Registry Event Properties
The following event properties can be used with registry events in uAQL queries (event type `Reg.*`). In addition to the properties listed here, the common properties are applicable, too.
| Property name | uAQL Data Type | Description | Platform |
| --- | --- | --- | --- |
| `Reg.Key.Path` | String | The absolute path of the registry key (e.g., `^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$`). Not supported for `Reg.Key.Rename`. | Win |
| `Reg.Key.Name` | String | The name of the registry key, i.e. the last path element of the full path (e.g., `^lmhosts$`). Not supported for `Reg.Key.Rename`. | Win |
| `Reg.Parent.Key.Path` | String | The absolute path to the parent key (e.g., `^HKLM\\SYSTEM\\.*ControlSet.*\\Services$`). Not supported for `Reg.Key.Rename`. | Win |
| `Reg.Key.Path.New` | String | The new absolute path of the registry key (e.g., `^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$`). Only supported for `Reg.Key.Rename`. | Win |
| `Reg.Key.Path.Old` | String | The old absolute path of the registry key (e.g., `^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$`). Only supported for `Reg.Key.Rename`. | Win |
| `Reg.Value.Name` | String | The name of a key property (e.g., `RequiredPrivileges`). | Win |
| `Reg.Value.Data` | String | The value is formatted to be compatible with Sysmon. **DWORD values** are formatted with a hexadecimal representation, for example: `DWORD (0x00000001)`. **QWORD values** are shown in a range format, such as: `QWORD (0x00000001-0x00000002)`. **Empty Strings** are denoted as: `(Empty)`. **Binary Data** and **Multiline Strings**, including **Empty Multiline Strings**, are all represented as: `Binary Data`. **Regular Strings** remain unchanged. **Expandable Strings** have any percent (`%`) characters escaped, so `%PATH%` becomes `%%PATH%%`. | Win |
| `Reg.Value.Data.Number` | Number | Access to the non-formatted `DWORD` and `QWORD` registry values as a number. | Win |
| `Reg.Value.Data.String` | String | Access to the non-formatted registry value strings. | Win |
| `Reg.Value.Type` | Number | The numeric value represents the data type of the content written to the registry value. Possible values include: `0` = REG_NONE, `1` = REG_SZ, `2` = REG_EXPAND_SZ, `3` = REG_BINARY, `4` = REG_DWORD, `4` = REG_DWORD_LITTLE_ENDIAN, `5` = REG_DWORD_BIG_ENDIAN, `6` = REG_LINK, `7` = REG_MULTI_SZ, `8` = REG_RESOURCE_LIST, `9` = REG_FULL_RESOURCE_DESCRIPTOR, `10` = REG_RESOURCE_REQUIREMENTS_LIST, `11` = REG_QWORD, `11` = REG_QWORD_LITTLE_ENDIAN. For more details, see the [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types). | Win |
| `Reg.EventType` | String | The Event Type identifies the actual registry event. Possible values include: `SetValue`, `DeleteValue`, `RenameKey`, `DeleteKey`, `CreateKey`. | Win |
| `Reg.File.Name` | String | A file path (e.g., `C:\TempHive.hiv`). Supported for `Reg.Key.Load`, `Reg.Key.Restore`, `Reg.Key.Save`, or `Reg.Key.Replace`. | Win |
| `Reg.Key.Sddl` | String | The security descriptor (SD) of a registry key. | Win |
| `Reg.Key.Hive` | String | The name of the hive (e.g., `HKLM`). | Win |
| `Reg.Key.Target` | String | The absolute path of the registry key. Takes `Reg.Key.Path.Old` or `Reg.Key.Path` and is thus never empty. | Win |
| `Reg.TargetObject` | String | This property is either the full path to the registry key or the full path to the registry value. | Win |
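The Sysmon-compatible rendering described for `Reg.Value.Data` matters when writing rules, because a regex on `Reg.Value.Data` sees the formatted string, not the raw bytes. The following is an added illustration, not the product's own code: it reproduces that rendering from a value type and raw little-endian bytes (the QWORD split into high and low 32-bit halves, high first, and `(Empty)` applying to both REG_SZ and REG_EXPAND_SZ are assumptions not stated on this page) and applies the page's `Reg.Key.Path` example regex to a constructed key path.

```python
import re
import struct

# Registry value type numbers as listed for Reg.Value.Type
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_MULTI_SZ, REG_QWORD = 5, 7, 11


def format_reg_value_data(value_type: int, raw: bytes) -> str:
    """Render raw value bytes the way Reg.Value.Data presents them."""
    if value_type == REG_DWORD:
        (n,) = struct.unpack("<I", raw)
        return f"DWORD (0x{n:08x})"
    if value_type == REG_DWORD_BIG_ENDIAN:
        (n,) = struct.unpack(">I", raw)
        return f"DWORD (0x{n:08x})"
    if value_type == REG_QWORD:
        # Assumption: range format is high DWORD, then low DWORD
        (n,) = struct.unpack("<Q", raw)
        return f"QWORD (0x{n >> 32:08x}-0x{n & 0xFFFFFFFF:08x})"
    if value_type in (REG_SZ, REG_EXPAND_SZ):
        # Registry strings are UTF-16LE with a trailing NUL
        text = raw.decode("utf-16-le").rstrip("\x00")
        if text == "":
            return "(Empty)"  # assumed to cover both string types
        if value_type == REG_EXPAND_SZ:
            return text.replace("%", "%%")  # %PATH% -> %%PATH%%
        return text
    # REG_BINARY, REG_MULTI_SZ (even when empty) and everything else
    return "Binary Data"


def key_path_matches(pattern: str, key_path: str) -> bool:
    """Apply a uAQL-style regex (as written in the table) to Reg.Key.Path."""
    return re.search(pattern, key_path) is not None


# Constructed sample event: a DWORD written under a service key
sample_event = {
    "Reg.EventType": "SetValue",
    "Reg.Key.Path": r"HKLM\SYSTEM\ControlSet001\Services\lmhosts",
    "Reg.Value.Name": "Start",
    "Reg.Value.Type": REG_DWORD,
    "raw": b"\x04\x00\x00\x00",
}
LMHOSTS_PATTERN = r"^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$"

if __name__ == "__main__":
    print(format_reg_value_data(sample_event["Reg.Value.Type"], sample_event["raw"]))
    print(key_path_matches(LMHOSTS_PATTERN, sample_event["Reg.Key.Path"]))
```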