Forum Discussion
KQL query
- Sep 11, 2025
Hi Yogeesh143, check this out, might work.
Since you’re asking specifically about KQL queries in Microsoft Defender (Advanced Hunting) to track registry modifications, Run key values, and startup items, here are some solid starting points you can use in the Advanced Hunting portal:
Detect Registry Modifications (general)
DeviceRegistryEvents
| where ActionType == "RegistryKeyCreated" or ActionType == "RegistryValueSet"
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
Monitor Run Key Persistence (startup registry entries)
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
or RegistryKey has @"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
Look for Startup Folder Modifications
DeviceFileEvents
| where FolderPath endswith @"\Microsoft\Windows\Start Menu\Programs\Startup"
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
You can also extend these queries by adding filters for suspicious processes (e.g., where InitiatingProcessFileName !in~ ("explorer.exe","msiexec.exe")).
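The three checks above combined into one Advanced Hunting query, added here as an example (not code from the original reply); the allowlist of initiating processes and the list of user-writable paths are assumptions to tune for your environment.

```kql
// Added example, not from the original post: one query covering Run/RunOnce
// value writes and Startup-folder drops, minus a short allowlist of initiating
// processes, with entries pointing at user-writable paths sorted to the top.
let lookback = 7d;
// Assumed allowlist (installer and shell activity); adjust for your estate.
let benign_initiators = dynamic(["explorer.exe", "msiexec.exe", "svchost.exe"]);
let runkey_events =
    DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "RegistryValueSet"
    // endswith keeps HKLM, HKEY_USERS\<SID> and WOW6432Node variants of the key
    | where RegistryKey endswith @"\CurrentVersion\Run"
         or RegistryKey endswith @"\CurrentVersion\RunOnce"
    | extend PersistenceType = "RegistryRunKey",
             Location = RegistryKey,
             EntryName = RegistryValueName,
             EntryTarget = RegistryValueData;
let startup_events =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileRenamed", "FileModified")
    // endswith covers both the per-user and the all-users Startup folder
    | where FolderPath endswith @"\Microsoft\Windows\Start Menu\Programs\Startup"
    | extend PersistenceType = "StartupFolder",
             Location = FolderPath,
             EntryName = FileName,
             EntryTarget = strcat(FolderPath, @"\", FileName);
union runkey_events, startup_events
| where InitiatingProcessFileName !in~ (benign_initiators)
// Autostart targets under temp/profile/public paths deserve a closer look
| extend TargetInUserWritablePath = EntryTarget matches regex
         @"(?i)\\(AppData\\Local\\Temp|Users\\Public|ProgramData|Downloads)\\"
| project Timestamp, DeviceName, PersistenceType, Location, EntryName, EntryTarget,
          TargetInUserWritablePath, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TargetInUserWritablePath desc, Timestamp desc
```

Results with TargetInUserWritablePath set to true are the ones worth pivoting on first (initiating process, command line, and account); the rest serve as a baseline of normal autostart changes.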
Thank you so much
- Sep 11, 2025
Thanks. Please close the thread once you resolve it.