Heads up! These docs are for STIX 1.1.1, which is not the latest version (1.2).

WindowsRegistryKeyObjectType
Win Registry Key Object Schema

The WindowsRegistryObjectType type is intended to characterize Windows registry objects, including Keys and Key/Value pairs.


Fields

| Field Name | Type | Description |
|---|---|---|
| @object_reference (optional) | QName | The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to. |
| Custom_Properties (0..1) | CustomPropertiesType | The Custom_Properties construct is optional and enables the specification of a set of custom Object Properties that may not be defined in existing Properties schemas. |
| Key (0..1) | StringObjectPropertyType | The Key field specifies the full key to the Windows registry object, not including the hive. |
| Hive (0..1) | RegistryHiveType | The Hive field specifies the Windows registry hive to which the registry object belongs. |
| Number_Values (0..1) | UnsignedIntegerObjectPropertyType | The Number_Values field specifies the number of values found in the registry key. |
| Values (0..1) | RegistryValuesType | The Values field specifies the values (with their name/data pairs) held within the registry key. |
| Modified_Time (0..1) | DateTimeObjectPropertyType | The Modified_Time field specifies the last date/time that the registry object was modified. |
| Creator_Username (0..1) | StringObjectPropertyType | The Creator_Username field specifies the name of the user who created the registry object. |
| Handle_List (0..1) | WindowsHandleListType | The Handle_List field specifies a list of open Handles for this registry object. |
| Number_Subkeys (0..1) | UnsignedIntegerObjectPropertyType | The Number_Subkeys field specifies the number of subkeys contained under the registry key. |
| Subkeys (0..1) | RegistrySubkeysType | The Subkeys field specifies the set of subkeys contained under the registry key. |
| Byte_Runs (0..1) | ByteRunsType | The Byte_Runs field contains a list of byte runs from the raw registry. |
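
An added example (not part of the STIX documentation): a consumer that reads these fields from one registry key instance, enforces the 0..1 occurrence limits, and rebuilds the full path from Hive and Key, since Key excludes the hive. The namespace URI, the Name/Data children under Values/Value, and the sample instance are assumptions or constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: CybOX 2.x namespace URI of the Win Registry Key object schema.
NS = {"w": "http://cybox.mitre.org/objects#WinRegistryKeyObject-2"}
# Simple-content fields listed above as 0..1 that this example reads.
SINGLE_FIELDS = ("Key", "Hive", "Number_Values", "Number_Subkeys",
                 "Modified_Time", "Creator_Username")

# Constructed sample instance (not taken from any real report).
SAMPLE = r"""
<w:Properties xmlns:w="http://cybox.mitre.org/objects#WinRegistryKeyObject-2">
  <w:Key>Software\ExampleVendor\ExampleApp</w:Key>
  <w:Hive>HKEY_CURRENT_USER</w:Hive>
  <w:Number_Values>1</w:Number_Values>
  <w:Values>
    <w:Value><w:Name>InstallPath</w:Name><w:Data>C:\Example</w:Data></w:Value>
  </w:Values>
</w:Properties>
"""

def parse_registry_key(xml_text):
    """Return the fields of one registry key object as a dict."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    out = {}
    for field in SINGLE_FIELDS:
        found = root.findall(f"w:{field}", NS)
        if len(found) > 1:  # the field table gives these as 0..1
            raise ValueError(f"{field} occurs {len(found)} times, at most 1 allowed")
        if found:
            out[field] = (found[0].text or "").strip()
    # Key does not include the hive, so the full path needs both fields.
    if "Hive" in out and "Key" in out:
        out["full_path"] = out["Hive"] + "\\" + out["Key"].lstrip("\\")
    # Assumption: each Values/Value element carries Name and Data children.
    out["values"] = {
        v.findtext("w:Name", "", NS): v.findtext("w:Data", "", NS)
        for v in root.findall("w:Values/w:Value", NS)
    }
    # Flag a Number_Values count that disagrees with the values listed.
    declared = out.get("Number_Values")
    out["count_mismatch"] = (bool(out["values"]) and declared is not None
                             and int(declared) != len(out["values"]))
    return out
```

Every field is optional, so a consumer should treat a missing Hive or Key as normal and only build `full_path` when both are present.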