# registry

All of the Windows registry hives.
## Platform support

Some queries can only be run against certain platforms. The platforms this table supports are listed below. Zercurity will automatically pause a query from running if errors are detected. Running this query against an unsupported platform results in the following error: `no such table: registry`

- Windows
## Table schema

| Name | Type | Description |
|---|---|---|
| key | TEXT | Name of the key to search for |
| path | TEXT | Full path to the value |
| name | TEXT | Name of the registry value entry |
| type | TEXT | Type of the registry value, or `subkey` if the item is a subkey |
| data | TEXT | Data content of the registry value |
| mtime | BIGINT | Timestamp of the most recent registry write |
## Query examples

```sql
-- get user SIDs. Note: path is key+name
select path, key, name from registry where key = 'HKEY_USERS';

-- a SQL wildcard match; a single % will not recurse into subkeys
select path from registry where key like 'HKEY_USERS\.Default\%';

-- recursive query (compare with the single % above): %% descends into all subkeys
select path from registry where key like 'HKEY_USERS\.Default\Software\%%';

-- midfix wildcard match
select path from registry where key like 'HKEY_LOCAL_MACHINE\Software\Micr%ft\%' and type = 'subkey' LIMIT 10;

-- get users' current UI language. Note: osquery cannot reference HKEY_CURRENT_USER,
-- so enumerate per-user hives under HKEY_USERS instead
select name, type, data from registry where path like 'HKEY_USERS\%\Control Panel\International\User Profile\Languages';

-- list all of the desktop wallpapers
select name, type, data from registry where path like 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers\%';

-- same, but filtering by key instead of path
select name, type, data from registry where key like 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers';
```
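The examples above show how `key`, `path` and the single- versus double-`%` wildcards relate. The following query is an added example, not one from the original page or from osquery's own documentation: it combines the per-user `HKEY_USERS\%` enumeration (since `HKEY_CURRENT_USER` cannot be referenced) with the `mtime` column to list autostart values under each user's well-known `...\CurrentVersion\Run` key that were written in the last 24 hours, which is a common starting point when reviewing a host for recently added persistence. It assumes `mtime` is a Unix-epoch timestamp in seconds (the schema only says "timestamp") and the 24-hour window is an arbitrary choice.

```sql
-- Added example (not from the original page): recently written per-user
-- autostart values. The Run key is a well-known Windows autostart location;
-- HKEY_USERS\% expands to one level, i.e. each user SID hive.
-- Assumption: mtime is Unix-epoch seconds, so it can be compared against
-- SQLite's strftime('%s', 'now'). The 86400-second (24h) window is arbitrary.
select
  path,                                   -- key + name of the value
  name,
  type,
  data,                                   -- command line that runs at logon
  datetime(mtime, 'unixepoch') as modified_utc
from registry
where key like 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
  and type != 'subkey'                    -- values only, skip nested keys
  and mtime > cast(strftime('%s', 'now') as integer) - 86400
order by mtime desc;
```

Because `HKEY_USERS\%` is a single-level wildcard, the query touches only the `Run` key directly beneath each loaded user hive; swap the trailing `Run` for `Run\%%` if you also want to recurse into any subkeys beneath it, following the `%%` convention shown in the examples above.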