registry
========

All of the Windows registry hives.

Platform support
----------------

Please be aware that some queries can only be run against certain platforms. Below is a list of the platforms that this query supports. Zercurity will automatically pause queries from running if errors are detected.

**Running a query against an unsupported platform will result in the following error:**

``no such table: registry``

- Windows

Table schema
------------

===== ====== ===========================================================
Name  Type   Description
===== ====== ===========================================================
key   TEXT   Name of the key to search for
path  TEXT   Full path to the value
name  TEXT   Name of the registry value entry
type  TEXT   Type of the registry value, or 'subkey' if item is a subkey
data  TEXT   Data content of registry value
mtime BIGINT Timestamp of the most recent registry write
===== ====== ===========================================================

Query examples
--------------

Get user SIDs. Note: ``path`` is ``key`` + ``name``.

.. code-block:: sql

    select path, key, name from registry where key = 'HKEY_USERS';

A SQL wildcard match; will not recurse subkeys.

.. code-block:: sql

    select path from registry where key like 'HKEY_USERS\.Default\%';

Recursing query (compare with the single ``%`` above).

.. code-block:: sql

    select path from registry where key like 'HKEY_USERS\.Default\Software\%%';

Midfix wildcard match.

.. code-block:: sql

    select path from registry where key like 'HKEY_LOCAL_MACHINE\Software\Micr%ft\%' and type = 'subkey' LIMIT 10;

Get users' current UI language. Note: osquery cannot reference ``HKEY_CURRENT_USER``.

.. code-block:: sql

    select name, type, data from registry where path like 'HKEY_USERS\%\Control Panel\International\User Profile\Languages';

List all of the desktop wallpapers.

.. code-block:: sql

    select name, type, data from registry where path like 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers\%';

Same, but filtering by ``key`` instead of ``path``.

.. code-block:: sql

    select name, type, data from registry where key like 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers';
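
Because ``HKEY_CURRENT_USER`` cannot be referenced, per-user settings have to be read through ``HKEY_USERS`` with a midfix wildcard in place of the SID. The query below is an added example, not part of the original documentation: it audits the standard per-user ``Run`` and ``RunOnce`` autostart keys and recovers the owning SID from ``key``. It assumes ``mtime`` is in Unix epoch seconds and that the SQLite functions ``substr``, ``instr`` and ``datetime`` are available.

```sql
-- Added example: per-user autostart audit across every loaded user hive.
-- Assumption: mtime is Unix epoch seconds (the schema only says "timestamp").
SELECT
  -- 'HKEY_USERS\' is 11 characters, so the SID starts at position 12 and
  -- runs up to the next backslash.
  substr(key, 12, instr(substr(key, 12), '\') - 1) AS sid,
  key,
  name,
  type,
  data,
  datetime(mtime, 'unixepoch') AS last_write_utc
FROM registry
WHERE (
        key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
     OR key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\RunOnce'
      )
  -- Keep value entries only; subkeys are reported with type = 'subkey'.
  AND type != 'subkey'
-- Most recently written keys first, so new entries surface at the top.
ORDER BY mtime DESC;
```

Filtering on ``key`` rather than ``path`` keeps the pattern anchored to the key itself, in the same way as the last wallpaper query.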