Audit and Remediation: Registry Query With Multiple Wildcards Gives No Results


Article ID: 286037

Products

Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)

Issue/Introduction

A registry query with multiple wildcards yields no results. Example:
select * from registry where path like 'HKEY_USERS\%\Software\Microsoft\Office\%\Excel\Security\Trusted Documents\TrustRecords\%'

Environment

  • Carbon Black Cloud Console
    • Audit and Remediation
  • Carbon Black Cloud Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

At the current time, multiple wildcards are not supported. 

Resolution

Use a single wildcard such as:
select * from registry where path like 'HKEY_USERS\%\Software\Microsoft\Office\16\Excel\Security\Trusted Documents\TrustRecords\%'

OR

Query the path at the position where the wildcard would be, to see which paths exist there and therefore need to be included in the query.
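
The second option as a two-step sketch (an added example, not part of the original article). It assumes step 1 is accepted because it has the same wildcard shape as the supported query above; the version value 15 is a constructed sample, and `type = 'subkey'` relies on the `type` column of the osquery registry table.

```sql
-- Step 1: list the subkeys that exist under Office in each loaded user hive.
-- This shows which version keys are actually present on the endpoint.
select path, name
from registry
where path like 'HKEY_USERS\%\Software\Microsoft\Office\%'
  and type = 'subkey';

-- Step 2: run the supported query once per version key returned by step 1
-- and combine the results. 16 is the value used in this article; 15 is a
-- constructed sample. Replace both with the key names step 1 returned.
select * from registry
where path like 'HKEY_USERS\%\Software\Microsoft\Office\16\Excel\Security\Trusted Documents\TrustRecords\%'
union all
select * from registry
where path like 'HKEY_USERS\%\Software\Microsoft\Office\15\Excel\Security\Trusted Documents\TrustRecords\%';
```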
 

Additional Information

https://osquery.io/schema/5.0.1/#registry