Skip to main content

1E 8.1 (on-premises)

NativeServices.RegistryEnumerateUserKeys

Method

RegistryEnumerateUserKeys

Module

NativeServices

Library

Core

Action

Enumerate the subkeys under a registry key for each user in the HKEY_USERS hive.

Parameters

Subkey (string): The registry key to look for.

Recursive (boolean; optional, default false): Whether to descend recursively or not.

Return values

If Subkey has invalid structure then the result is ExecutionError and the string "Invalid syntax".

If SubKey exists under HKU but cannot be opened by the agent for any user (for any reason) then it is treated as though it does not exist.

If Subkey does not exist for any user then the result is SuccessNoContent.

Otherwise the results issued will have these columns:

  • Name (string): the full path of a key found below the Subkey parameter supplied

  • DefaultValue (string): The string value assigned to the key if set (the value named "(Default)" in RegEdit), or "(value not set)" if not (like RegEdit).

  • Sid (string): The Security Identifier of the user.

  • Username (string): The Windows account that the SID relates to.

Example

NativeServices.RegistryEnumerateUserKeys(Subkey:"software\\vendor", Recursive:true);

Platforms

  • Windows

Notes

REG_MULTI_SZ values are displayed with a '|' between each string.

There is a limit of 8192 subkeys being returned (including the key itself for each user, if it exists). This limit applies to all users in total, not per user. This is currently not changeable.

Warning

This method may attempt to call AD to translate a SID to a username.

The supplied key will appear in the results if it exists, regardless of whether or not it has child keys.

In this section: