Registry Value

The data of the registry value. Where the value type is known, implementers should instead use a type-specific attribute, i.e. reg_binary_data, reg_integer_data, reg_string_data, or reg_string_list_data.

The indication of whether the value is from a default value name. For example, the value name could be missing.

The indication of whether the object is part of the operating system.

The time when the registry value was last modified.

Entity:REGISTRY_VALUE_OBJECT_NAME
The name of the registry value.

Entity:REGISTRY_KEY_PATH
The full path to the registry key, where the value is located.

Group:context
The event data as received from the event source.

Group:primary
Unique identifier for the object

The data of the registry value when type_id is REG_BINARY or REG_NONE.

The data of the registry value when type_id is REG_DWORD, REG_DWORD_BIG_ENDIAN, or REG_QWORD.

The data of the registry value when type_id is REG_SZ, REG_EXPAND_SZ, or REG_LINK.

The data of the registry value when type_id is REG_MULTI_SZ.

A string representation of the value type as specified in Registry Value Types.

The value type ID.

• 1: REG_BINARY (REG_BINARY)
• 2: REG_DWORD (REG_DWORD)
• 3: REG_DWORD_BIG_ENDIAN (REG_DWORD_BIG_ENDIAN)
• 4: REG_EXPAND_SZ (REG_EXPAND_SZ)
• 5: REG_LINK (REG_LINK)
• 6: REG_MULTI_SZ (REG_MULTI_SZ)
• 7: REG_NONE (REG_NONE)
• 8: REG_QWORD (REG_QWORD)
• 9: REG_QWORD_LITTLE_ENDIAN (REG_QWORD_LITTLE_ENDIAN)
• 10: REG_SZ (REG_SZ)
• 0: Unknown (UNKNOWN)
• 99: Other (OTHER)

Data from the source that was not mapped into the schema.