CB ThreatHunter: Registry operations sometimes display with \REGISTRY\ prefix
Article ID: 285612
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
In some cases, registry operations will display as:
\REGISTRY\A\{guid}
Environment
- CB ThreatHunter Web Console: All Versions
- CB PSC Windows Sensor: 3.4.x.x and higher
- Microsoft Windows: Vista and higher
Cause
This is caused by a regmod operation taking place in an Application Hive.
Resolution
The sensor is reporting the registry path accurately. More information on Application Hives can be found in the referenced Microsoft article below.
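When reviewing exported regmod paths, it helps to separate Application Hive paths from the rest and group them by hive GUID. The following is an added example, not Carbon Black code: the function names and sample paths are constructed, and the \REGISTRY\MACHINE and \REGISTRY\USER mappings are standard Windows behaviour rather than something this article states.

```python
import re
from collections import defaultdict

# \REGISTRY\A\{guid} is the form shown in the article. The MACHINE and USER
# roots are standard Windows kernel-namespace names (assumption, not on the page).
_APP_HIVE = re.compile(
    r"^\\REGISTRY\\A\\(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})"
    r"(?:\\(.*))?$",
    re.IGNORECASE,
)
_ROOTS = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}


def classify_regmod_path(path):
    """Return (kind, hive, subkey) for one regmod path string."""
    m = _APP_HIVE.match(path)
    if m:
        # Application Hive: the hive is identified only by its GUID.
        return ("application_hive", m.group(1).upper(), m.group(2) or "")
    upper = path.upper()
    for root, alias in _ROOTS.items():
        if upper == root or upper.startswith(root + "\\"):
            return ("kernel_root", alias, path[len(root):].lstrip("\\"))
    return ("other", "", path)


def group_by_app_hive(paths):
    """Map each Application Hive GUID to the subkeys touched inside it."""
    hives = defaultdict(list)
    for p in paths:
        kind, hive, subkey = classify_regmod_path(p)
        if kind == "application_hive":
            hives[hive].append(subkey)
    return dict(hives)


# Constructed sample paths (not real telemetry).
SAMPLE_PATHS = [
    r"\REGISTRY\A\{11111111-2222-3333-4444-555555555555}\Root\Settings",
    r"\REGISTRY\A\{11111111-2222-3333-4444-555555555555}",
    r"\REGISTRY\MACHINE\SOFTWARE\Example\Key",
    r"HKLM\SOFTWARE\Example\Key",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(classify_regmod_path(p), "<-", p)
    print(group_by_app_hive(SAMPLE_PATHS))
```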