Registry scan to find HKCU\Software\CryptoLocker is not working?
Andrew Berryman
I'm trying to create a scan profile to find the registry key of HKCU\Software\CryptoLocker, but I can't get it to return any results. My test PC has an entry for it. I've added a scan profile and attached the screen shot. But when I scan my test PC, it doesn't return anything.
Comments
True, but if it's under HKCU\Software, then it's also under HKU\Software
Hi Andrew,
From an MS KB the HKEY_USERS key "Contains all the actively loaded user profiles on the computer..."
Here is an example. I created a registry key called UserKey in the HKCU\Software key for the user Al.Swearengen. When that user profile was loaded, I could find this via a registry scan. The SID for Al.Swearengen ends with -1128.
When I logged Al.Swearengen off and rescanned, the data I needed went away, since that profile was no longer loaded.
Even when HKEY_USERS is specified, you can't just specify HKEY_USERS\Software because that path doesn't exist. The Software key is a sub-key under the different SID keys. This means that to find this (when that user hive was loaded) I had to have my Inventory Scanner look under the root of HKEY_USERS for everything. As a result, that one scanner added 16,000+ rows of data to my database (for just one computer).
We would definitely recommend not using Inventory for this particular task for two reasons. 1) Your data will only be as accurate as the currently loaded user profiles (hives) and 2) The amount of data in the DB could render the database virtually unusable.
Is there a file that you could scan for that would help you determine the same thing? If so, I would recommend using a file scanner.
That makes sense. Thanks.
I was trying to do something similar to the OP (I think). I needed to know if any of our PCs had the Reg key HKCU\Software\Google\update\network\secure (a marker for Latenbot infections). So I created a scanner with HKEY_USERS and then *\Software\Google\Update\network\**\. This gave me the data I wanted after I created a collection that showed any PC that had the Reg path HKCU\Software\Google\Update\network\secure. For testing purposes I created the keys and some bogus values on my PC, since I suspected the key did not exist on any machines.
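The two points made in this thread, that HKCU is really HKEY_USERS\&lt;SID&gt; and that only currently loaded hives are visible there, can be checked directly on one machine. The script below is an added example and is not from the thread or from the inventory product being discussed; it assumes PowerShell run as an administrator (other users' hives are not readable otherwise), takes the relative key path as it would appear under HKCU, and the `$RelativeKey` default is the CryptoLocker marker from the original question.

```powershell
# Added example: report which loaded user hives contain a given HKCU-relative key,
# then warn about profiles on disk whose hives are not loaded and so cannot be seen.
param(
    [string]$RelativeKey = 'Software\CryptoLocker'   # path as it appears under HKCU
)

# The HKU: drive is not created by default; map it to HKEY_USERS.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$results = foreach ($hive in Get-ChildItem -Path 'HKU:\') {
    $sid = $hive.PSChildName
    # Skip per-user Classes hives and the built-in system/service hives.
    if ($sid -like '*_Classes' -or $sid -in '.DEFAULT', 'S-1-5-18', 'S-1-5-19', 'S-1-5-20') {
        continue
    }
    # HKCU\<RelativeKey> for this user is HKEY_USERS\<SID>\<RelativeKey>.
    $keyPath = "HKU:\$sid\$RelativeKey"
    $account = try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { '<unresolved>' }
    [pscustomobject]@{
        SID     = $sid
        Account = $account
        KeyPath = $keyPath
        Found   = Test-Path -Path $keyPath
    }
}
$results | Format-Table -AutoSize

# Coverage caveat from the thread: HKEY_USERS only holds profiles that are loaded.
# Cross-check against ProfileList so unloaded profiles are reported, not silently missed.
$loadedSids = @($results | ForEach-Object { $_.SID })
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notin $loadedSids } |
    ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        Write-Warning "Profile $($_.PSChildName) ($img) is not loaded; its HKCU keys are not visible."
    }
```

Because the check is scoped to one named key per SID instead of enumerating all of HKEY_USERS, it avoids the row explosion described above, while the warning output shows exactly which users a scan of loaded hives cannot vouch for.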