Win_Registry_Key_Object 2.0.1 (09/19/2013)

This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.

The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML.

Copyright (c) 2012-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.

The Windows_Registry_Key object characterizes Windows registry objects, including keys and key/value pairs. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724871(v=vs.85).aspx

WindowsRegistryObjectType

The WindowsRegistryObjectType type is intended to characterize Windows registry objects, including keys and key/value pairs. Its fields are:

  Key: the full path of the key below its hive, not including the hive itself (the hive is carried separately in Hive, so a consumer reconstructs the absolute path as Hive + "\" + Key).
  Hive: the Windows registry hive to which the registry object belongs.
  Number_Values: the number of values found in the registry key.
  Values: the values (with their name/data pairs) held within the registry key.
  Modified_Time: the last date/time that the registry object was modified.
  Creator_Username: the name of the user who created the registry object.
  Handle_List: a list of open handles for this registry object.
  Number_Subkeys: the number of subkeys contained under the registry key.
  Subkeys: the set of subkeys contained under the registry key.
  Byte_Runs: a list of byte runs from the raw registry.

RegistryValueType

The RegistryValueType type is intended to characterize Windows registry value name/data pairs. Its fields are:

  Name: the name of the registry value.
  Data: the data contained in the registry value.
  Datatype: the registry (REG_*) datatype used in the registry value.
  Byte_Runs: a list of byte runs from the raw registry key entry.

Registry_Datatype

Registry_Datatype specifies Windows registry datatypes via a union of the RegistryDataTypesEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, which permits complex (i.e. regular-expression based) specifications. Its datatype attribute is optional and specifies the expected type for the value of the specified property. Because of the union with xs:string, a conforming instance may carry a value that is not one of the enumeration literals (for example a pattern); consumers that expect a plain REG_* name should check for that rather than assume it.

RegistryHiveType

RegistryHiveType specifies Windows registry hive types via a union of the RegistryHiveEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, which permits complex (i.e. regular-expression based) specifications. Its datatype attribute is optional and specifies the expected type for the value of the specified property. The same caveat applies: a hive value is not guaranteed to be an HKEY_* literal.

RegistryDataTypesEnum

The RegistryDataTypesEnum type is an enumeration of Windows registry datatypes (REG_*). See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724884(v=vs.85).aspx and http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=361. The literals correspond to the Windows REG_* constants, in the same order as the Windows documentation:

  REG_NONE: No defined value type.
  REG_SZ: A null-terminated string. This will be either a Unicode or an ANSI string, depending on whether you use the Unicode or ANSI functions.
  REG_EXPAND_SZ: A null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%"). It will be a Unicode or ANSI string depending on whether you use the Unicode or ANSI functions.
  REG_BINARY: Binary data in any form.
  REG_DWORD: A 32-bit number.
  REG_DWORD_BIG_ENDIAN: A 32-bit number in big-endian format. Some UNIX systems support big-endian architectures.
  REG_LINK: A null-terminated Unicode string that contains the target path of a symbolic link.
  REG_MULTI_SZ: A sequence of null-terminated strings, terminated by an empty string (\0).
  REG_RESOURCE_LIST: A series of nested arrays designed to store a resource list used by a hardware device driver or one of the physical devices it controls. This data is detected and written into the ResourceMap tree by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.
  REG_FULL_RESOURCE_DESCRIPTOR: A series of nested arrays designed to store a resource list used by a physical hardware device. This data is detected and written into the HardwareDescription tree by the system and is displayed in Registry Editor in hexadecimal format as a Binary Value.
  REG_RESOURCE_REQUIREMENTS_LIST: A device driver's list of hardware resource requirements in the ResourceMap tree. See http://www.mdgx.com/reg.htm
  REG_QWORD: A 64-bit number.
  REG_INVALID_TYPE: Specifies an invalid key.

RegistryHiveEnum

The RegistryHiveEnum type is an enumeration of Windows registry hives (HKEY_*). See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724836(v=vs.85).aspx

  HKEY_CLASSES_ROOT: Registry entries subordinate to this key define types (or classes) of documents and the properties associated with those types. Shell and COM applications use the information stored under this key.
  HKEY_CURRENT_CONFIG: Contains information about the current hardware profile of the local computer system. The information under HKEY_CURRENT_CONFIG describes only the differences between the current hardware configuration and the standard configuration.
  HKEY_CURRENT_USER: Registry entries subordinate to this key define the preferences of the current user. These preferences include the settings of environment variables, data about program groups, colors, printers, network connections, and application preferences. This key makes it easier to establish the current user's settings; the key maps to the current user's branch in HKEY_USERS.
  HKEY_LOCAL_MACHINE: Registry entries subordinate to this key define the physical state of the computer, including data about the bus type, system memory, and installed hardware and software.
  HKEY_USERS: Registry entries subordinate to this key define the default user configuration for new users on the local computer and the user configuration for the current user.
  HKEY_CURRENT_USER_LOCAL_SETTINGS: Registry entries subordinate to this key define preferences of the current user that are local to the machine. These entries are not included in the per-user registry portion of a roaming user profile.
  HKEY_PERFORMANCE_DATA: Registry entries subordinate to this key allow you to access performance data. The data is not actually stored in the registry; the registry functions cause the system to collect the data from its source.
  HKEY_PERFORMANCE_NLSTEXT: Registry entries subordinate to this key reference the text strings that describe counters in the local language of the area in which the computer system is running. These entries are not available to Regedit.exe and Regedt32.exe.
  HKEY_PERFORMANCE_TEXT: Registry entries subordinate to this key reference the text strings that describe counters in US English. These entries are not available to Regedit.exe and Regedt32.exe.

RegistryValuesType and RegistrySubkeysType

The RegistryValuesType type specifies the values (with their name/data pairs) held within the registry key. Its Value field specifies a single value (with name/data pair) held within the registry key.

The RegistrySubkeysType type specifies the set of subkeys contained under the registry key. Its Subkey field specifies a single subkey contained under the registry key.
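The following is an added example, not part of the CybOX schema or of MITRE's tooling, showing how a consumer would read a WindowsRegistryObjectType instance (the Key/Hive/Values structure described above), enforce the points the schema leaves open (a Hive or Datatype that is not an enumeration literal, a Key that wrongly includes the hive, a Number_Values that disagrees with the Value elements present), and decode raw value bytes according to the REG_* rules in the RegistryDataTypesEnum section. The namespace URI, the xsi:type name and the exact enumeration literal spellings are assumptions (they are taken to match the Windows HKEY_*/REG_* constants); the sample XML is constructed for the example.

```python
"""Parse and sanity-check a CybOX 2.0.1 Windows Registry Key object.

Added example, not part of the CybOX schema or MITRE tooling. Assumed:
the namespace URI, the xsi:type name, and that the RegistryHiveEnum and
RegistryDataTypesEnum literals match the Windows HKEY_*/REG_* constants.
"""
import struct
import xml.etree.ElementTree as ET

WRK = "http://cybox.mitre.org/objects#WinRegistryKeyObject-2"   # assumed
NS = {"WinRegistryKeyObj": WRK, "cybox": "http://cybox.mitre.org/cybox-2"}

REGISTRY_HIVES = frozenset({
    "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKEY_CURRENT_USER",
    "HKEY_LOCAL_MACHINE", "HKEY_USERS", "HKEY_CURRENT_USER_LOCAL_SETTINGS",
    "HKEY_PERFORMANCE_DATA", "HKEY_PERFORMANCE_NLSTEXT", "HKEY_PERFORMANCE_TEXT",
})
REGISTRY_DATATYPES = frozenset({
    "REG_NONE", "REG_SZ", "REG_EXPAND_SZ", "REG_BINARY", "REG_DWORD",
    "REG_DWORD_BIG_ENDIAN", "REG_LINK", "REG_MULTI_SZ", "REG_RESOURCE_LIST",
    "REG_FULL_RESOURCE_DESCRIPTOR", "REG_RESOURCE_REQUIREMENTS_LIST",
    "REG_QWORD", "REG_INVALID_TYPE",
})

# Constructed sample: a Run-key persistence entry. Number_Values is
# deliberately 3 (two values are present) and one Datatype is misspelled,
# so check_registry_key() has something to report.
SAMPLE_XML = f"""<cybox:Properties xmlns:cybox="{NS['cybox']}"
    xmlns:WinRegistryKeyObj="{WRK}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
  <WinRegistryKeyObj:Key>Software\\Microsoft\\Windows\\CurrentVersion\\Run</WinRegistryKeyObj:Key>
  <WinRegistryKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive>
  <WinRegistryKeyObj:Number_Values>3</WinRegistryKeyObj:Number_Values>
  <WinRegistryKeyObj:Values>
    <WinRegistryKeyObj:Value>
      <WinRegistryKeyObj:Name>Updater</WinRegistryKeyObj:Name>
      <WinRegistryKeyObj:Data>%SystemRoot%\\Temp\\updater.exe</WinRegistryKeyObj:Data>
      <WinRegistryKeyObj:Datatype>REG_EXPAND_SZ</WinRegistryKeyObj:Datatype>
    </WinRegistryKeyObj:Value>
    <WinRegistryKeyObj:Value>
      <WinRegistryKeyObj:Name>Flags</WinRegistryKeyObj:Name>
      <WinRegistryKeyObj:Data>1</WinRegistryKeyObj:Data>
      <WinRegistryKeyObj:Datatype>REG_DWORD32</WinRegistryKeyObj:Datatype>
    </WinRegistryKeyObj:Value>
  </WinRegistryKeyObj:Values>
</cybox:Properties>"""


def _text(elem, tag):
    child = elem.find(f"WinRegistryKeyObj:{tag}", NS)
    return child.text if child is not None else None


def parse_registry_key(xml_text):
    """Return the Hive, Key, Number_Values and Value name/data/datatype triples."""
    root = ET.fromstring(xml_text)
    values = [{"name": _text(v, "Name"), "data": _text(v, "Data"),
               "datatype": _text(v, "Datatype")}
              for v in root.findall("WinRegistryKeyObj:Values/WinRegistryKeyObj:Value", NS)]
    nv = _text(root, "Number_Values")
    return {"hive": _text(root, "Hive"), "key": _text(root, "Key"),
            "number_values": int(nv) if nv is not None else None, "values": values}


def check_registry_key(obj):
    """Findings for things the xs:string unions allow but a consumer should not trust."""
    findings = []
    hive, key = obj["hive"], obj["key"] or ""
    if hive not in REGISTRY_HIVES:
        findings.append(f"Hive {hive!r} is not a RegistryHiveEnum literal")
    if key.split("\\", 1)[0].upper().startswith("HKEY_"):
        findings.append("Key includes the hive; Key is the path below the hive")
    if obj["number_values"] is not None and obj["number_values"] != len(obj["values"]):
        findings.append(f"Number_Values={obj['number_values']} but {len(obj['values'])} Value elements")
    for v in obj["values"]:
        if v["datatype"] not in REGISTRY_DATATYPES:
            findings.append(f"Datatype {v['datatype']!r} is not a RegistryDataTypesEnum literal")
    return findings


def full_path(obj):
    """Absolute path as an analyst would write it: hive, backslash, key."""
    return f"{obj['hive']}\\{obj['key']}"


def decode_registry_data(datatype, raw):
    """Decode raw value bytes per the REG_* rules (UTF-16LE strings, as RegQueryValueExW returns)."""
    if datatype in ("REG_SZ", "REG_EXPAND_SZ", "REG_LINK"):
        return raw.decode("utf-16-le").split("\x00", 1)[0]   # stop at the terminator
    if datatype == "REG_MULTI_SZ":
        out = []
        for s in raw.decode("utf-16-le").split("\x00"):
            if s == "":                                      # empty string ends the sequence
                break
            out.append(s)
        return out
    if datatype == "REG_DWORD":
        return struct.unpack("<I", raw[:4])[0]
    if datatype == "REG_DWORD_BIG_ENDIAN":
        return struct.unpack(">I", raw[:4])[0]
    if datatype == "REG_QWORD":
        return struct.unpack("<Q", raw[:8])[0]
    if datatype in REGISTRY_DATATYPES:                       # REG_BINARY, REG_NONE, resource lists: opaque
        return bytes(raw)
    raise ValueError(f"unknown datatype {datatype!r}")
```

Note that decode_registry_data treats the same four bytes differently for REG_DWORD and REG_DWORD_BIG_ENDIAN, which is exactly why the Datatype field matters when comparing observed data against an indicator: b"\x01\x00\x00\x00" is 1 in one and 16777216 in the other.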