Use Registry search to search for registry keys, names, or data that are potentially related to malware and other threats.
Field | Description
---|---
Key | Searches for key instances that match the value provided
Name | Searches for name instances that match the value provided
Data | Searches for data instances that match the value provided, based on these criteria:
A registry search investigation can include up to 128 search criteria.
Endpoint Sensor searches for threats in the Computer\HKEY_CURRENT_USER hive by enumerating the SIDs under HKEY_USERS\[SID], and then searching for specific locations.
For example, if the following registry key is specified:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes
Endpoint Sensor searches the following matching objects:
- HKEY_USERS\.default\software\microsoft\windows\currentversion\themes
- HKEY_USERS\(NT AUTHORITY/LOCAL SERVICE)s-1-5-19\software\microsoft\windows\currentversion\themes
- HKEY_USERS\(NT AUTHORITY/NETWORK SERVICE)s-1-5-20\software\microsoft\windows\currentversion\themes
- HKEY_USERS\s-1-5-21-329068152-1770027372-1177238915-1003\software\microsoft\windows\currentversion\themes
- HKEY_USERS\(VM_XP003/Administrator)s-1-5-21-329068152-1770027372-1177238915-500\software\microsoft\windows\currentversion\themes
- HKEY_USERS\(NT AUTHORITY/SYSTEM)s-1-5-18\software\microsoft\windows\currentversion\themes
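The following is an added example, not Endpoint Sensor's own code, showing the two mechanisms described on this page: how a search criterion given against HKEY_CURRENT_USER is expanded into one HKEY_USERS\[SID] path per enumerated SID, and how Key, Name and Data criteria (up to the stated limit of 128) are matched. The SID list, the in-memory registry and the value names are constructed sample data; the exact-match rule for keys and names and the substring rule for data are assumptions, since the page does not state the matching criteria.

```python
"""Added example (not Endpoint Sensor code): HKCU-to-HKEY_USERS expansion and a
minimal key/name/data matcher over a constructed in-memory registry."""
from typing import Dict, List, Tuple

MAX_CRITERIA = 128  # the page states an investigation may hold up to 128 criteria

# Constructed sample data: SIDs as they would be enumerated under HKEY_USERS.
SAMPLE_SIDS = [
    ".DEFAULT",
    "S-1-5-18",
    "S-1-5-19",
    "S-1-5-20",
    "S-1-5-21-329068152-1770027372-1177238915-1003",
]

# Constructed in-memory registry: full key path -> {value name: data}.
SAMPLE_REGISTRY: Dict[str, Dict[str, str]] = {
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes":
        {"CurrentTheme": r"C:\Windows\resources\Themes\aero.theme"},
    r"HKEY_USERS\S-1-5-21-329068152-1770027372-1177238915-1003\Software\Microsoft\Windows\CurrentVersion\Themes":
        {"CurrentTheme": r"C:\Users\alice\AppData\Local\Microsoft\Windows\Themes\custom.theme"},
    r"HKEY_USERS\S-1-5-21-329068152-1770027372-1177238915-1003\Software\Microsoft\Windows\CurrentVersion\Run":
        {"Updater": r"C:\Users\Public\updater.exe"},  # constructed suspicious autorun entry
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run":
        {"SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"},
}


def expand_hkcu(key_path: str, sids: List[str]) -> List[str]:
    """Rewrite an HKEY_CURRENT_USER path into one HKEY_USERS\\<SID> path per SID.

    Paths in other hives are returned unchanged. A leading "Computer\\" prefix,
    as shown in the Registry Editor, is stripped first.
    """
    if key_path.lower().startswith("computer\\"):
        key_path = key_path[len("Computer\\"):]
    hive, sep, rest = key_path.partition("\\")
    if hive.upper() not in ("HKEY_CURRENT_USER", "HKCU"):
        return [key_path]
    return ["HKEY_USERS\\" + sid + sep + rest for sid in sids]


def registry_search(criteria: List[Tuple[str, str]],
                    registry: Dict[str, Dict[str, str]],
                    sids: List[str]) -> List[Tuple[str, str, str]]:
    """Match a list of (field, value) criteria against the registry.

    field is "key", "name" or "data". Returns (key_path, value_name, data)
    tuples, in discovery order and without duplicates.
    Assumed rules: key and name compare case-insensitively and exactly;
    data matches on a case-insensitive substring.
    """
    if len(criteria) > MAX_CRITERIA:
        raise ValueError(f"at most {MAX_CRITERIA} search criteria are allowed")
    hits: List[Tuple[str, str, str]] = []

    def record(path: str, name: str, data: str) -> None:
        hit = (path, name, data)
        if hit not in hits:
            hits.append(hit)

    for field, value in criteria:
        kind = field.lower()
        if kind == "key":
            # HKCU criteria are searched under every enumerated SID.
            targets = {p.lower() for p in expand_hkcu(value, sids)}
            for path, values in registry.items():
                if path.lower() in targets:
                    for name, data in values.items():
                        record(path, name, data)
        elif kind == "name":
            for path, values in registry.items():
                for name, data in values.items():
                    if name.lower() == value.lower():
                        record(path, name, data)
        elif kind == "data":
            for path, values in registry.items():
                for name, data in values.items():
                    if value.lower() in data.lower():
                        record(path, name, data)
        else:
            raise ValueError(f"unknown field type: {field}")
    return hits


if __name__ == "__main__":
    themes = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes"
    for path in expand_hkcu(themes, SAMPLE_SIDS):
        print(path)
    for hit in registry_search([("key", themes), ("data", "updater.exe")],
                               SAMPLE_REGISTRY, SAMPLE_SIDS):
        print(hit)
```

Running the block prints the five expanded HKEY_USERS paths for the Themes key and then the matches: both profiles' Themes values and the constructed Run entry whose data contains `updater.exe`. The expansion is done per criterion rather than per profile, which is why one HKCU criterion can yield several hits on a multi-user machine.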