Class Registry
The following table lists the possible sections of the class Registry.

| Section | Values | Notes |
|---|---|---|
| Class | Registry | |
| Id | 4000 - 7999 | |
| level | 0, 1, 2, 3, 4 | |
| time | * | |
| user_name | user or system account | |
| application | path + application name | |
| keys or values | registry key or value | See Note 1 |
| old data | Previous data of the value | This section is optional. It is only for directive Modify; see Note 2. |
| new data | New data of the value | This section is optional. It is only for directive Modify or Create; see Note 2. |
| directives -c -d | registry:delete | Deletion of a registry key/value |
| | registry:modify | Modification of the content of a registry value, or of the information of a registry key |
| | registry:permissions | Modification of the permissions of a registry key |
| | registry:read | Obtaining registry key information (number of subkeys, etc.), or the content of a registry value |
| | registry:enumerate | Enumeration of a registry key, that is, listing all of the key's subkeys and values |
Note 1
HKEY_LOCAL_MACHINE in a registry path is replaced by \REGISTRY\MACHINE\ and CurrentControlSet is replaced by ControlSet. For example, the registry value "abc" under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa is represented as \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Control\\Lsa\\abc.
Note 2
The data of the sections old data and new data must be given in hexadecimal. For example, the data 'def' of the registry value "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\abc" must be represented as old_data { Include "%64%65%66"}.
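As an added example (not part of the McAfee documentation), the following Python helpers apply the Note 1 path rewrite and the Note 2 hexadecimal encoding, and check a proposed signature's sections against the value ranges in the table. Case-insensitive path matching, upper-case hex digits and the dict layout of a signature are assumptions.

```python
import re

# Constraints copied from the class Registry table.
ID_RANGE = range(4000, 8000)      # Id: 4000 - 7999
LEVELS = {0, 1, 2, 3, 4}          # level: 0, 1, 2, 3, 4
DIRECTIVES = {"registry:delete", "registry:modify", "registry:permissions",
              "registry:read", "registry:enumerate"}

def normalize_registry_path(path: str) -> str:
    """Note 1 rewrite: HKEY_LOCAL_MACHINE -> \\REGISTRY\\MACHINE and
    CurrentControlSet -> ControlSet, then every backslash doubled as in the
    Note 1 example. Case-insensitive matching is an assumption (registry
    paths themselves are case-insensitive)."""
    path = path.lstrip("\\")  # Note 2 writes the hive with a leading backslash
    path = re.sub(r"^HKEY_LOCAL_MACHINE", r"\\REGISTRY\\MACHINE", path,
                  flags=re.IGNORECASE)
    path = re.sub(r"\\CurrentControlSet\\", r"\\ControlSet\\", path,
                  flags=re.IGNORECASE)
    return path.replace("\\", "\\\\")

def hex_encode(data: bytes) -> str:
    """Note 2 encoding: one %XX per byte (upper-case hex digits assumed)."""
    return "".join(f"%{b:02X}" for b in data)

def data_section(name: str, data: bytes) -> str:
    """Render an old_data / new_data section in the Note 2 form."""
    return f'{name} {{ Include "{hex_encode(data)}"}}'

def check_registry_sections(sig: dict) -> list:
    """Return the table rules a proposed Registry signature breaks ([] if none)."""
    problems = []
    if sig.get("Class") != "Registry":
        problems.append("Class must be Registry")
    if sig.get("Id") not in ID_RANGE:
        problems.append("Id must be within 4000 - 7999")
    if sig.get("level") not in LEVELS:
        problems.append("level must be one of 0, 1, 2, 3, 4")
    directives = set(sig.get("directives", []))
    if not directives or directives - DIRECTIVES:
        problems.append("directives must be registry:delete/modify/permissions/read/enumerate")
    if "old_data" in sig and "registry:modify" not in directives:
        problems.append("old_data is only valid with registry:modify (Note 2)")
    return problems

if __name__ == "__main__":
    # Constructed input: the value used in Note 1 and Note 2.
    print(normalize_registry_path(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\abc"))
    print(data_section("old_data", b"def"))
```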
Copyright © 2006 McAfee, Inc. All Rights Reserved.