Find computers with specific registry key

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Find computers with specific registry key

L3 Networker

Hi,

Is it possible to find computers which have specific registry key set to particular value using Cortex XDR? I'm not looking for registry modification just for existence. If so, could you tell me how to do this please?

2 accepted solutions

Accepted Solutions

L5 Sessionator

Hi @Piotr_Kowalczyk , thanks for using the Live Community!

 

The Cortex XDR Console comes with a script to check the value of a registry entry:

 

jmazzeo_0-1697550664646.png

You set the path, and this will return the value, and type.

 

If you need to receive a "Exists/Non-exists" return answer from a particular key and the value, then a custom script will be the approach to solve it.

JM

View solution in original post

@Piotr_Kowalczyk you don't need to connect to each computer!

  • The script can be run from Incident Response -> Action Center -> Agent Script Library, then look for the script and select Run.

 

jmazzeo_0-1697551392520.png

  • Then set the registry key.

jmazzeo_1-1697551505426.png

 

  • And define the target, can be many endpoints at the same time. You only need to select the right filter, can be wildcard like when you assign a profile with the policy.

 

jmazzeo_2-1697551606433.png

(this example is my test VM, based in my prefix "JM")

 

  • Click NEXT, review the settings and click "Run".

 

  • You can see the result in the Action Center - All Actions with right-click -> Additional Data.

jmazzeo_3-1697551835858.png

 

JM

View solution in original post

4 REPLIES 4

L5 Sessionator

Hi @Piotr_Kowalczyk , thanks for using the Live Community!

 

The Cortex XDR Console comes with a script to check the value of a registry entry:

 

jmazzeo_0-1697550664646.png

You set the path, and this will return the value, and type.

 

If you need to receive a "Exists/Non-exists" return answer from a particular key and the value, then a custom script will be the approach to solve it.

JM

Thank you for your reply.

 

My understanding is that this will require to connect with console to particular machine? If so, unfortunately this is not solution which I'm looking for as I need to find all computers (perhaps a few hundreds) which have particular registry value. 

@Piotr_Kowalczyk you don't need to connect to each computer!

  • The script can be run from Incident Response -> Action Center -> Agent Script Library, then look for the script and select Run.

 

jmazzeo_0-1697551392520.png

  • Then set the registry key.

jmazzeo_1-1697551505426.png

 

  • And define the target, can be many endpoints at the same time. You only need to select the right filter, can be wildcard like when you assign a profile with the policy.

 

jmazzeo_2-1697551606433.png

(this example is my test VM, based in my prefix "JM")

 

  • Click NEXT, review the settings and click "Run".

 

  • You can see the result in the Action Center - All Actions with right-click -> Additional Data.

jmazzeo_3-1697551835858.png

 

JM

L3 Networker

This is exactly what I was looking for! Thank you!

  • 2 accepted solutions
  • 1715 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!