EDR: How to Search for Default Registry Locations

Article ID: 289975

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to search for the following registry hives within the EDR Process Search page:
  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS
  • HKEY_CURRENT_CONFIG

Environment

  • EDR Console
  • EDR Cloud

Resolution

  1. Log into the EDR console
  2. Navigate to the 'Process Search' page
  3. Use the search term regmod: followed by the registry key path to search for. The EDR paths that correspond to each standard hive are listed below.
  • HKEY_CLASSES_ROOT
    regmod:registry\machine\software\classes\*
  • HKEY_CURRENT_USER
    regmod:registry\user\<SID OF USER>\*
  • HKEY_LOCAL_MACHINE
    regmod:registry\machine\*
  • HKEY_USERS
    regmod:registry\user\*
  • HKEY_CURRENT_CONFIG
    regmod:registry\machine\system\*