How do I create a registry detection check for a DWORD value? DWORD values are not working for detection or applicability rules.
DWORD values are not natively supported, however there is a way to configure a registry rule to work with DWORD values.
By adding dword: to the front of your value, you can use DWORD values in your detection check. See this screenshot for examples of how this should be configured:
Registry example:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects]
"VisualFXSetting"=dword:00000003
Rule Configuration:
Note that you should use Substring as the Match criteria.