This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.
Registry Event Properties
The following event properties can be used with registry events in uAQL queries (event type Reg.*). In addition to the properties listed here, the common properties are applicable, too.
| Property name | uAQL Data Type | Description |
|---|---|---|
Reg.Key.Path |
String | The absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Not supported for Reg.Key.Rename. |
Reg.Key.Name |
String | The name the registry key – the last path element of the full path (e.g., ^lmhosts$). Not supported for Reg.Key.Rename. |
Reg.Parent.Key.Path |
String | The absolute path to the parent key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services$). Not supported for Reg.Key.Rename. |
Reg.Key.Path.New |
String | The new absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Only supported for Reg.Key.Rename. |
Reg.Key.Path.Old |
String | The old absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Only supported for Reg.Key.Rename. |
Reg.Value.Name |
String | The name of a key property (e.g., RequiredPrivileges). |
Reg.File.Name |
String | A file path (e.g., C:\TempHive.hiv). Supported for Reg.Key.Load, Reg.Key.Restore, Reg.Key.Save, or Reg.Key.Replace. |
Reg.Key.Sddl |
String | The security descriptor (SD) of a registry key. |
Reg.Key.Hive |
String | The name of the Hive (e.g., HKLM). |