Accessor
Access the registry like a filesystem using the OS APIs.
The top level path component is a list of the common hives (e.g. HKEY_USERS). The accessor creates a registry abstraction to make it appear as a filesystem, where a key or value name containing / can be escaped using quotes, for example:

HKEY_LOCAL_MACHINE\Microsoft\Windows\"http://www.microsoft.com/"
The hives can also be referenced by their abbreviated (shorthand) names:

HKLM = HKEY_LOCAL_MACHINE
HKU = HKEY_USERS
HKCU = HKEY_CURRENT_USER
The registry (or reg for short) accessor allows any filesystem functions and plugins to also work on the registry. For example, here we use the glob plugin to list keys:

SELECT *
FROM glob(
    globs="*",
    root='''HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion''',
    accessor="registry")
WHERE Name = "Run"
We can use the read_file function to read values as if they were files:

SELECT OSPath.Path AS Key,
       Data,
       Data.type AS Type,
       expand(path=read_file(accessor='registry', filename=OSPath)) AS Content
FROM glob(globs='HKU/*/Environment/*', accessor='registry')
For convenience we also have the read_reg_key plugin, which is similar to using both glob and read_file together, as in the previous example. The main difference is that read_reg_key returns the key's values as columns, which makes it easier to work with them in VQL. Note that with this registry-specific plugin we do not need to specify the registry accessor, as that is the default.

SELECT *
FROM read_reg_key(root='HKEY_USERS', globs='*/Environment')
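The following query is an added example, not part of the Velociraptor documentation above. It combines the pieces described on this page (shorthand hive names, glob over the registry accessor, and read_file to fetch a value's data) into a typical triage use: listing every autostart value under the Run and RunOnce keys of the machine hive and of every loaded user hive, so that unexpected persistence entries can be reviewed. The glob patterns, the Wow6432Node path, the Mtime column and the Data.type names "SZ" and "EXPAND_SZ" are assumptions about the registry accessor's output and are not stated on this page.

```vql
-- Added example (not from the Velociraptor docs): enumerate autostart
-- values across the machine hive and all loaded user hives.
-- Assumed: glob() with the registry accessor yields one row per value with
-- OSPath, Mtime and Data.type columns; shorthand hive names resolve as
-- described above; string values report Data.type as "SZ" or "EXPAND_SZ".
LET AutoRunGlobs = [
  '''HKLM\Software\Microsoft\Windows\CurrentVersion\Run*\*''',
  '''HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run*\*''',
  '''HKU\*\Software\Microsoft\Windows\CurrentVersion\Run*\*'''
]

-- One row per autostart value: which key it lives in, the value name, the
-- expanded command line, and when the containing key was last written.
SELECT OSPath.Dirname.Path AS Key,
       OSPath.Basename AS ValueName,
       Data.type AS Type,
       expand(path=read_file(accessor='registry', filename=OSPath)) AS Command,
       timestamp(epoch=Mtime) AS KeyModified
FROM glob(globs=AutoRunGlobs, accessor='registry')
WHERE Type = 'SZ' OR Type = 'EXPAND_SZ'
ORDER BY KeyModified DESC
```

Sorting by KeyModified puts recently changed autostart keys first, which is usually where review starts; the WHERE clause keeps only string-typed values because binary or DWORD data under these keys is not a command line and would only add noise.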