You wish to use the Registry Scanner to locate registry keys and values on target systems within your network.
Obtaining useful and accurate results from the Registry Scanner is dependent on the correct usage of the Include Pattern(s) and Exclude Pattern(s). The Usage and Available Wildcards below provide important information on how the Registry Scanner operates, how to use the correct series of patterns, and some examples to get you searching quickly or to troubleshoot issues with existing searches. We advise reviewing the Custom Scanner Best Practices article and thoroughly testing scans on a few machines before scanning your entire environment.
- Patterns are not case sensitive.
- In all cases involving registry key searches, a trailing "\" is necessary. Failure to include the trailing "\" will often result in unexpected results, including null results.
- Searches are confined to the HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT, and HKEY_USERS hives. It is not possible to search HKEY_CURRENT_USER or HKEY_CURRENT_CONFIG.
- Registry scans do not scan the data or type of a value, only the name of a key or value. When a key is scanned, however, all values, types, and data are returned in the result. When a value is scanned, the type and data is returned.
- Before scanning your environment, test the scan thoroughly on a few machines. Patterns are designed to increase the efficiency of searches, resulting in better performance for all users. Because of the power inherent in the patterns, it is possible to do the exact opposite of that and create searches that are inefficient, reduce performance, and cause significant performance issues for you and your users.
* matches zero or more characters, can be used for keys and values:
- HIVE\Path\*bar will return value results for foobar, fubar, F00bar, bar, etc.
- HIVE\Path\foo* will return value results for foo, foobar, foolish, foo42, food, etc.
- HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\*\Passport Test\ will search any key (but not subkeys) between \Internet Settings\ and \Passport Test\
- HIVE\key\*\*\*\Path64 will search for all path64 values in HIVE\key\subkey\subkey\subkey\ but not in HIVE\key\subkey\subkey\
? matches a single character:
- HIVE\Path\?bar will return value results for 1bar, sbar, 2bar, qbar, but not fubar, foobar, or 42bar.
- HIVE\Path\f??bar will return value results for foobar but not fubar.
\**\ is used to indicate the current key and all subkeys:
Searches for the value fubar in HKLM\SYSTEM\CurrentControlSet\Services\W32Time and all subkeys of HKLM\SYSTEM\CurrentControlSet\Services\W32Time.
Searches the W32Time key and all subkeys and all values in those keys.
Searches for the value fubar in HKLM\SYSTEM\CurrentControlSet\Services\W32Time\<keys>\<subkeys>
but not HKLM\SYSTEM\CurrentControlSet\Services\W32Time\
Searches for any values starting in HKLM\SYSTEM\CurrentControlSet\Services\W32Time\<key>\<subkey>\<subkey>
but not in HKLM\SYSTEM\CurrentControlSet\Services\W32Time\<key>\<subkey>\
Exclude Pattern(s) work the same way as Include Pattern(s).
When performing large searches, performance can be significantly improved by excluding large parent keys and all or some of their subkeys.
There are three common issues when you receive null or unexpected results from a registry scan:
1. Omitting the trailing "\" when performing a key search or including the "\" when doing a value search.
2. Searching for data rather than keys or values. For example, searching for "inf" in the key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion will return null results. To return the data for "inf" you would search for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ which would return the "DevicePath" value and the data of %SystemRoot%\inf
3. Including the hive name in the Include pattern(s):
1. Find all known values in a key:
Find the uninstall string in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2. Find a value in an unknown location:
Find any value with the name "Viagra" in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\<keys>\
3. Find a particular key in multiple possible locations, excluding a specific instance:
Find all instances of a particular SID in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
4. Find a particular value:
Find all ProductName value data in possible multiple keys.
5. Find specific information for installed software versions in an unknown key:
You want to find the current version of Java and the Java version running on a browser, but don't know the key it is located in, but can exclude certain keys.