Search Registry Data

Searches through parsed Windows Registry data using text queries, filters, and time ranges. Enables rapid investigation of Registry keys, values, persistence mechanisms, and configuration changes.

Search Registry Data

Searches through parsed Windows Registry data using text queries, filters, and time ranges. Enables rapid investigation of Registry keys, values, persistence mechanisms, and configuration changes.

API Endpoint

POST /analysis/registry/search

HTTP Headers

Content-Type: application/json
X-Cursed-Api-Token: API token for authentication
X-Cursed-Api-Enc-Key: Encryption key for authenticated users (required if using encrypted job results)

Request Method

POST

Parameters

Request Body (JSON):

Parameter	Type	Required	Description
`job_id`	UUID	Yes	Job ID from a completed Registry parse operation
`search`	string	Yes	Search query text to match against Registry data
`filter`	array	No	Array of filter criteria objects
`page`	integer	No	Page number for pagination (1-10, default: 1)
`show`	integer	No	Number of results per page (1-100, default: 10)
`start_time`	integer	No	Start timestamp filter (Unix milliseconds)
`end_time`	integer	No	End timestamp filter (Unix milliseconds)
`browse_events`	boolean	Yes	Whether to browse raw Registry data or summary insights

Filter Criteria Schema

{
  "field": "string",
  "operator": "string",
  "value": "string"
}

Supported Filter Operators

Operator	Description
`equals`	Exact match
`not_equals`	Not equal to
`contains`	Contains substring
`does_not_contain`	Does not contain substring
`starts_with`	Starts with substring
`ends_with`	Ends with substring

Request Body Schema

{
  "job_id": "string (UUID)",
  "search": "string",
  "filter": [
    {
      "field": "string",
      "operator": "string",
      "value": "string"
    }
  ],
  "page": 1,
  "show": 10,
  "start_time": 1705395000000,
  "end_time": 1705481400000,
  "browse_events": true
}

Response Format

Success Response (200 OK) - Browse Events Mode:

{
  "insights": [
    {
      "IndexTable": {
        "title": "Registry Table",
        "data": [
          [
            [
              "SOFTWARE",
              "ROOT",
              "Microsoft\\Windows\\CurrentVersion\\Run",
              "2024-01-15 14:30:22"
            ],
            {
              "ValueType": "RegSZ",
              "ValueName": "SecurityHealth",
              "Value": "%windir%\\system32\\SecurityHealthSystray.exe"
            }
          ]
        ],
        "columns": [
          "File Name",
          "Root Key",
          "Key",
          "Last Write Time",
          "Registry Data"
        ],
        "category": "General"
      }
    }
  ]
}

Error Response (400 Bad Request):

{
  "error": "Job not found"
}

{
  "error": "Job not completed"
}

{
  "error": "Invalid time range"
}

Error Codes

HTTP Status	Description
200	Success - Search results retrieved
400	Bad Request - Invalid job ID or search parameters
401	Unauthorized - Missing authentication
403	Forbidden - Encryption key required for private job
404	Not Found - Job not found
500	Internal Server Error - Server processing error

Example cURL Commands

Basic Registry Search

curl -X POST https://api.cursedtools.com/analysis/registry/search \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "job_id": "79f49d06-d80b-463d-9b3c-1f54c87ae95c",
    "search": "run",
    "page": 1,
    "show": 25,
    "browse_events": true
  }'

Search with Filters and Time Range

curl -X POST https://api.cursedtools.com/analysis/registry/search \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "job_id": "79f49d06-d80b-463d-9b3c-1f54c87ae95c",
    "search": "persistence",
    "filter": [
      {
        "field": "root_key",
        "operator": "equals",
        "value": "HKEY_LOCAL_MACHINE"
      },
      {
        "field": "details.ValueType",
        "operator": "equals",
        "value": "RegSZ"
      }
    ],
    "start_time": 1705395000000,
    "end_time": 1705481400000,
    "page": 1,
    "show": 50,
    "browse_events": true
  }'

Search Capabilities

Text Search

Full-text search across all Registry fields
Case-insensitive matching
Partial string matching
Binary data search (UTF-8 and UTF-16)
Key path and value name searching

Filterable Fields

Common fields available for filtering:

file_name - Registry hive filename
root_key - Registry root key
key - Registry key path
details.ValueType - Registry value type (RegSZ, RegDWord, etc.)
details.ValueName - Registry value name
details.Value - Unified value field (searches string, binary, and list data)
details.LastWriteTime - Key last write timestamp

Registry Value Types

RegSZ: String values
RegExpandSZ: Expandable string values
RegDWord: 32-bit integer values
RegQWord: 64-bit integer values
RegBinary: Binary data (searchable as hex and text)
RegMultiSZ: Multi-string values

Time Range Filtering

Unix timestamp in milliseconds
Filters based on Registry key modification timestamps
Efficient querying of configuration change periods

Browse Modes

Browse Events (true)

Searches raw Registry key and value data
Individual Registry entries
Detailed value type and binary data
Forensic-level Registry analysis

Browse Summary (false)

Searches processed Registry insights
Aggregated artifact analysis
High-level configuration patterns
Timeline correlation data

Example Use Cases

Hunt for Persistence Mechanisms

curl -X POST https://api.cursedtools.com/analysis/registry/search \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "job_id": "job-uuid",
    "search": "run",
    "filter": [
      {
        "field": "key",
        "operator": "contains",
        "value": "CurrentVersion\\Run"
      }
    ],
    "browse_events": true
  }'

Search for Suspicious Services

curl -X POST https://api.cursedtools.com/analysis/registry/search \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "job_id": "job-uuid",
    "search": "service",
    "filter": [
      {
        "field": "key",
        "operator": "contains",
        "value": "Services"
      },
      {
        "field": "details.ValueName",
        "operator": "equals",
        "value": "ImagePath"
      }
    ],
    "browse_events": true
  }'

User Activity Investigation

curl -X POST https://api.cursedtools.com/analysis/registry/search \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "job_id": "job-uuid",
    "search": "userassist",
    "filter": [
      {
        "field": "key",
        "operator": "contains",
        "value": "UserAssist"
      }
    ],
    "browse_events": true
  }'

Binary Data Search

curl -X POST https://api.cursedtools.com/analysis/registry/search \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "job_id": "job-uuid",
    "search": "malicious-domain.com",
    "filter": [
      {
        "field": "details.ValueType",
        "operator": "equals",
        "value": "RegBinary"
      }
    ],
    "browse_events": true
  }'

Timeline Analysis

curl -X POST https://api.cursedtools.com/analysis/registry/search \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "job_id": "job-uuid",
    "search": "",
    "start_time": 1705395000000,
    "end_time": 1705481400000,
    "page": 1,
    "show": 100,
    "browse_events": true
  }'

Performance Tips

Efficient Searching

Use specific key paths to reduce result sets
Apply value type filters for targeted searches
Use time ranges for incident-focused analysis
Search specific value names for known artifacts

Large Dataset Handling

Start with summary searches (browse_events: false)
Use pagination for large Registry hives
Apply filters before broad text searching
Use time ranges to limit modification periods

Advanced Search Features

Binary Data Search

Automatic UTF-8 and UTF-16 text search in binary values
Hexadecimal pattern matching
Cross-encoding search capabilities

Value Type Filtering

Filter by specific Registry value types
Combine with text search for precise queries
Support for all standard Registry data types

Cross-Hive Correlation

Search across multiple Registry hives simultaneously
Correlate findings between SYSTEM, SOFTWARE, and user hives
Timeline analysis across different Registry sources

Notes

Job must be completed before searching
Authentication is required for private jobs
Encryption key needed for encrypted job results
Search supports both raw Registry data and summary insights
Results are paginated for performance
Time ranges filter by Registry key modification timestamps
Text search includes binary data conversion for comprehensive coverage
Filters can be combined for precise Registry queries
Browse mode affects search performance and detail level
Results optimized for Registry forensics workflows
Binary values are automatically formatted as hexdump for analysis
Cross-hive correlation available when multiple hives were analyzed

Search Prefetch Data

Searches through parsed Windows Prefetch data using text queries, filters, and time ranges. Enables rapid investigation of program execution patterns, timeline analysis, and anomaly detection.

Yara Data Analysis

Runs Yara-X rules against user-provided test data in real-time. Supports both custom rules and community rules for malware detection and file analysis rule validation.