Running a registry based query


Hello,

We have some computers for which we need to find out a specific registry value in order to be able to update their OS.
The path: HKEY_LOCAL_MACHINE\software\policies\Microsoft\Windows\WindowsUpdate\AU

The value (Dword): NoAutoUpdate

I want to find out which computers that are onboarded to Defender for Endpoint have this registry value set to "1"/On.

Thanks for help


4 Replies
Why not just Advanced Hunting and query the registry from there?
That's what I am trying to do but I can't find the correct syntax

@UBBER2290 

Head into Advanced hunting - Microsoft 365 security

Use this to start with:

DeviceRegistryEvents
| limit 100

Then pivot from there using show filters?
For instance I have recently been wanting to track Macros that have been executed, so I'm looking for this in TrustedRecords using this KQL

DeviceRegistryEvents
| where RegistryKey has @"SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords"
| project Timestamp, DeviceName, RegistryValueName
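Applying the same pattern to the question asked in this thread, here is a query for the NoAutoUpdate value. This is an added example, not code posted by anyone in the thread; it assumes the default DeviceRegistryEvents schema in Microsoft 365 Defender Advanced Hunting, where RegistryValueData is stored as a string (so the DWORD 1 shows up as "1"), and it uses arg_max so that a later revert or deletion on the same device wins over an earlier set:

```kql
// Added example (not from the original thread): which onboarded devices
// were last seen setting NoAutoUpdate = 1 under the WindowsUpdate\AU policy key.
DeviceRegistryEvents
| where Timestamp > ago(30d)
| where RegistryKey has @"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
// value-level events carry the value name; a key deletion does not, so keep those too
| where RegistryValueName =~ "NoAutoUpdate" or ActionType == "RegistryKeyDeleted"
| where ActionType in ("RegistryValueSet", "RegistryValueDeleted", "RegistryKeyDeleted")
// most recent relevant event per device decides the current state
| summarize arg_max(Timestamp, ActionType, RegistryValueData, ReportId) by DeviceId, DeviceName
| where ActionType == "RegistryValueSet" and RegistryValueData == "1"
| project DeviceId, DeviceName, LastSetAt = Timestamp, RegistryValueData
| order by LastSetAt desc
```

One caveat a practitioner should keep in mind: DeviceRegistryEvents records registry changes the sensor observed, not a snapshot of the registry. A device whose value was set before it was onboarded, or before the Advanced Hunting retention window, will not appear in the results even though the value is still 1 on disk. For a true point-in-time inventory, confirm with a direct registry read (for example through Live Response or your configuration-management tooling) and treat the hunting query as the list of devices known to have changed the value recently.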