CB ThreatHunter: Registry operations sometimes display with \REGISTRY\ prefix

Article ID: 285612

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

In some cases, registry operations are displayed with a path of the form:
\REGISTRY\A\{guid}

Environment

  • CB ThreatHunter Web Console: All Versions
  • CB PSC Windows Sensor: 3.4.x.x and higher
  • Microsoft Windows: Vista and higher

Cause

This is caused by a regmod operation taking place in an Application Hive.

Resolution

The sensor is reporting the registry path accurately. More information on Application Hives can be found in the referenced Microsoft article below.
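When triaging exported regmod events, it can help to separate Application Hive paths from the machine and user hives before writing queries or watchlists. The following is an added example, not part of the original article or of any Carbon Black tooling; the function names and the sample paths are constructed for illustration, and it assumes paths arrive as plain strings in the kernel `\REGISTRY\...` form.

```python
import re
from collections import Counter

# \REGISTRY\A\{guid} is the form this article describes for Application Hives.
_APP_HIVE = re.compile(r"^\\REGISTRY\\A\\(\{[0-9a-f-]{36}\})(?:\\(.*))?$", re.IGNORECASE)
# Kernel-namespace roots behind the familiar Win32 hive names.
_KERNEL_ROOTS = {"MACHINE": "HKLM", "USER": "HKU"}


def classify_regmod_path(path):
    """Classify a reported registry path by hive and split off the subkey."""
    path = path.strip().rstrip("\\")
    m = _APP_HIVE.match(path)
    if m:
        # Application Hive: keep the guid so events from one hive can be grouped.
        return {"hive": "application", "guid": m.group(1).lower(), "subkey": m.group(2) or ""}
    parts = path.split("\\")  # e.g. ['', 'REGISTRY', 'MACHINE', 'SOFTWARE', ...]
    if len(parts) >= 3 and parts[0] == "" and parts[1].upper() == "REGISTRY":
        root = _KERNEL_ROOTS.get(parts[2].upper(), "unknown")
        return {"hive": root, "guid": None, "subkey": "\\".join(parts[3:])}
    # Not in kernel form (for example already written as HKLM\...): leave untouched.
    return {"hive": "other", "guid": None, "subkey": path}


def summarize(paths):
    """Count events per hive type, to see how much regmod volume is Application Hive activity."""
    return Counter(classify_regmod_path(p)["hive"] for p in paths)


# Constructed sample paths; the guid and key names are placeholders.
SAMPLE_PATHS = [
    r"\REGISTRY\A\{1B2C3D4E-0000-4000-8000-0123456789AB}\Settings\Cache",
    r"\REGISTRY\A\{1b2c3d4e-0000-4000-8000-0123456789ab}",
    r"\REGISTRY\MACHINE\SOFTWARE\ExampleVendor\Agent",
    r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Example",
    r"HKLM\SOFTWARE\ExampleVendor\Agent",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(classify_regmod_path(p))
    print(dict(summarize(SAMPLE_PATHS)))
```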