Searching a registry key branch

(imported topic written by BenKus)

A question came up on how to search a registry key branch for a specific key or value. There is no "descendants of" inspector, but you can approximate it if you know how many levels you want to search…

For instance, if you want to search for a value name “test” in the BigFix registry key, you can do this:

q: (name of it, it) of values whose (name of it as lowercase contains "test") of (it; keys of it; keys of keys of it; keys of keys of keys of it) of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix" of registry

This will search 3 levels deep, to search 4 levels deep, add a “;keys of keys of keys of keys of it” in the parenthesis.

Note that it is hard to return a full “registry key path” because the registry APIs from Microsoft don’t really make this information accessible. Note also that this approach can get very slow if you check many levels deep and there is a big registry “tree”. For instance searching “HKLM\Software” for 3 levels deep will be a CPU intensive operation that will take a while.

Here are some other examples:

Search for a reg key with “test” in the keyname and search 3 keys deep from the BigFix reg key (true/false):

q: exists it whose (name of it as lowercase contains "settings") of (it; keys of it; keys of keys of it; keys of keys of keys of it) of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix" of registry

Search for a reg value with “testdata” in the value data and search 3 keys deep from the BigFix reg key (return name/value pair):

q: (name of it, it) of values whose (it as string as lowercase contains "testdata") of (it; keys of it; keys of keys of it; keys of keys of keys of it) of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix" of registry

Hope that helps,

Ben

(imported comment written by npeters91)

Thanks Ben!

This is helpful

How would I return the key where the value was found?

Or even the whole key path if possible.

Thanks!

Nathan

(imported comment written by SystemAdmin)

Did someone get an answer to this question?

How would I return the key where the value was found?

Or even the whole key path if possible.

(imported comment written by jessewk)

You can return the name of the key by moving the whose clause around:

q: names of (it; keys of it; keys of keys of it; keys of keys of keys of it) whose (exist value whose (it as string as lowercase contains "testdata") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix" of registry

You cannot return the full path. This is a capability we have tried to support for years, but it is not feasible for technical reasons. See the extended discussion here:

http://forum.bigfix.com/viewtopic.php?id=1149

(imported comment written by russnuck91)

I found this relevance works great for returning a single value from a branch, but I am trying to return multiple values that exist under the same branch deeper than one layer.

e.g.

ProductName

SerialNumber

etc.

etc.

I know how to return multiple values for each branch if it is the parent of the branches being queried (same as the Installed Applications - Windows retrieved property).

(imported comment written by BenKus)

Maybe something like this:

(value "ProductName" of it, value "SerialNumber" of it) of it whose (exists value "ProductName" of it AND exists value "SerialNumber" of it) of (it; keys of it; keys of keys of it; keys of keys of keys of it) of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix" of registry

Ben

(imported comment written by russnuck91)

Awesome that worked great, good to know I was pretty close. Now I just have to concatenate and figure the cases where the value might not exist.
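As an added example (not part of the thread), this extends Ben's last query to the two points left open above: each value is wrapped in an if/then/else so a key that has only one of the two values still produces a row instead of being dropped, and the key name and both values are concatenated into a single string per key. It assumes the same example branch "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix" and the value names ProductName and SerialNumber used in the thread; the "<missing>" placeholder is an arbitrary marker.

```relevance
q: (name of it & " | ProductName=" & (if exists value "ProductName" of it then value "ProductName" of it as string else "<missing>") & " | SerialNumber=" & (if exists value "SerialNumber" of it then value "SerialNumber" of it as string else "<missing>")) of (it; keys of it; keys of keys of it; keys of keys of keys of it) whose (exists value "ProductName" of it OR exists value "SerialNumber" of it) of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix" of registry
```

The same depth caveat from the first post applies: every extra "keys of" level multiplies the number of keys walked, so keep the branch narrow and the depth small.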