
Change the registry LIKE path constraint to filter recursively #6448

Merged
merged 1 commit into from
May 20, 2020

Conversation

Breakwell
Contributor

Description

The Windows registry table does not use recursive LIKE correctly: if the '%%' is in the final part of the path, it only gets the first set of subkeys.

Testing
Choose a registry key with multiple layers of subkeys (I chose Python) and query using recursive LIKE:

Before

osquery> select path, name from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\%%';
+-----------------------------------------------------------+-------------+
| path                                                      | name        |
+-----------------------------------------------------------+-------------+
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\2.7         | 2.7         |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6         | 3.6         |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7         | 3.7         |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\DisplayName | DisplayName |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\SupportUrl  | SupportUrl  |
+-----------------------------------------------------------+-------------+

After

osquery> select path, name from registry where path like 'HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\%%';
+--------------------------------------------------------------------------------------+---------------------------+
| path                                                                                 | name                      |
+--------------------------------------------------------------------------------------+---------------------------+
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\2.7                                    | 2.7                       |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6                                    | 3.6                       |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7                                    | 3.7                       |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\DisplayName                            | DisplayName               |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\SupportUrl                             | SupportUrl                |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\2.7\Help                               | Help                      |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\2.7\InstallPath                        | InstallPath               |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\2.7\Modules                            | Modules                   |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\2.7\PythonPath                         | PythonPath                |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\2.7\Help\Main Python Documentation     | Main Python Documentation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\2.7\Help\Main Python Documentation\    | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\2.7\InstallPath\InstallGroup           | InstallGroup              |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\2.7\InstallPath\                       | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\2.7\InstallPath\InstallGroup\          | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\2.7\PythonPath\                        | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\Help                               | Help                      |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\Idle                               | Idle                      |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\IdleShortcuts                      | IdleShortcuts             |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstalledFeatures                  | InstalledFeatures         |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstallPath                        | InstallPath               |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\PythonPath                         | PythonPath                |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\DisplayName                        | DisplayName               |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\SupportUrl                         | SupportUrl                |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\Version                            | Version                   |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\SysVersion                         | SysVersion                |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\SysArchitecture                    | SysArchitecture           |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\Help\Main Python Documentation     | Main Python Documentation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\Help\Main Python Documentation\    | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\Idle\                              | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\IdleShortcuts\                     | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstallPath\                       | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstallPath\ExecutablePath         | ExecutablePath            |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstallPath\WindowedExecutablePath | WindowedExecutablePath    |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstalledFeatures\core_pdb         | core_pdb                  |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstalledFeatures\dev              | dev                       |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstalledFeatures\Shortcuts        | Shortcuts                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstalledFeatures\exe              | exe                       |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstalledFeatures\lib              | lib                       |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstalledFeatures\test             | test                      |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstalledFeatures\doc_shortcut     | doc_shortcut              |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstalledFeatures\doc              | doc                       |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstalledFeatures\tools            | tools                     |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstalledFeatures\tcltk            | tcltk                     |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\InstalledFeatures\pip              | pip                       |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.6\PythonPath\                        | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\Help                               | Help                      |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\Idle                               | Idle                      |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\IdleShortcuts                      | IdleShortcuts             |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstalledFeatures                  | InstalledFeatures         |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstallPath                        | InstallPath               |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\PythonPath                         | PythonPath                |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\DisplayName                        | DisplayName               |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\SupportUrl                         | SupportUrl                |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\Version                            | Version                   |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\SysVersion                         | SysVersion                |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\SysArchitecture                    | SysArchitecture           |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\Help\Main Python Documentation     | Main Python Documentation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\Help\Pythonwin Reference           | Pythonwin Reference       |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\Help\                              | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\Help\Main Python Documentation\    | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\Help\Pythonwin Reference\          | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\Idle\                              | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\IdleShortcuts\                     | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstallPath\                       | (Default)                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstallPath\ExecutablePath         | ExecutablePath            |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstallPath\WindowedExecutablePath | WindowedExecutablePath    |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstalledFeatures\dev              | dev                       |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstalledFeatures\Shortcuts        | Shortcuts                 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstalledFeatures\exe              | exe                       |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstalledFeatures\lib              | lib                       |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstalledFeatures\test             | test                      |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstalledFeatures\doc_shortcut     | doc_shortcut              |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstalledFeatures\doc              | doc                       |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstalledFeatures\tools            | tools                     |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstalledFeatures\tcltk            | tcltk                     |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstalledFeatures\pip              | pip                       |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\InstalledFeatures\path             | path                      |
| HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.7\PythonPath\                        | (Default)                 |
+--------------------------------------------------------------------------------------+---------------------------+
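An added example, not code from the PR or from osquery, that models the behaviour described above against an in-memory key tree instead of the live registry: a path constraint ending in `%%` must walk every descendant, while a single trailing `%` stops at the direct children (the pre-fix output above is what the single-level walk produces). The key names are a constructed subset of the PythonCore layout shown in the output; only subkeys are modelled, not values.

```cpp
#include <map>
#include <string>
#include <vector>
// Constructed stand-in for a registry hive: each key maps to the names of its
// direct subkeys. Real osquery walks the live Windows registry; this is offline.
using KeyTree = std::map<std::string, std::vector<std::string>>;

// Enumerate subkey paths below `root`. recursive == false emits only the direct
// children (the pre-fix behaviour for '%%'); recursive == true descends fully.
void expandKeys(const KeyTree& tree, const std::string& root, bool recursive,
                std::vector<std::string>& out) {
  auto it = tree.find(root);
  if (it == tree.end()) return;
  for (const auto& child : it->second) {
    const std::string path = root + "\\" + child;
    out.push_back(path);
    if (recursive) expandKeys(tree, path, true, out);
  }
}

static bool endsWith(const std::string& s, const std::string& suffix) {
  return s.size() >= suffix.size() &&
         s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Resolve a LIKE path constraint the way the registry table should after the
// fix: a trailing "\%%" recurses through all descendants, a trailing "\%" stops
// at one level, and anything else is treated as an exact key path.
std::vector<std::string> resolveLike(const KeyTree& tree, const std::string& like) {
  std::vector<std::string> out;
  if (endsWith(like, "\\%%")) {
    expandKeys(tree, like.substr(0, like.size() - 3), true, out);
  } else if (endsWith(like, "\\%")) {
    expandKeys(tree, like.substr(0, like.size() - 2), false, out);
  } else if (tree.count(like)) {
    out.push_back(like);
  }
  return out;
}

// Constructed subset of the PythonCore key layout shown in the PR output.
KeyTree samplePythonCore() {
  const std::string b = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Python\\PythonCore";
  return {{b, {"2.7", "3.6"}},
          {b + "\\2.7", {"Help", "InstallPath"}},
          {b + "\\2.7\\Help", {"Main Python Documentation"}},
          {b + "\\2.7\\InstallPath", {"InstallGroup"}},
          {b + "\\3.6", {"Help", "InstallPath"}}};
}
```

On the sample tree the `%%` form yields eight paths across three levels, while `%` yields only the two version keys, which is exactly the gap between the Before and After outputs.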

@theopolis theopolis merged commit 089becf into osquery:master May 20, 2020