Nacho Rivera
11/24/2021, 4:05 PM
select * from registry where key='HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion' and name like '%Run%'
To check the values of HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, but it has a subkey as type, data is empty, and it does not include the values stored in that subkey ...

fritz
11/24/2021, 6:44 PM
osquery> SELECT key,name,type,data,mtime FROM registry WHERE key = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion' AND name LIKE '%Run%';
W1124 13:44:00.364002 5608 registry.cpp:528] CURRENT_USER hives are not queryable by osqueryd; query HKEY_USERS with the desired users SID instead
+-------------------------------------------------------------+-----------------+--------+------+------------+
| key                                                         | name            | type   | data | mtime      |
+-------------------------------------------------------------+-----------------+--------+------+------------+
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion | Run             | subkey |      | 1637471399 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion | RunNotification | subkey |      | 1634648734 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion | RunOnce         | subkey |      | 1637777695 |
+-------------------------------------------------------------+-----------------+--------+------+------------+

fritz
11/24/2021, 6:45 PM
Run, RunOnce, and RunNotification are the parent key directories, vs the actual subkeys or values

fritz
11/24/2021, 6:48 PM
SELECT path,name,type,data,mtime FROM registry WHERE path LIKE 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\%Run%\%%';

fritz
11/24/2021, 6:49 PM
W1124 13:44:00.364002 5608 registry.cpp:528] CURRENT_USER hives are not queryable by osqueryd; query HKEY_USERS with the desired users SID instead