This documentation does not apply to the most recent version of uberAgent.
Registry Event Properties
The following event properties can be used with registry events in uAQL queries (event type `Reg.*`). In addition to the properties listed here, the common properties are applicable, too.
Property name | uAQL Data Type | Description | Platform |
---|---|---|---|
Reg.Key.Path | String | The absolute path of the registry key (e.g., `^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$`). Not supported for `Reg.Key.Rename`. | Win |
Reg.Key.Name | String | The name of the registry key – the last path element of the full path (e.g., `^lmhosts$`). Not supported for `Reg.Key.Rename`. | Win |
Reg.Parent.Key.Path | String | The absolute path to the parent key (e.g., `^HKLM\\SYSTEM\\.*ControlSet.*\\Services$`). Not supported for `Reg.Key.Rename`. | Win |
Reg.Key.Path.New | String | The new absolute path of the registry key (e.g., `^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$`). Only supported for `Reg.Key.Rename`. | Win |
Reg.Key.Path.Old | String | The old absolute path of the registry key (e.g., `^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$`). Only supported for `Reg.Key.Rename`. | Win |
Reg.Value.Name | String | The name of a key property (e.g., `RequiredPrivileges`). | Win |
Reg.Value.Data | Number or String | The content written to the registry value. | Win |
Reg.Value.Type | Number | The numeric value representing the data-type of the content written to the registry value. Possible values: 0 = REG_NONE, 1 = REG_SZ, 2 = REG_EXPAND_SZ, 3 = REG_BINARY, 4 = REG_DWORD, 4 = REG_DWORD_LITTLE_ENDIAN, 5 = REG_DWORD_BIG_ENDIAN, 6 = REG_LINK, 7 = REG_MULTI_SZ, 8 = REG_RESOURCE_LIST, 9 = REG_FULL_RESOURCE_DESCRIPTOR, 10 = REG_RESOURCE_REQUIREMENTS_LIST, 11 = REG_QWORD, 11 = REG_QWORD_LITTLE_ENDIAN (cf. Microsoft documentation). | Win |
Reg.File.Name | String | A file path (e.g., `C:\TempHive.hiv`). Supported for `Reg.Key.Load`, `Reg.Key.Restore`, `Reg.Key.Save`, or `Reg.Key.Replace`. | Win |
Reg.Key.Sddl | String | The security descriptor (SD) of a registry key. | Win |
Reg.Key.Hive | String | The name of the Hive (e.g., `HKLM`). | Win |
Reg.Key.Target | String | The absolute path of the registry key. Takes `Reg.Key.Path.Old` or `Reg.Key.Path` and is thus never empty. | Win |
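
The following added example (Python, not uberAgent code) models how the path properties in the table relate to each other. It shows why a detection written against `Reg.Key.Path` misses `Reg.Key.Rename` events, while one written against `Reg.Key.Target` does not. The helper names `derive_properties`, `rule_hits` and `compare` and the sample events are constructed for illustration; the regex is the table's own `Reg.Key.Path` example.

```python
import re

RENAME = "Reg.Key.Rename"  # the one event type without Path/Name/Parent

def derive_properties(event_type, path=None, old_path=None, new_path=None):
    """Model of the table's descriptions (an assumption, not the agent's code)."""
    props = {}
    if event_type == RENAME:
        # Rename events only carry the old and the new path.
        props["Reg.Key.Path.Old"] = old_path
        props["Reg.Key.Path.New"] = new_path
    else:
        parent, _, name = path.rpartition("\\")
        props["Reg.Key.Path"] = path
        props["Reg.Key.Name"] = name            # last path element
        props["Reg.Parent.Key.Path"] = parent
    # Reg.Key.Target takes Path.Old or Path, so it is never empty.
    target = props.get("Reg.Key.Path.Old") or props.get("Reg.Key.Path")
    props["Reg.Key.Target"] = target
    props["Reg.Key.Hive"] = target.split("\\", 1)[0]
    return props

# Regex copied from the table; ".*ControlSet.*" covers CurrentControlSet
# as well as numbered control sets such as ControlSet001.
LMHOSTS = re.compile(r"^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$")

def rule_hits(props, prop_name, pattern=LMHOSTS):
    """True if the property exists on this event and matches the pattern."""
    value = props.get(prop_name)
    return bool(value and pattern.search(value))

# Constructed sample events (not real telemetry).
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services\lmhosts"
EVENTS = [
    ("Reg.Key.Save", {"path": SVC}),
    ("Reg.Key.Save", {"path": r"HKLM\SYSTEM\ControlSet001\Services\lmhosts"}),
    ("Reg.Key.Rename", {"old_path": SVC, "new_path": SVC + "_bak"}),
    ("Reg.Key.Save", {"path": r"HKLM\SOFTWARE\Example\lmhosts"}),
]

def compare():
    """Per event: (type, hit via Reg.Key.Path, hit via Reg.Key.Target)."""
    rows = []
    for event_type, kwargs in EVENTS:
        p = derive_properties(event_type, **kwargs)
        rows.append((event_type, rule_hits(p, "Reg.Key.Path"),
                     rule_hits(p, "Reg.Key.Target")))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```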