uberAgent

Registry Event Properties

July 9, 2024

Contributed by:

The following event properties can be used with registry events in uAQL queries (event type Reg.*). In addition to the properties listed here, the common properties are applicable, too. | Property name | uAQL Data Type | Description | Platform | | ———————– | —————- | ——————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————- | ——– | | Reg.Key.Path | String | The absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Not supported for Reg.Key.Rename. | Win | | Reg.Key.Name | String | The name of the registry key - the last path element of the full path (e.g., ^lmhosts$). Not supported for Reg.Key.Rename. | Win | | Reg.Parent.Key.Path | String | The absolute path to the parent key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services$). Not supported for Reg.Key.Rename. | Win | | Reg.Key.Path.New | String | The new absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Only supported for Reg.Key.Rename. | Win | | Reg.Key.Path.Old | String | The old absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Only supported for Reg.Key.Rename. | Win | | Reg.Value.Name | String | The name of a key property (e.g., RequiredPrivileges). | Win | | Reg.Value.Data | Number or String | The content written to the registry value. | Win | | Reg.Value.Type | Number | The numeric value representing the data-type of the content written to the registry value. Possible values: 0 = REG_NONE, 1 = REG_SZ, 2 = REG_EXPAND_SZ, 3 = REG_BINARY, 4 = REG_DWORD, 4 = REG_DWORD_LITTLE_ENDIAN, 5 = REG_DWORD_BIG_ENDIAN, 6 = REG_LINK, 7 = REG_MULTI_SZ, 8 = REG_RESOURCE_LIST, 9 = REG_FULL_RESOURCE_DESCRIPTOR, 10 = REG_RESOURCE_REQUIREMENTS_LIST, 11 = REG_QWORD, 11 = REG_QWORD_LITTLE_ENDIAN (cf. [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types)). | Win | | Reg.File.Name | String | A file path (e.g., C:\TempHive.hiv). Supported for Reg.Key.Load, Reg.Key.Restore, Reg.Key.Save, or Reg.Key.Replace. | Win | | Reg.Key.Sddl | String | The security descriptor (SD) of a registry key. | Win | | Reg.Key.Hive | String | The name of the Hive (e.g., HKLM). | Win | | Reg.Key.Target | String | The absolute path of the registry key. Takes Reg.Key.Path.Old or Reg.Key.Path and is thus never empty. | Win |

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Registry Event Properties

July 9, 2024

Contributed by:

July 9, 2024

Contributed by:

Registry Event Properties

In this article