Clarification on Wildcards in REGISTRY_KEY #255
Comments
|
Hey Demian, I think the wildcard can refer to both, subkeys and values. I think intuitively that makes sense, like a * in filesystems can mean both, files and subdirectories, but I agree that this might cause confusion. I think WindowsControlPanelFilePaths is wrong, looking at the provided url, https://msdn.microsoft.com/en-us/library/windows/desktop/hh127454(v=vs.85).aspx , I don't think this artifact will collect anything useful on any of the listed OSs. Thanks for pointing this out! |
|
Thanks for the quick answer! I'll handle it like this, then :-) I don't 100% agree that this is intuitive though: My understanding was that the type of REGISTRY_KEY already means "All the values in this key" as opposed to REGISTRY_VALUE, which specifies exactly one value within a key. The wildcard in the path seems redundant at least. If we are looking at a key which has values as well as subkeys, what is the wildcard at the end supposed to mean? "Export all the values of this key and all the values of the subkeys"? Then one could argue it should be |
This depends how you perceive a Windows Registry key
|
Hi everyone,
this is probably covered by #23, but since I'm working on an extractor for artifacts, I'd like to understand how wildcards are used in the artifacts:
Many of the REGISTRY_KEY artifacts have a
\*at the end. My understanding is that this means a subkey. This is strange, because some of the defined registry paths (e.g. the Autorun "Run"-Keys inWindowsRunKeys) clearly do not have subkeys, but still are given with a\*at the end. Although not all of them do, for exampleWindowsControlPanelFilePaths.Can you clarify if a wildcard at the end of a REGISTRY_KEY path means "All subkeys" or "All values in this key" or both?
Thanks!
Demian
The text was updated successfully, but these errors were encountered: