Running a registry based query

Question

&nbsp;Hello,we have some computers which we need to find out the specific registry value in order to be able to update their OS.The path:&nbsp;HKEY_LOCAL_MACHINE\software\policies\Microsoft\Windows\WindowsUpdate\AUThe value (Dword): NoAutoUpdateI want to find out which computers that are onboarded to defender for endpoint has this registry set to "1"/On.Thanks for help&nbsp;

david caddick · Answer

Why not just Advanced Hunting and query the registry from there?

mrevci · Answer

That's what I am trying to do but I cant find the correct syntax

david caddick · Answer

MREVCI&nbsp;Head into&nbsp;https://security.microsoft.com/advanced-huntingUse this to start with:&gt;DeviceRegistryEvents&gt;|&nbsp;limit&nbsp;100&nbsp;Then pivot from there using show filters?

david caddick · Answer

For instance I have recently been wanting to track Macros that have been executed, so I'm looking for this in TrustedRecords using this KQLDeviceRegistryEvents| where RegistryKey has @"SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords"| project Timestamp, DeviceName, RegistryValueName

Forum Discussion

Running a registry based query

4 Replies

Resources