
Registry Event Properties

The following event properties can be used with registry events (event type Reg.*) in uAQL queries. The common properties apply as well.

| Property name | uAQL Data Type | Description |
|---|---|---|
| Reg.Key.Path | String | The absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Not supported for Reg.Key.Rename. |
| Reg.Key.Name | String | The name of the registry key, i.e. the last path element of the full path (e.g., ^lmhosts$). Not supported for Reg.Key.Rename. |
| Reg.Parent.Key.Path | String | The absolute path to the parent key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services$). Not supported for Reg.Key.Rename. |
| Reg.Key.Path.New | String | The new absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Only supported for Reg.Key.Rename. |
| Reg.Key.Path.Old | String | The old absolute path of the registry key (e.g., ^HKLM\\SYSTEM\\.*ControlSet.*\\Services\\lmhosts$). Only supported for Reg.Key.Rename. |
| Reg.Value.Name | String | The name of a key property (e.g., RequiredPrivileges). |
| Reg.File.Name | String | A file path (e.g., C:\TempHive.hiv). Supported for Reg.Key.Load, Reg.Key.Restore, Reg.Key.Save, or Reg.Key.Replace. |
| Reg.Key.Sddl | String | The security descriptor (SD) of a registry key. |
