Attention
Zercurity has been acquired by JumpCloud.
This documentation will no longer be maintained or updated. You can read more about the acquisition, or sign up to JumpCloud today.
registry
All of the Windows registry hives.
Platform support
Please be aware that some queries can only be run against certain platforms. Below is the list of platforms this table supports. Zercurity will automatically pause a query if errors are detected. Running this query against an unsupported platform results in the following error: no such table: registry
- Windows
Table schema
Name | Type | Description |
---|---|---|
key | TEXT | Name of the key to search for |
path | TEXT | Full path to the value |
name | TEXT | Name of the registry value entry |
type | TEXT | Type of the registry value, or 'subkey' if the item is a subkey |
data | TEXT | Data content of the registry value |
mtime | BIGINT | Timestamp of the most recent registry write |
Query examples
Get user SIDs. Note: path is key plus name.
select path, key, name from registry where key = 'HKEY_USERS';
A SQL wildcard match; a single % matches one key level and does not recurse into subkeys.
select path from registry where key like 'HKEY_USERS\.Default\%';
Recursing query (compare with the single % above): %% matches subkeys at any depth.
select path from registry where key like 'HKEY_USERS\.Default\Software\%%';
Midfix wildcard match.
select path from registry where key like 'HKEY_LOCAL_MACHINE\Software\Micr%ft\%' and type = 'subkey' LIMIT 10;
Get users' current UI language. Note: osquery cannot reference HKEY_CURRENT_USER, so each user's hive is matched under HKEY_USERS instead.
select name, type, data from registry where path like 'HKEY_USERS\%\Control Panel\International\User Profile\Languages';
List all of the desktop wallpapers.
select name, type, data from registry where path like 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers\%';
Same, but filtering by key instead of path.
select name, type, data from registry where key like 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers';
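The single % versus %% behaviour used in the examples above, emulated in Python over a constructed list of key paths. This is an added illustration, not osquery's or Zercurity's code; the key names and the SID are made up, and the mapping of % to "one key level" and %% to "any depth" follows the descriptions given with the queries.

```python
import re

# Constructed sample of registry key paths (not real data) used to show how the
# registry table's LIKE patterns select keys.
SAMPLE_KEYS = [
    r"HKEY_USERS\.Default",
    r"HKEY_USERS\.Default\Software",
    r"HKEY_USERS\.Default\Software\Microsoft",
    r"HKEY_USERS\.Default\Software\Microsoft\Windows",
    r"HKEY_USERS\.Default\Control Panel",
    r"HKEY_USERS\.Default\Control Panel\International",
    r"HKEY_USERS\S-1-5-21-1000\Software",  # made-up SID
]


def registry_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a registry LIKE pattern into a regular expression.

    '%%' matches any text including backslashes (recurses into subkeys),
    a single '%' matches anything except a backslash (exactly one key level),
    and every other character is literal. Registry names are case-insensitive,
    so the match is too.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("%%", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "%":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def match_keys(pattern: str, keys=SAMPLE_KEYS) -> list:
    """Return the keys the pattern would select, in hive order."""
    rx = registry_pattern_to_regex(pattern)
    return [k for k in keys if rx.match(k)]


def split_path(path: str) -> tuple:
    """Recover (key, name) from a 'path' value, since path is key plus name."""
    key, _, name = path.rpartition("\\")
    return key, name
```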