I'm looking to create a compound registry query to read the value "Type" of an unknown Services key and then display several values of that key. I cannot use the (DisplayName of it, Imagepath of it) of it as this is blocked by the services I am looking for. Malware also blocks SC Query and WMI requests.
So it must be done using Registry keys.
This part works:
Q: if exists ((values "Type" of keys of keys "HKLM\System\CurrentControlSet\Services" of x64 registry) as string) whose (it = "272")
This part does not work: I want the DisplayName key data value of "Beep" to display
then ((values "DisplayName" of keys of keys "HKLM\System\CurrentControlSet\Services" of x64 registry) as string) whose ("Type" of "Beep" = "1") else "No Key"
I used "Beep" as an example which has to be the Service Key the if exists finds. I would like to read the following values of each key with "Type value = 272" or any other value I am looking for. They can be four separate Properties in the analysis. That would be fine.
1. Services\unknown - Actual Key name whose Type value = 272 or 120 HEX
Seems simple enough, but can't get it.
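
One way to express the lookup described in this post, as an added example that is not part of the original post: filter the subkeys of Services on their "Type" value first, then return each matching key's name together with its values. The fallback strings after `|` are constructed, and the expression assumes a client version that supports the `|` operator and `/* */` comments.

```relevance
/* Added example. The fallback strings after | are constructed placeholders. */
(
  name of it,
  (value "DisplayName" of it as string | "No DisplayName"),
  (value "ImagePath" of it as string | "No ImagePath"),
  (value "Type" of it as string | "No Type")
) of keys whose (
  exists value "Type" of it
  and value "Type" of it as string = "272"
) of keys "HKLM\System\CurrentControlSet\Services" of x64 registry
```

For separate analysis properties, keep the `of keys whose (...) of keys ...` tail unchanged and place a single element in front of it per property.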