What is a Recursive Registry Rule

 

Recursive Registry Rule:

A Recursive Registry rule is one where you select a root registry key and then select a valuename from a sub key.

(Confusing, huh? But it's not really.)

Although it's a little tricky to understand at first, once you practice a couple of Recursive Registry rules you'll understand it better.

 

Sample:

In this sample we want to recurse the sub keys under "MultifunctionAdapter". The first sub key is "\0" and the valuename is "Identifier".

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0

 

In order to recurse all the sub keys that hold a particular valuename, our MOF would point to

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter

 

and request this value.

valuename=Identifier

 

The valuename "Identifier" is found within the sub key "\0" and possibly other sub keys under "MultifunctionAdapter". What our rule does is recurse all the sub keys under "MultifunctionAdapter" until it finds matches to the valuename "Identifier"; it will then report the sub key name and the value of "Identifier" to the inventoried data gathered by your rule.

 

 

 

This would return all the sub keys under the root key and return the value for valuename (Identifier) within each of the sub keys, plus list all the sub key names into inventory as well.

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter

\0

Identifier=PCI BIOS

\1

Identifier=PCI

\2

Identifier=PCI

\3

Identifier=APM

\4

Identifier=PNP BIOS

 

NOTE: The root key (HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\) is not reported back, only the sub key and the valuename value. A sub key is only returned if the valuename is found.

 

As you can see above, you can get the sub keys of \MultifunctionAdapter\ without actually pointing directly to them. This method gives you easy enumeration of data.
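
To preview on a single machine what such a rule would report before the rule is deployed, the PowerShell below walks the root key the same way. It is an added example, not part of the original page or of the DudeWorks tool; the function name Get-RecursiveRulePreview is hypothetical, and it assumes the rule looks only at the direct sub keys of the root key, as in the sample above.

```powershell
# Added example (hypothetical helper, not the tool's own code).
# Lists each direct sub key of a root key that holds a given valuename,
# mirroring what the sample rule reports: sub key name + value only.
function Get-RecursiveRulePreview {
    param(
        [Parameter(Mandatory)][string]$RootKey,    # PowerShell registry path, e.g. HKLM:\...
        [Parameter(Mandatory)][string]$ValueName   # the valuename the rule requests
    )

    if (-not (Test-Path -LiteralPath $RootKey)) {
        Write-Warning "Root key not found: $RootKey"
        return
    }

    # Assumption: only direct sub keys are examined (\0, \1, ... in the sample).
    foreach ($sub in Get-ChildItem -LiteralPath $RootKey -ErrorAction SilentlyContinue) {
        # A sub key is reported only when the valuename exists in it.
        # -contains is case-insensitive, like registry value names.
        if ($sub.GetValueNames() -contains $ValueName) {
            [pscustomobject]@{
                SubKey    = '\' + $sub.PSChildName   # root key itself is not reported
                ValueName = $ValueName
                Value     = $sub.GetValue($ValueName)
            }
        }
    }
}

# Root key and valuename from the sample on this page.
Get-RecursiveRulePreview `
    -RootKey 'HKLM:\HARDWARE\DESCRIPTION\System\MultifunctionAdapter' `
    -ValueName 'Identifier' |
    Format-Table -AutoSize
```

Sub keys that do not contain the valuename produce no row, which matches the NOTE above; an empty result means no sub key under that root holds the valuename on that machine.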

 

 

© DudeWorks Inc. 2008