This looks through registry on all disks to determine the hostname for cases where multiple disks are mounted
name: Windows.Registry.Bulk.ComputerName
description: |
This looks through registry on all disks to determine the hostname for cases where multiple disks are mounted
author: Angry-bender
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: TargetDrive
description: |
The path to to the drive that holds the SYSTEM registry hive.
default: "C:"
- name: HiveLocation
default: '\\windows\\system32\\config\\system'
description: "Loction of target hive"
- name: KeyValue
default: "/*/Control/ComputerName/ComputerName/ComputerName"
description: "Loction of target key"
- name: AllDrives
description: Search all drives?
type: bool
default: Y
sources:
- query: |
LET Drive <= pathspec(parse=TargetDrive, path_type="ntfs")
-- get all drives
LET ntfs_drives = SELECT
OSPath AS Drive,
OSPath + HiveLocation AS SystemHive
FROM glob(globs="/*", accessor="ntfs")
WHERE log(message="Processing " + SystemHive)
LET RegParse(Drive,SysHivePth) =
SELECT Drive, Name, FullPath, url(parse=FullPath).Fragment AS Value, Mtime, Data.value AS Key FROM foreach(
row={
SELECT * FROM Drive
},
query={
SELECT *
FROM glob(
globs=url(scheme="file",
path=SysHivePth,
fragment=KeyValue),
accessor="raw_reg")
})
SELECT * FROM if(condition=AllDrives,
then={
SELECT * FROM foreach(
row={
SELECT * FROM ntfs_drives
},
query={
SELECT *
FROM RegParse(
Drive=Drive,
SysHivePth=SystemHive)
})
},
else={
SELECT *
FROM RegParse(
Drive=Drive,
SysHivePth = Drive + HiveLocation)
})