Hi I am trying to get the values associated to a windows reg

Question

Hi I am trying to get the values associated to a windows registry subkey for example `select from registry where key= HKEY CURRENT USER Software Microsoft Windows CurrentVersion and name like Run ` To check the values of `HKEY CURRENT USER Software Microsoft Windows CurrentVersion Run` but having a subkey as `type` `data` is empty and does not include values stored in that subkey

fritz · Answer

< Nacho Rivera> you need to descend into the various directories below CurrentVersion if you want to read their contents

fritz · Answer

When you see values that are empty it is because you are seeing folders not actual keys

fritz · Answer

fritz · Answer

`Run` `RunOnce` and `RunNotification` are the parent key directories vs the actual subkeys or values

fritz · Answer

Recursive searching on the registry is not the best but you can accomplish it with workarounds at times in this case it is fine because these directories do not contain subdirectories If you wanted the contents of all keys in all three of those directories you could run something like ```SELECT path name type data mtime FROM registry WHERE path LIKE HKEY CURRENT USER Software Microsoft Windows CurrentVersion Run ```

fritz · Answer

Additionally you should take note of the error produced when querying the HKCU hive `W1124 13 44 00 364002 5608 registry cpp 528 CURRENT USER hives are not queryable by osqueryd query HKEY USERS with the desired users SID instead`

fritz · Answer

If you are querying these things using a fleet manager osqueryd you will need to rework your query to instead query the users hive