700") of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry as string else "N/A"
A: C:\Users\svcwk%00
T: 2.100 ms

//you can also get both of them
Q: if exists key "S-1-5-21-1893938050-575629652-5522801-1129700" of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry and exists value "ProfileImagePath" of key "S-1-5-21-1893938050-575629652-5522801-1129700" of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry then ((name of it as string & " || " & value "ProfileImagePath" of it as string) of key "S-1-5-21-1893938050-575629652-5522801-1129700" of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry as string) else "N/A"
A: S-1-5-21-1893938050-575629652-5522801-1129700 || C:\Users\svcwk%00
T: 0.424 ms
2 Likes

I think this is just a matter of referring to value "x" of key instead of value of "x" of key
Try

values "ProfileImagePath" of keys whose (name of it starts with "S-1-5-21-0123456789-1234567890-2345678901") of keys "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of native registry as string
1 Like

That works great. Thank you.

Fantastic! Thank you, appreciated.

I think I get what you mean. Just translating that into relevance is tricky for me.

1 Like
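
An added example, not part of any post in this thread: the `starts with` prefix matching used above, modelled in Python on constructed key names, showing that a domain prefix without a trailing hyphen also matches a different domain whose last sub-authority begins with the same digits. The SIDs and the helper names (`split_sid`, `naive_prefix`, `delimited_prefix`, `in_domain`, `report`) are assumptions made for illustration; in relevance the equivalent safeguard is to end the `starts with` string with `-`.

```python
import re

# Constructed sample: key names as they could appear under ProfileList.
# DOMAIN is a made-up domain SID; the last entry belongs to a different
# made-up domain whose final sub-authority begins with the same digits.
DOMAIN = "S-1-5-21-1111111111-2222222222-333333333"
PROFILE_KEYS = [
    "S-1-5-18",
    "S-1-5-21-1111111111-2222222222-333333333-500",
    "S-1-5-21-1111111111-2222222222-333333333-1001",
    "S-1-5-21-1111111111-2222222222-3333333331-1104",
]

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def split_sid(name):
    """Return the hyphen-separated components of a SID string, or None."""
    return name.split("-") if SID_RE.fullmatch(name) else None


def naive_prefix(keys, prefix):
    """What `name of it starts with "<prefix>"` selects."""
    return [k for k in keys if k.startswith(prefix)]


def delimited_prefix(keys, domain):
    """Same test with the prefix closed by '-', so a component cannot run on."""
    return [k for k in keys if k.startswith(domain + "-")]


def in_domain(keys, domain):
    """Component-wise check: key is the domain SID plus exactly one RID."""
    dom = split_sid(domain)
    if dom is None:
        raise ValueError("not a SID: %r" % domain)
    return [k for k in keys if (split_sid(k) or [])[:-1] == dom]


def report(keys, domain):
    """Keys the bare prefix matches that do not belong to the domain."""
    return sorted(set(naive_prefix(keys, domain)) - set(in_domain(keys, domain)))


if __name__ == "__main__":
    print("bare prefix :", naive_prefix(PROFILE_KEYS, DOMAIN))
    print("with '-'    :", delimited_prefix(PROFILE_KEYS, DOMAIN))
    print("false hits  :", report(PROFILE_KEYS, DOMAIN))
```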