Registry Search

Use Registry search to search for registry keys, names, or data that are potentially related to malware and other threats.

Registry search requires the following details:

Table 1. Registry Search Requirements

Field   Description
Key     Searches for key instances that match the value provided
Name    Searches for name instances that match the value provided
Data    Searches for data instances that match the value provided, based on one of these criteria:
          • Contains
          • Does not contain
          • Exact match

Note: A registry search investigation can include up to 128 search criteria.

Endpoint Sensor searches for threats in the Computer\HKEY_CURRENT_USER hive by enumerating the SIDs under HKEY_USERS\[SID] and then searching the specified location under each of them.

For example, if the following registry key is specified:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes

Endpoint Sensor searches the following matching objects:

HKEY_USERS\.default\software\microsoft\windows\currentversion\themes

HKEY_USERS\(NT AUTHORITY/LOCAL SERVICE)s-1-5-19\software\microsoft\windows\currentversion\themes

HKEY_USERS\(NT AUTHORITY/NETWORK SERVICE)s-1-5-20\software\microsoft\windows\currentversion\themes

HKEY_USERS\s-1-5-21-329068152-1770027372-1177238915-1003\software\microsoft\windows\currentversion\themes

HKEY_USERS\(VM_XP003/Administrator)s-1-5-21-329068152-1770027372-1177238915-500\software\microsoft\windows\currentversion\themes

HKEY_USERS\(NT AUTHORITY/SYSTEM)s-1-5-18\software\microsoft\windows\currentversion\themes
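As an added example, not Endpoint Sensor code: the HKEY_CURRENT_USER-to-HKEY_USERS\[SID] expansion described above and the three Data criteria from Table 1, written as PowerShell functions that run against the local registry. The value name CurrentTheme, the data string aero, and the choice to skip the *_Classes hives are this example's assumptions, not details from the page.

```powershell
# Added example (not Endpoint Sensor code). Expands an HKCU path into the per-user
# HKEY_USERS\<SID>\... paths, then applies Contains / Does not contain / Exact match.
# Run elevated: other users' hives under HKEY_USERS are not readable otherwise.
function Expand-HkcuPath {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        # Default: every hive currently loaded under HKEY_USERS (.DEFAULT, S-1-5-18, ...)
        [string[]]$Sid = (Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { $_.PSChildName })
    )
    # Drop the HKEY_CURRENT_USER / HKCU prefix; the rest is looked up under each hive.
    $suffix = $KeyPath -replace '^(HKEY_CURRENT_USER|HKCU:?)\\', ''
    foreach ($s in $Sid) {
        # Assumption of this example: *_Classes hives hold per-user COM registrations,
        # not the user's Software tree, so they are skipped here.
        if ($s -like '*_Classes') { continue }
        "HKEY_USERS\$s\$suffix"
    }
}

function Test-RegistryData {
    param(
        [Parameter(Mandatory)][string]$KeyPath,   # HKEY_USERS\<SID>\... form
        [Parameter(Mandatory)][string]$Name,      # value name under that key
        [Parameter(Mandatory)][string]$Data,      # data to compare against
        [ValidateSet('Contains','DoesNotContain','ExactMatch')][string]$Criterion = 'Contains'
    )
    $item = Get-ItemProperty -Path "Registry::$KeyPath" -Name $Name -ErrorAction SilentlyContinue
    if (-not $item) { return $false }             # key or value name absent: no match
    $actual = [string]$item.$Name                 # REG_MULTI_SZ is joined with spaces
    # Registry data is compared case-insensitively; IndexOf avoids wildcard surprises of -like.
    $found = $actual.IndexOf($Data, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    switch ($Criterion) {
        'Contains'       { $found }
        'DoesNotContain' { -not $found }
        'ExactMatch'     { [string]::Equals($actual, $Data, [System.StringComparison]::OrdinalIgnoreCase) }
    }
}

# Worked example: the page's Themes key, checked across every loaded user hive.
# CurrentTheme / aero are constructed sample criteria for this example.
$key = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes'
$hits = foreach ($path in Expand-HkcuPath -KeyPath $key) {
    if (Test-RegistryData -KeyPath $path -Name 'CurrentTheme' -Data 'aero' -Criterion Contains) { $path }
}
$hits   # lists each HKEY_USERS\<SID>\...\themes key whose CurrentTheme data contains "aero"
```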