registry

All of the Windows registry hives.

Platform support

Please be aware that some queries can only be run against certain platforms. Below is the list of platforms this table supports. Zercurity will automatically pause a query if errors are detected. Running this query against an unsupported platform results in the following error: no such table: registry

  • Windows

Table schema

Name    Type    Description

key     TEXT    Name of the key to search for
path    TEXT    Full path to the value (key + '\' + name)
name    TEXT    Name of the registry value entry
type    TEXT    Type of the registry value, or 'subkey' if the item is a subkey
data    TEXT    Data content of the registry value
mtime   BIGINT  Unix timestamp of the most recent write to the key

Query examples

get user SIDs (each subkey of HKEY_USERS is a loaded user hive named by its SID). Note: path is key+name

select path, key, name from registry where key = 'HKEY_USERS';

a SQL wildcard match; a single % matches one level of subkeys and will not recurse further

select path from registry where key like 'HKEY_USERS\.Default\%';

recursive query: a double %% matches subkeys at any depth (compare with the single % above)

select path from registry where key like 'HKEY_USERS\.Default\Software\%%';

midfix wildcard match

select path from registry where key like 'HKEY_LOCAL_MACHINE\Software\Micr%ft\%' and type = 'subkey' LIMIT 10;

get users' current UI language. Note: osquery cannot reference HKEY_CURRENT_USER (the service has no per-user hive view); query the user's hive under HKEY_USERS\<SID> instead

select name, type, data from registry where path like 'HKEY_USERS\%\Control Panel\International\User Profile\Languages';

list all of the desktop wallpapers

select name, type, data from registry where path like 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers\%';

same, but filtering by key instead of path

select name, type, data from registry where key like 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers';
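Added example (not part of the Zercurity or osquery documentation): a persistence-hunting query that lists the autostart values under the Run key of every loaded user hive, extracts the SID from the key with plain SQLite string functions, and resolves it to a username through the users table, whose uuid column holds the SID on Windows. The Run key path and the join on users are assumptions about the host being queried; the 12-character offset follows from the 11-character 'HKEY_USERS\' prefix.

```sql
-- Added example: per-user Run-key autostart values across all loaded user hives.
-- 'HKEY_USERS\' is 11 characters, so the SID begins at character 12 of key;
-- instr() on the remainder finds the backslash that terminates the SID.
SELECT
  COALESCE(u.username, '<hive not mapped to a local user>') AS username,
  r.sid,
  r.name,
  r.type,
  r.data,
  datetime(r.mtime, 'unixepoch') AS key_modified
FROM (
  SELECT
    substr(key, 12, instr(substr(key, 12), '\') - 1) AS sid,
    name,
    type,
    data,
    mtime
  FROM registry
  -- single % stops at the SID level, so only each hive's Run key is read
  WHERE key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
    AND type != 'subkey'          -- keep values only, drop nested subkeys
) r
LEFT JOIN users u ON u.uuid = r.sid   -- users.uuid is the SID on Windows
ORDER BY r.mtime DESC;
```

HKEY_USERS only contains hives that are currently loaded (logged-on users plus the service accounts such as S-1-5-18), so users who are not logged on will not appear; pair this with the same query against HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for machine-wide autostarts, and substitute RunOnce for Run to cover the other well-known key. Sorting by mtime puts the most recently modified Run keys first, which is usually where a newly planted entry shows up.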