Nate Bondurant
12/01/2021, 10:19 PM

puffycid
12/02/2021, 12:07 AM
registry
table in regards to the issue about recursion
But it provides another table to query all the registry files and could be used to solve the issues above

seph
12/02/2021, 12:09 AM

puffycid
12/02/2021, 12:22 AM
registry
or new one?
I think adding it in the registry
or new one could be useful
the current registry
table is limited to logged-in accounts (and specific registry files)
so it's not able to query registry files of accounts not logged in, which is kind of a major limitation?
so adding a new table may be better?
I think raw registry parsing can also avoid any possible rootkits/malware installed on a system that can potentially intercept/interfere with registry API calls? when using osquery to investigate malicious activity
in addition, raw registry parsing provides a way to parse data that the registry API is not able to, such as Amcache.
there are many EDR/security/forensic/IR tools out there that can parse raw registry files
I think it would be great if osquery also had that capability
either through an implementation written from scratch or using a library
(just my two cents)