osquery-1/specs/windows/registry.table

table_name("registry")
description("All of the Windows registry hives.")
schema([
    Column("key", TEXT, "Name of the key to search for", additional=True),
    Column("path", TEXT, "Full path to the value", index=True),
    Column("name", TEXT, "Name of the registry value entry"),
    Column("type", TEXT, "Type of the registry value, or 'subkey' if item is a subkey"),
    Column("data", TEXT, "Data content of registry value"),
    Column("mtime", BIGINT, "timestamp of the most recent registry write"),
])
implementation("system/windows/registry@genRegistry")
examples([
  "select path, key, name from registry where key = 'HKEY_USERS'; -- get user SIDS. Note: path is key+name",
  "select path from registry where key like 'HKEY_USERS\\.Default\\%'; -- a SQL wildcard match; will not recurse subkeys",
  "select path from registry where key like 'HKEY_USERS\\.Default\\Software\\%%'; -- recursing query (compare with 1 %)",
  "select path from registry where key like 'HKEY_LOCAL_MACHINE\\Software\\Micr%ft\\%' and type = 'subkey' LIMIT 10; -- midfix wildcard match",
  "select name, type, data from registry where path like 'HKEY_USERS\\%\\Control Panel\\International\\User Profile\\Languages'; -- get users' current UI language. Note: osquery cannot reference HKEY_CURRENT_USER",
  "select name, type, data from registry where path like 'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpapers\\%';  -- list all of the desktop wallpapers",
  "select name, type, data from registry where key like 'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpapers'; -- same, but filtering by key instead of path",
])
Adding the windows registry virtual table (#2356) 2016-08-16 19:37:53 +00:00			`table_name("registry")`
			`description("All of the Windows registry hives.")`
			`schema([`
Allow querying Windows Registry by 'path' column (#3270) 2017-05-11 17:29:59 +00:00			`Column("key", TEXT, "Name of the key to search for", additional=True),`
			`Column("path", TEXT, "Full path to the value", index=True),`
Adding the windows registry virtual table (#2356) 2016-08-16 19:37:53 +00:00			`Column("name", TEXT, "Name of the registry value entry"),`
Refactoring Windows Registry table to be more like the file table (#3073) 2017-03-17 19:47:11 +00:00			`Column("type", TEXT, "Type of the registry value, or 'subkey' if item is a subkey"),`
Adding the windows registry virtual table (#2356) 2016-08-16 19:37:53 +00:00			`Column("data", TEXT, "Data content of registry value"),`
			`Column("mtime", BIGINT, "timestamp of the most recent registry write"),`
			`])`
			`implementation("system/windows/registry@genRegistry")`
			`examples([`
Add examples of Windows registry virtual table (#3597) 2017-08-23 00:28:56 +00:00			`"select path, key, name from registry where key = 'HKEY_USERS'; -- get user SIDS. Note: path is key+name",`
Move build system to BUCK fbshipit-source-id: 8ffef5e6a393ac67ce56dcb74845402e43d964a0 2018-09-21 18:54:31 +00:00			`"select path from registry where key like 'HKEY_USERS\\.Default\\%'; -- a SQL wildcard match; will not recurse subkeys",`
			`"select path from registry where key like 'HKEY_USERS\\.Default\\Software\\%%'; -- recursing query (compare with 1 %)",`
			`"select path from registry where key like 'HKEY_LOCAL_MACHINE\\Software\\Micr%ft\\%' and type = 'subkey' LIMIT 10; -- midfix wildcard match",`
			`"select name, type, data from registry where path like 'HKEY_USERS\\%\\Control Panel\\International\\User Profile\\Languages'; -- get users' current UI language. Note: osquery cannot reference HKEY_CURRENT_USER",`
			`"select name, type, data from registry where path like 'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpapers\\%'; -- list all of the desktop wallpapers",`
			`"select name, type, data from registry where key like 'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpapers'; -- same, but filtering by key instead of path",`
Adding the windows registry virtual table (#2356) 2016-08-16 19:37:53 +00:00			`])`