Registry Event Properties
The following event properties can be used with registry events in uAQL queries (event type Reg.*). In addition to the properties listed here, the common properties are applicable, too.
| Property name | uAQL Data Type | Description |
|---|---|---|
Reg.Key.Path |
String | The absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Not supported for Reg.Key.Rename. |
Reg.Key.Name |
String | The name the registry key – the last path element of the full path (e.g., ^lmhosts$). Not supported for Reg.Key.Rename. |
Reg.Parent.Key.Path |
String | The absolute path to the parent key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services$). Not supported for Reg.Key.Rename. |
Reg.Key.Path.New |
String | The new absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Only supported for Reg.Key.Rename. |
Reg.Key.Path.Old |
String | The old absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Only supported for Reg.Key.Rename. |
Reg.Value.Name |
String | The name of a key property (e.g., RequiredPrivileges). |
Reg.File.Name |
String | A file path (e.g., C:\TempHive.hiv). Supported for Reg.Key.Load, Reg.Key.Restore, Reg.Key.Save, or Reg.Key.Replace. |
Reg.Key.Sddl |
String | The security descriptor (SD) of a registry key. |
Reg.Key.Hive |
String | The name of the Hive (e.g., HKLM). |
Reg.Key.Target |
String | The absolute path of the registry key. Takes Reg.Key.Path.Old or Reg.Key.Path and is thus never empty. |