https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/run-endpoint-script-registry-get/m-p/541366#M4306 <P>Hi all,</P> <P>I try to run registry_get in the action center, but always fails to run.</P> <P>I check the administrator guide</P> <P>and learned that doesn't seem to work when running&nbsp;<SPAN>specific hives&nbsp;(e.g. /</SPAN><SPAN>HKEY_CURRENT_USER/ )</SPAN></P> <P>&nbsp;</P> <P>So I try to get&nbsp;some registry information in \HKEY_LOCAL_MACHINE\SYSTEM\Cyvera,&nbsp;the content of this script mentions support for accepting registry paths starting with 'COMPUTER\\', but no matter if I add "COMPUTER\\", the final execution result is a failure, then&nbsp;the exception logs all show the following：</P> <LI-CODE lang="markup">Syntax error when running function ' run ' in script: Traceback (most recent call last): File "script_execution.py", line 463, in _execute_script File "C:\ProgramData\Cyvera\Administrators\Temp\payload_execution\26caf6\script.py", line 27, in run with winreg.OpenKey(map_key(registry_hkey), registry_key_path) as key: File "C:\ProgramData\Cyvera\Administrators\Temp\payload_execution\26caf6\script.py", line 61, in map_key return eval(f"winreg.{hkey}") File "&lt;string&gt;", line 1 winreg. ^ SyntaxError: unexpected EOF while parsing </LI-CODE> <P><SPAN>I would like to know&nbsp;</SPAN>what is the correct input method to execute this endpoint script (registry_get).<BR />Is there some sample input and running results for reference?</P> <P>Thanks.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 08 May 2023 06:26:42 GMT Chilla 2023-05-08T06:26:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/run-endpoint-script-registry-get/m-p/541366#M4306 <P>Hi all,</P> <P>I try to run registry_get in the action center, but always fails to run.</P> <P>I check the administrator guide</P> <P>and learned that doesn't seem to work when running&nbsp;<SPAN>specific hives&nbsp;(e.g. /</SPAN><SPAN>HKEY_CURRENT_USER/ )</SPAN></P> <P>&nbsp;</P> <P>So I try to get&nbsp;some registry information in \HKEY_LOCAL_MACHINE\SYSTEM\Cyvera,&nbsp;the content of this script mentions support for accepting registry paths starting with 'COMPUTER\\', but no matter if I add "COMPUTER\\", the final execution result is a failure, then&nbsp;the exception logs all show the following：</P> <LI-CODE lang="markup">Syntax error when running function ' run ' in script: Traceback (most recent call last): File "script_execution.py", line 463, in _execute_script File "C:\ProgramData\Cyvera\Administrators\Temp\payload_execution\26caf6\script.py", line 27, in run with winreg.OpenKey(map_key(registry_hkey), registry_key_path) as key: File "C:\ProgramData\Cyvera\Administrators\Temp\payload_execution\26caf6\script.py", line 61, in map_key return eval(f"winreg.{hkey}") File "&lt;string&gt;", line 1 winreg. ^ SyntaxError: unexpected EOF while parsing </LI-CODE> <P><SPAN>I would like to know&nbsp;</SPAN>what is the correct input method to execute this endpoint script (registry_get).<BR />Is there some sample input and running results for reference?</P> <P>Thanks.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 08 May 2023 06:26:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/run-endpoint-script-registry-get/m-p/541366#M4306 Chilla 2023-05-08T06:26:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/run-endpoint-script-registry-get/m-p/541397#M4309 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/251009">@Chilla</a>&nbsp;</P> <P>&nbsp;</P> <P>Thank you for writing to live community!</P> <P>registry_get script is looking for an individual value instead of the key/subkey name.</P> <P>&nbsp;</P> <P>For example: To grab 'Security Health' value data under run once in Registry_Path look for that value name- "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"&nbsp;</P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> <P>&nbsp;</P> <P>Thank You</P> Mon, 08 May 2023 10:22:19 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/run-endpoint-script-registry-get/m-p/541397#M4309 PiyushKohli 2023-05-08T10:22:19Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/run-endpoint-script-registry-get/m-p/541643#M4319 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/276269">@PiyushKohli</a>&nbsp;</P> <P>Thank you for your response.&nbsp;<span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span></P> Wed, 10 May 2023 03:33:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/run-endpoint-script-registry-get/m-p/541643#M4319 Chilla 2023-05-10T03:33:43Z