Registry Value

The registry value object describes a Windows registry value.

Attributes

Caption	Name	Type	Description
Data	`data`	JSON	The data of the registry value.
Default Value	`is_default`	Boolean	The indication of whether the value is from a default value name. For example, the value name could be missing.
System	`is_system`	Boolean	The indication of whether the object is part of the operating system.
Modified Time	`modified_time`	Timestamp	The time when the registry value was last modified.
Name	`name`	String	The name of the registry value.
Path	`path`	String	The full path to the registry key, where the value is located.
Raw Data	`raw_data`	JSON	The event data as received from the event source.
Record ID	`record_id`	String	Unique identifier for the object
Type	`type`	String	A string representation of the value type as specified in Registry Value Types.
Type ID	`type_id`	Integer	The value type ID. `0`: Unknown (`UNKNOWN`) `1`: REG_BINARY (`REG_BINARY`) `10`: REG_SZ (`REG_SZ`) `2`: REG_DWORD (`REG_DWORD`) `3`: REG_DWORD_BIG_ENDIAN (`REG_DWORD_BIG_ENDIAN`) `4`: REG_EXPAND_SZ (`REG_EXPAND_SZ`) `5`: REG_LINK (`REG_LINK`) `6`: REG_MULTI_SZ (`REG_MULTI_SZ`) `7`: REG_NONE (`REG_NONE`) `8`: REG_QWORD (`REG_QWORD`) `9`: REG_QWORD_LITTLE_ENDIAN (`REG_QWORD_LITTLE_ENDIAN`) `99`: Other (`OTHER`)
Unmapped Data	`unmapped`	Unmapped[]	The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.

These objects and events reference Registry Value in their attributes:

Registry Value references the following objects and events in its attributes:

This page describes qdm-1.3.2+ocsf-1.3.0