registry

All of the Windows registry hives.

Table schema

Name   Type    Description
key    TEXT    Name of the key to search for
path   TEXT    Full path to the value
name   TEXT    Name of the registry value entry
type   TEXT    Type of the registry value, or 'subkey' if the item is a subkey
data   TEXT    Data content of the registry value
mtime  BIGINT  Timestamp of the most recent registry write

Query examples

get user SIDs. Note: path is key + name

select path, key, name from registry where key = 'HKEY_USERS';

a SQL wildcard match; will not recurse subkeys

select path from registry where key like 'HKEY_USERS\.Default\%';

recursive query: a double %% descends into subkeys (compare with the single % above)

select path from registry where key like 'HKEY_USERS\.Default\Software\%%';

midfix wildcard match

select path from registry where key like 'HKEY_LOCAL_MACHINE\Software\Micr%ft\%' and type = 'subkey' LIMIT 10;

get users' current UI language. Note: osquery cannot reference HKEY_CURRENT_USER; address a user's hive through HKEY_USERS\<SID> instead

select name, type, data from registry where path like 'HKEY_USERS\%\Control Panel\International\User Profile\Languages';

list all of the desktop wallpapers

select name, type, data from registry where path like 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers\%';

same, but filtering by key instead of path

select name, type, data from registry where key like 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers';
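The same key-versus-path conventions applied to a monitoring use case, as an added example that is not part of the osquery documentation: list autostart ("Run") entries for every user hive and for the machine. It assumes, as in other osquery tables, that mtime is Unix epoch seconds, so datetime() can render it.

```sql
-- Added example (not from the osquery docs): audit autostart entries.
-- Per-user Run keys live under each user's own hive, so, as with the
-- wallpaper query above, HKEY_USERS\<SID> is addressed through a wildcard
-- rather than HKEY_CURRENT_USER.  A single trailing % on path lists the
-- values directly under the key without recursing; type != 'subkey'
-- keeps only value entries.
select
  path,                                       -- key + name
  name,
  type,
  data,                                       -- command line that autostarts
  datetime(mtime, 'unixepoch') as last_write  -- assumes mtime is Unix seconds
from registry
where path like 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run\%'
  and type != 'subkey';

-- Machine-wide entries: filter on key instead of path.  The trailing %
-- is a wildcard like the midfix example above, so the pattern also
-- covers RunOnce, still without recursing into subkeys.
select key, name, data, datetime(mtime, 'unixepoch') as last_write
from registry
where key like 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run%'
  and type != 'subkey';
```

Scheduling either query and diffing results over time surfaces newly added or modified autostart values; last_write shows when the value was last written.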