Forum Discussion

MREVCI's avatar
MREVCI
Copper Contributor
Oct 21, 2021

Running a registry based query

  Hello, we have some computers which we need to find out the specific registry value in order to be able to update their OS. The path: HKEY_LOCAL_MACHINE\software\policies\Microsoft\Windows\Win...
Defender for Endpoint
hunting
David Caddick's avatar
David Caddick
Iron Contributor
Oct 21, 2021
Why not just Advanced Hunting and query the registry from there?
  • MREVCI's avatar
    MREVCI
    Copper Contributor
    Oct 21, 2021
    That's what I am trying to do but I cant find the correct syntax
    • David Caddick's avatar
      David Caddick
      Iron Contributor
      Oct 21, 2021

      MREVCI 

      Head into https://security.microsoft.com/advanced-hunting

      Use this to start with:

      >DeviceRegistryEvents
      >| limit 100
       
      Then pivot from there using show filters?
      • David Caddick's avatar
        David Caddick
        Iron Contributor
        Oct 25, 2021
        For instance I have recently been wanting to track Macros that have been executed, so I'm looking for this in TrustedRecords using this KQL

        DeviceRegistryEvents
        | where RegistryKey has @"SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords"
        | project Timestamp, DeviceName, RegistryValueName

Resources