uberAgent

Registry Event Properties

The following event properties can be used with registry events in uAQL queries (event type Reg.*). In addition to the properties listed here, the common properties are applicable, too.

| Property name | uAQL Data Type | Description | Platform |
| --- | --- | --- | --- |
| Reg.Key.Path | String | The absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Not supported for Reg.Key.Rename. | Win |
| Reg.Key.Name | String | The name of the registry key, i.e., the last path element of the full path (e.g., ^lmhosts$). Not supported for Reg.Key.Rename. | Win |
| Reg.Parent.Key.Path | String | The absolute path to the parent key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services$). Not supported for Reg.Key.Rename. | Win |
| Reg.Key.Path.New | String | The new absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Only supported for Reg.Key.Rename. | Win |
| Reg.Key.Path.Old | String | The old absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Only supported for Reg.Key.Rename. | Win |
| Reg.Value.Name | String | The name of a key property (e.g., RequiredPrivileges). | Win |
| Reg.Value.Data | String | The value is formatted to be compatible with Sysmon. **DWORD values** are formatted with a hexadecimal representation, for example: DWORD (0x00000001). **QWORD values** are shown in a range format, such as: QWORD (0x00000001-0x00000002). **Empty Strings** are denoted as: (Empty). **Binary Data** and **Multiline Strings**, including **Empty Multiline Strings**, are all represented as: Binary Data. **Regular Strings** remain unchanged. **Expandable Strings** have any percent (%) characters escaped, so %PATH% becomes %%PATH%%. | Win |
| Reg.Value.Data.Number | Number | Access to the non-formatted DWORD and QWORD registry values as a number. | Win |
| Reg.Value.Data.String | String | Access to the non-formatted registry value strings. | Win |
| Reg.Value.Type | Number | The numeric value represents the data type of the content written to the registry value. Possible values include: 0 = REG_NONE, 1 = REG_SZ, 2 = REG_EXPAND_SZ, 3 = REG_BINARY, 4 = REG_DWORD (= REG_DWORD_LITTLE_ENDIAN), 5 = REG_DWORD_BIG_ENDIAN, 6 = REG_LINK, 7 = REG_MULTI_SZ, 8 = REG_RESOURCE_LIST, 9 = REG_FULL_RESOURCE_DESCRIPTOR, 10 = REG_RESOURCE_REQUIREMENTS_LIST, 11 = REG_QWORD (= REG_QWORD_LITTLE_ENDIAN). For more details, see the [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types). | Win |
| Reg.EventType | String | The event type identifies the actual registry event. Possible values include: SetValue, DeleteValue, RenameKey, DeleteKey, CreateKey. | Win |
| Reg.File.Name | String | A file path (e.g., C:\TempHive.hiv). Supported for Reg.Key.Load, Reg.Key.Restore, Reg.Key.Save, or Reg.Key.Replace. | Win |
| Reg.Key.Sddl | String | The security descriptor (SD) of a registry key. | Win |
| Reg.Key.Hive | String | The name of the hive (e.g., HKLM). | Win |
| Reg.Key.Target | String | The absolute path of the registry key. Takes Reg.Key.Path.Old or Reg.Key.Path and is thus never empty. | Win |
| Reg.TargetObject | String | This property is either the full path to the registry key or the full path to the registry value. | Win |
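The following Python script is an added example, not uberAgent's code: it re-creates the Sysmon-compatible formatting rules the table gives for Reg.Value.Data, derives Reg.Key.Name, Reg.Parent.Key.Path and Reg.Key.Hive from Reg.Key.Path as the table defines them, and then evaluates the table's own lmhosts regular expression as a detection condition over constructed sample events. The event dictionaries, the `raw` field holding unformatted value data, and the order of the two 32-bit halves in the QWORD range (the page only shows the shape) are assumptions made for this example.

```python
"""Added example, not uberAgent's code: re-create the Sysmon-compatible
Reg.Value.Data formatting, derive the path-based properties, and run a
sample detection condition over constructed registry events."""
import re

# Numeric Reg.Value.Type values from the property table.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 3, 4, 7, 11


def format_value_data(value_type, data):
    """Return the Reg.Value.Data string for a raw registry value.

    Rules follow the table: DWORD as 8-digit hex, QWORD as two 32-bit
    halves (assumption: high half first; the page only shows the shape),
    empty strings as "(Empty)", binary and multi-line strings as
    "Binary Data", regular strings unchanged and '%' doubled in expandable
    strings. Types the page does not describe are rejected.
    """
    if value_type == REG_DWORD:
        return "DWORD (0x%08X)" % (data & 0xFFFFFFFF)
    if value_type == REG_QWORD:
        return "QWORD (0x%08X-0x%08X)" % ((data >> 32) & 0xFFFFFFFF, data & 0xFFFFFFFF)
    if value_type == REG_SZ:
        return data if data else "(Empty)"
    if value_type == REG_EXPAND_SZ:
        # Assumption: the "(Empty)" rule applies to empty expandable strings too.
        return data.replace("%", "%%") if data else "(Empty)"
    if value_type in (REG_BINARY, REG_MULTI_SZ):
        return "Binary Data"
    raise ValueError("formatting for Reg.Value.Type %r is not described" % value_type)


def enrich(event):
    """Fill in the properties the table derives from Reg.Key.Path."""
    ev = dict(event)
    parent, _, name = ev["Reg.Key.Path"].rpartition("\\")
    ev["Reg.Key.Name"] = name           # last path element
    ev["Reg.Parent.Key.Path"] = parent  # everything before it
    ev["Reg.Key.Hive"] = ev["Reg.Key.Path"].split("\\", 1)[0]
    if "Reg.Value.Type" in ev:          # key-only events carry no value data
        ev["Reg.Value.Data"] = format_value_data(ev["Reg.Value.Type"], ev["raw"])
    return ev


# The regular expression the table uses as its Reg.Key.Path example; the
# doubled backslashes escape the path separators for the regex engine.
LMHOSTS_KEY = re.compile(r"^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$")


def lmhosts_value_changes(events):
    """Constructed detection condition: value writes under the lmhosts service key."""
    return [e for e in map(enrich, events)
            if e["Reg.EventType"] == "SetValue" and LMHOSTS_KEY.match(e["Reg.Key.Path"])]


# Constructed sample events; "raw" holds the unformatted value data.
EVENTS = [
    {"Reg.EventType": "SetValue", "Reg.Key.Path": r"HKLM\SYSTEM\CurrentControlSet\Services\lmhosts",
     "Reg.Value.Name": "Start", "Reg.Value.Type": REG_DWORD, "raw": 4},
    {"Reg.EventType": "SetValue", "Reg.Key.Path": r"HKLM\SOFTWARE\ExampleVendor\ExampleApp",
     "Reg.Value.Name": "Path", "Reg.Value.Type": REG_EXPAND_SZ, "raw": r"%ProgramFiles%\ExampleApp"},
    {"Reg.EventType": "DeleteKey", "Reg.Key.Path": r"HKLM\SYSTEM\CurrentControlSet\Services\lmhosts"},
]

if __name__ == "__main__":
    for hit in lmhosts_value_changes(EVENTS):
        print(hit["Reg.Key.Name"], hit["Reg.Value.Name"], hit["Reg.Value.Data"])
```

Because uAQL matches Reg.Key.Path as a regular expression, a single backslash in the path must be written as two in the pattern, which is why the table's example reads HKLM\\SYSTEM. The enrichment step also shows why Reg.Key.Name and Reg.Parent.Key.Path are unavailable for Reg.Key.Rename: they are derived from one path, whereas a rename has an old and a new one.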
