Hello, everyone!
At first, sorry for my bad English.
I have a problem joining two results.
The raw data is a reg file, like this:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc]
"DisplayName"="@%systemroot%\\system32\\XboxNetApiSvc.dll,-100"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000003
"Type"=dword:00000020
"Description"="@%systemroot%\\system32\\XboxNetApiSvc.dll,-101"
"DependOnService"=hex(7):42,00,46,00,45,00,00,00,6d,00,70,00,73,00,73,00,76,00,\
63,00,00,00,00,00
"ObjectName"="LocalSystem"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,\
00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,\
72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,\
00,65,00,67,00,65,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc\Parameters]
"ServiceDll"="%SystemRoot%\system32\XboxNetApiSvc.dll"
"ServiceDllUnloadOnStop"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xboxgip]
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\
00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,62,00,6f,00,78,00,67,00,69,00,\
70,00,2e,00,73,00,79,00,73,00,00,00
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"Group"="NDIS"
"Tag"=dword:00000001
"DisplayName"="@xboxgip.inf,%XBOXGIP_Desc%;Xbox Game Input Protocol Driver"
"Description"="@xboxgip.inf,%XBOXGIP_Desc%;Xbox Game Input Protocol Driver"
"Owners"=hex(7):78,00,62,00,6f,00,78,00,67,00,69,00,70,00,2e,00,69,00,6e,00,66,\
00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xboxgip\Linkage]
"Export"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,78,00,62,00,6f,\
00,78,00,67,00,69,00,70,00,00,00,00,00
"Bind"=hex(7):00,00
"Route"=hex(7):00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xboxgip\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave]
"DisplayName"="@%systemroot%\\system32\\XblGameSave.dll,-100"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000003
"Type"=dword:00000020
"Description"="@%systemroot%\\system32\\XblGameSave.dll,-101"
"DependOnService"=hex(7):55,00,73,00,65,00,72,00,4d,00,61,00,6e,00,61,00,67,00,\
65,00,72,00,00,00,58,00,62,00,6c,00,41,00,75,00,74,00,68,00,4d,00,61,00,6e,\
00,61,00,67,00,65,00,72,00,00,00,00,00
"ObjectName"="LocalSystem"
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,04,00,00,00,14,00,00,\
00,01,00,00,00,10,27,00,00,01,00,00,00,10,27,00,00,01,00,00,00,10,27,00,00,\
00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave\Parameters]
"ServiceDll"="%SystemRoot%\System32\XblGameSave.dll"
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceIdleTimeout"=dword:0000003c
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wof]
"SupportedFeatures"=dword:00000003
"DisplayName"="Windows Overlay File System Filter Driver"
"ErrorControl"=dword:00000001
"Group"="FSFilter Compression"
"Start"=dword:00000000
"Type"=dword:00000002
"DependOnService"=hex(7):46,00,6c,00,74,00,4d,00,67,00,72,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wof\Instances]
"DefaultInstance"="Wof Instance"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wof\Instances\Wof Instance]
"Altitude"="40700"
"Flags"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wof\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\workerdd]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\workerdd\Device0]
"InstalledDisplayDrivers"=hex(7):57,00,4f,00,52,00,4b,00,45,00,52,00,44,00,44,\
00,00,00,00,00
"VgaCompatible"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\workfolderssvc]
"DisplayName"="@%systemroot%\\system32\\workfolderssvc.dll,-102"
"ErrorControl"=dword:00000001
"Group"="LocalService"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
00,65,00,00,00
"Start"=dword:00000003
"Type"=dword:00000020
"Description"="@%systemroot%\\system32\\workfolderssvc.dll,-101"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,73,00,65,00,\
61,00,72,00,63,00,68,00,00,00,00,00
"ObjectName"="NT AUTHORITY\\LocalService"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,\
00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
65,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wpcfltr]
"DisplayName"="Family Safety Filter Driver"
"ErrorControl"=dword:00000001
"Group"="NDIS"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,70,00,63,00,66,00,6c,00,74,\
00,72,00,2e,00,73,00,79,00,73,00,00,00
"Start"=dword:00000003
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wpcfltr\Security]
"Security"=hex:01,00,14,80,8c,00,00,00,98,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,5c,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,01,00,00,00,00,\
00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPDBusEnum]
"Start"=dword:00000003
"DisplayName"="@%SystemRoot%\\system32\\wpdbusenum.dll,-100"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,79,00,73,00,74,00,65,00,6d,\
00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,72,00,\
69,00,63,00,74,00,65,00,64,00,00,00
"Type"=dword:00000020
"Description"="@%SystemRoot%\\system32\\wpdbusenum.dll,-101"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ObjectName"="LocalSystem"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,41,00,75,00,64,00,69,00,74,00,50,00,72,\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,68,00,\
61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,\
00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,\
61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,\
00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,\
74,00,65,00,50,00,65,00,72,00,6d,00,61,00,6e,00,65,00,6e,00,74,00,50,00,72,\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,\
70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,\
00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPDBusEnum\BthActiveConnect]
"ACInterval"=dword:00000078
"DCInterval"=dword:000000f0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPDBusEnum\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
You can save it as a .reg file and import it into Splunk.
The first search result is:
The second search result is:
My problem is how to join these two searches when SrvName=SrvName2; the final result should look like the one below:
How can I solve this problem with Splunk?
Thank you, my friends!!
| makeresults
``` sample data: the pasted .reg export with a pipe character inserted in front of every key line, so the text can later be split into one event per registry key ```
| eval _raw="Windows Registry Editor Version 5.00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services]
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\XboxNetApiSvc]
\"DisplayName\"=\"@%systemroot%\\\\system32\\\\XboxNetApiSvc.dll,-100\"
\"ErrorControl\"=dword:00000001
\"ImagePath\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
\"Start\"=dword:00000003
\"Type\"=dword:00000020
\"Description\"=\"@%systemroot%\\\\system32\\\\XboxNetApiSvc.dll,-101\"
\"DependOnService\"=hex(7):42,00,46,00,45,00,00,00,6d,00,70,00,73,00,73,00,76,00,\\
63,00,00,00,00,00
\"ObjectName\"=\"LocalSystem\"
\"ServiceSidType\"=dword:00000001
\"RequiredPrivileges\"=hex(7):53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,\\
00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,\\
72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,\\
00,65,00,67,00,65,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\XboxNetApiSvc\\Parameters]
\"ServiceDll\"=\"%SystemRoot%\\system32\\XboxNetApiSvc.dll\"
\"ServiceDllUnloadOnStop\"=dword:00000001
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\xboxgip]
\"ImagePath\"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
74,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\\
00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,62,00,6f,00,78,00,67,00,69,00,\\
70,00,2e,00,73,00,79,00,73,00,00,00
\"Type\"=dword:00000001
\"Start\"=dword:00000003
\"ErrorControl\"=dword:00000001
\"Group\"=\"NDIS\"
\"Tag\"=dword:00000001
\"DisplayName\"=\"@xboxgip.inf,%XBOXGIP_Desc%;Xbox Game Input Protocol Driver\"
\"Description\"=\"@xboxgip.inf,%XBOXGIP_Desc%;Xbox Game Input Protocol Driver\"
\"Owners\"=hex(7):78,00,62,00,6f,00,78,00,67,00,69,00,70,00,2e,00,69,00,6e,00,66,\\
00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\xboxgip\\Linkage]
\"Export\"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,78,00,62,00,6f,\\
00,78,00,67,00,69,00,70,00,00,00,00,00
\"Bind\"=hex(7):00,00
\"Route\"=hex(7):00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\xboxgip\\Parameters]
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\XblGameSave]
\"DisplayName\"=\"@%systemroot%\\\\system32\\\\XblGameSave.dll,-100\"
\"ErrorControl\"=dword:00000001
\"ImagePath\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
\"Start\"=dword:00000003
\"Type\"=dword:00000020
\"Description\"=\"@%systemroot%\\\\system32\\\\XblGameSave.dll,-101\"
\"DependOnService\"=hex(7):55,00,73,00,65,00,72,00,4d,00,61,00,6e,00,61,00,67,00,\\
65,00,72,00,00,00,58,00,62,00,6c,00,41,00,75,00,74,00,68,00,4d,00,61,00,6e,\\
00,61,00,67,00,65,00,72,00,00,00,00,00
\"ObjectName\"=\"LocalSystem\"
\"FailureActions\"=hex:80,51,01,00,00,00,00,00,00,00,00,00,04,00,00,00,14,00,00,\\
00,01,00,00,00,10,27,00,00,01,00,00,00,10,27,00,00,01,00,00,00,10,27,00,00,\\
00,00,00,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\XblGameSave\\Parameters]
\"ServiceDll\"=\"%SystemRoot%\\System32\\XblGameSave.dll\"
\"ServiceDllUnloadOnStop\"=dword:00000001
\"ServiceIdleTimeout\"=dword:0000003c
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wof]
\"SupportedFeatures\"=dword:00000003
\"DisplayName\"=\"Windows Overlay File System Filter Driver\"
\"ErrorControl\"=dword:00000001
\"Group\"=\"FSFilter Compression\"
\"Start\"=dword:00000000
\"Type\"=dword:00000002
\"DependOnService\"=hex(7):46,00,6c,00,74,00,4d,00,67,00,72,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wof\\Instances]
\"DefaultInstance\"=\"Wof Instance\"
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wof\\Instances\\Wof Instance]
\"Altitude\"=\"40700\"
\"Flags\"=dword:00000000
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wof\\Parameters]
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\workerdd]
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\workerdd\\Device0]
\"InstalledDisplayDrivers\"=hex(7):57,00,4f,00,52,00,4b,00,45,00,52,00,44,00,44,\\
00,00,00,00,00
\"VgaCompatible\"=dword:00000000
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\workfolderssvc]
\"DisplayName\"=\"@%systemroot%\\\\system32\\\\workfolderssvc.dll,-102\"
\"ErrorControl\"=dword:00000001
\"Group\"=\"LocalService\"
\"ImagePath\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\\
00,65,00,00,00
\"Start\"=dword:00000003
\"Type\"=dword:00000020
\"Description\"=\"@%systemroot%\\\\system32\\\\workfolderssvc.dll,-101\"
\"DependOnService\"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,73,00,65,00,\\
61,00,72,00,63,00,68,00,00,00,00,00
\"ObjectName\"=\"NT AUTHORITY\\\\LocalService\"
\"ServiceSidType\"=dword:00000001
\"RequiredPrivileges\"=hex(7):53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,\\
00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\\
65,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wpcfltr]
\"DisplayName\"=\"Family Safety Filter Driver\"
\"ErrorControl\"=dword:00000001
\"Group\"=\"NDIS\"
\"ImagePath\"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,70,00,63,00,66,00,6c,00,74,\\
00,72,00,2e,00,73,00,79,00,73,00,00,00
\"Start\"=dword:00000003
\"Type\"=dword:00000001
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wpcfltr\\Security]
\"Security\"=hex:01,00,14,80,8c,00,00,00,98,00,00,00,14,00,00,00,30,00,00,00,02,\\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\\
00,00,02,00,5c,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\\
20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\\
00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,01,00,00,00,00,\\
00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WPDBusEnum]
\"Start\"=dword:00000003
\"DisplayName\"=\"@%SystemRoot%\\\\system32\\\\wpdbusenum.dll,-100\"
\"ErrorControl\"=dword:00000001
\"ImagePath\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,79,00,73,00,74,00,65,00,6d,\\
00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,72,00,\\
69,00,63,00,74,00,65,00,64,00,00,00
\"Type\"=dword:00000020
\"Description\"=\"@%SystemRoot%\\\\system32\\\\wpdbusenum.dll,-101\"
\"DependOnService\"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
\"ObjectName\"=\"LocalSystem\"
\"ServiceSidType\"=dword:00000001
\"RequiredPrivileges\"=hex(7):53,00,65,00,41,00,75,00,64,00,69,00,74,00,50,00,72,\\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,68,00,\\
61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,\\
00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,\\
61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,\\
00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,\\
74,00,65,00,50,00,65,00,72,00,6d,00,61,00,6e,00,65,00,6e,00,74,00,50,00,72,\\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,\\
70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,\\
00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
\"FailureActions\"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\\
00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WPDBusEnum\\BthActiveConnect]
\"ACInterval\"=dword:00000078
\"DCInterval\"=dword:000000f0
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WPDBusEnum\\Parameters]
\"ServiceDllUnloadOnStop\"=dword:00000001"
``` split on the inserted pipe characters so that each registry key becomes its own event ```
| eval event=split(_raw,"|")
| mvexpand event
``` keep from the first opening bracket onward: drops the editor header line and the leading newline of every chunk ```
| rex field=event "(?ms)(?<event>\[.*)"
| eval _raw=event
| table _raw
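``` the lines above create some sample data ```
``` extract service name with or without Parameters key: the service key and its Parameters subkey both yield the same SrvName, which is the join field for stats below ```
``` service key names may contain characters outside \w (dots, dashes, spaces), so take everything up to the next backslash or closing bracket ```
| rex "Services\\\\(?<SrvName>[^\\\\\]]+)(\\\\Parameters)?\]"
``` extract other fields where they exist ```
``` a dword in a .reg file is 8 hex digits, so match hex rather than decimal digits only, which would cut 0000003c down to 0000003 ```
``` values stay hex: Type 0x20 is a share-process service hosted in svchost.exe, 0x10 own-process, 0x01 and 0x02 are drivers; Start 0x02 auto, 0x03 demand, 0x04 disabled ```
| rex "\"Start\"=dword:(?<Start>[0-9a-fA-F]+)"
| rex "\"Type\"=dword:(?<Type>[0-9a-fA-F]+)"
| rex "\"ServiceDll\"=\"(?<SrvDll>[^\"]+)"
``` gather fields where service name matches ```
``` events whose key matched no SrvName (Linkage, Security, Instances, Device0 subkeys) are dropped by the group-by ```
| stats values(*) as * by SrvName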
| makeresults
``` sample data: the pasted .reg export with a pipe character inserted in front of every key line, so the text can later be split into one event per registry key ```
| eval _raw="Windows Registry Editor Version 5.00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services]
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\XboxNetApiSvc]
\"DisplayName\"=\"@%systemroot%\\\\system32\\\\XboxNetApiSvc.dll,-100\"
\"ErrorControl\"=dword:00000001
\"ImagePath\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
\"Start\"=dword:00000003
\"Type\"=dword:00000020
\"Description\"=\"@%systemroot%\\\\system32\\\\XboxNetApiSvc.dll,-101\"
\"DependOnService\"=hex(7):42,00,46,00,45,00,00,00,6d,00,70,00,73,00,73,00,76,00,\\
63,00,00,00,00,00
\"ObjectName\"=\"LocalSystem\"
\"ServiceSidType\"=dword:00000001
\"RequiredPrivileges\"=hex(7):53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,\\
00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,\\
72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,\\
00,65,00,67,00,65,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\XboxNetApiSvc\\Parameters]
\"ServiceDll\"=\"%SystemRoot%\\system32\\XboxNetApiSvc.dll\"
\"ServiceDllUnloadOnStop\"=dword:00000001
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\xboxgip]
\"ImagePath\"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
74,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\\
00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,62,00,6f,00,78,00,67,00,69,00,\\
70,00,2e,00,73,00,79,00,73,00,00,00
\"Type\"=dword:00000001
\"Start\"=dword:00000003
\"ErrorControl\"=dword:00000001
\"Group\"=\"NDIS\"
\"Tag\"=dword:00000001
\"DisplayName\"=\"@xboxgip.inf,%XBOXGIP_Desc%;Xbox Game Input Protocol Driver\"
\"Description\"=\"@xboxgip.inf,%XBOXGIP_Desc%;Xbox Game Input Protocol Driver\"
\"Owners\"=hex(7):78,00,62,00,6f,00,78,00,67,00,69,00,70,00,2e,00,69,00,6e,00,66,\\
00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\xboxgip\\Linkage]
\"Export\"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,78,00,62,00,6f,\\
00,78,00,67,00,69,00,70,00,00,00,00,00
\"Bind\"=hex(7):00,00
\"Route\"=hex(7):00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\xboxgip\\Parameters]
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\XblGameSave]
\"DisplayName\"=\"@%systemroot%\\\\system32\\\\XblGameSave.dll,-100\"
\"ErrorControl\"=dword:00000001
\"ImagePath\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
\"Start\"=dword:00000003
\"Type\"=dword:00000020
\"Description\"=\"@%systemroot%\\\\system32\\\\XblGameSave.dll,-101\"
\"DependOnService\"=hex(7):55,00,73,00,65,00,72,00,4d,00,61,00,6e,00,61,00,67,00,\\
65,00,72,00,00,00,58,00,62,00,6c,00,41,00,75,00,74,00,68,00,4d,00,61,00,6e,\\
00,61,00,67,00,65,00,72,00,00,00,00,00
\"ObjectName\"=\"LocalSystem\"
\"FailureActions\"=hex:80,51,01,00,00,00,00,00,00,00,00,00,04,00,00,00,14,00,00,\\
00,01,00,00,00,10,27,00,00,01,00,00,00,10,27,00,00,01,00,00,00,10,27,00,00,\\
00,00,00,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\XblGameSave\\Parameters]
\"ServiceDll\"=\"%SystemRoot%\\System32\\XblGameSave.dll\"
\"ServiceDllUnloadOnStop\"=dword:00000001
\"ServiceIdleTimeout\"=dword:0000003c
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wof]
\"SupportedFeatures\"=dword:00000003
\"DisplayName\"=\"Windows Overlay File System Filter Driver\"
\"ErrorControl\"=dword:00000001
\"Group\"=\"FSFilter Compression\"
\"Start\"=dword:00000000
\"Type\"=dword:00000002
\"DependOnService\"=hex(7):46,00,6c,00,74,00,4d,00,67,00,72,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wof\\Instances]
\"DefaultInstance\"=\"Wof Instance\"
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wof\\Instances\\Wof Instance]
\"Altitude\"=\"40700\"
\"Flags\"=dword:00000000
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wof\\Parameters]
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\workerdd]
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\workerdd\\Device0]
\"InstalledDisplayDrivers\"=hex(7):57,00,4f,00,52,00,4b,00,45,00,52,00,44,00,44,\\
00,00,00,00,00
\"VgaCompatible\"=dword:00000000
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\workfolderssvc]
\"DisplayName\"=\"@%systemroot%\\\\system32\\\\workfolderssvc.dll,-102\"
\"ErrorControl\"=dword:00000001
\"Group\"=\"LocalService\"
\"ImagePath\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\\
00,65,00,00,00
\"Start\"=dword:00000003
\"Type\"=dword:00000020
\"Description\"=\"@%systemroot%\\\\system32\\\\workfolderssvc.dll,-101\"
\"DependOnService\"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,73,00,65,00,\\
61,00,72,00,63,00,68,00,00,00,00,00
\"ObjectName\"=\"NT AUTHORITY\\\\LocalService\"
\"ServiceSidType\"=dword:00000001
\"RequiredPrivileges\"=hex(7):53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,\\
00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\\
65,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wpcfltr]
\"DisplayName\"=\"Family Safety Filter Driver\"
\"ErrorControl\"=dword:00000001
\"Group\"=\"NDIS\"
\"ImagePath\"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,70,00,63,00,66,00,6c,00,74,\\
00,72,00,2e,00,73,00,79,00,73,00,00,00
\"Start\"=dword:00000003
\"Type\"=dword:00000001
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wpcfltr\\Security]
\"Security\"=hex:01,00,14,80,8c,00,00,00,98,00,00,00,14,00,00,00,30,00,00,00,02,\\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\\
00,00,02,00,5c,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\\
20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\\
00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,01,00,00,00,00,\\
00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WPDBusEnum]
\"Start\"=dword:00000003
\"DisplayName\"=\"@%SystemRoot%\\\\system32\\\\wpdbusenum.dll,-100\"
\"ErrorControl\"=dword:00000001
\"ImagePath\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,79,00,73,00,74,00,65,00,6d,\\
00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,72,00,\\
69,00,63,00,74,00,65,00,64,00,00,00
\"Type\"=dword:00000020
\"Description\"=\"@%SystemRoot%\\\\system32\\\\wpdbusenum.dll,-101\"
\"DependOnService\"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
\"ObjectName\"=\"LocalSystem\"
\"ServiceSidType\"=dword:00000001
\"RequiredPrivileges\"=hex(7):53,00,65,00,41,00,75,00,64,00,69,00,74,00,50,00,72,\\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,68,00,\\
61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,\\
00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,\\
61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,\\
00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,\\
74,00,65,00,50,00,65,00,72,00,6d,00,61,00,6e,00,65,00,6e,00,74,00,50,00,72,\\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,\\
70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,\\
00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
\"FailureActions\"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\\
00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WPDBusEnum\\BthActiveConnect]
\"ACInterval\"=dword:00000078
\"DCInterval\"=dword:000000f0
|
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WPDBusEnum\\Parameters]
\"ServiceDllUnloadOnStop\"=dword:00000001"
``` split on the inserted pipe characters so that each registry key becomes its own event ```
| eval event=split(_raw,"|")
| mvexpand event
``` keep from the first opening bracket onward: drops the editor header line and the leading newline of every chunk ```
| rex field=event "(?ms)(?<event>\[.*)"
| eval _raw=event
| table _raw
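``` the lines above create some sample data ```
``` extract service name with or without Parameters key: the service key and its Parameters subkey both yield the same SrvName, which is the join field for stats below ```
``` service key names may contain characters outside \w (dots, dashes, spaces), so take everything up to the next backslash or closing bracket ```
| rex "Services\\\\(?<SrvName>[^\\\\\]]+)(\\\\Parameters)?\]"
``` extract other fields where they exist ```
``` a dword in a .reg file is 8 hex digits, so match hex rather than decimal digits only, which would cut 0000003c down to 0000003 ```
``` values stay hex: Type 0x20 is a share-process service hosted in svchost.exe, 0x10 own-process, 0x01 and 0x02 are drivers; Start 0x02 auto, 0x03 demand, 0x04 disabled ```
| rex "\"Start\"=dword:(?<Start>[0-9a-fA-F]+)"
| rex "\"Type\"=dword:(?<Type>[0-9a-fA-F]+)"
| rex "\"ServiceDll\"=\"(?<SrvDll>[^\"]+)"
``` gather fields where service name matches ```
``` events whose key matched no SrvName (Linkage, Security, Instances, Device0 subkeys) are dropped by the group-by ```
| stats values(*) as * by SrvName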
Oh no.
I pushed the wrong button and marked this as the solution!! How can I change it?? Is there any Splunk employee who can help me?
Do you have a "Not the solution" button on the reply?
If not, don't worry about it 😀
Oh!! I found it!
Thank you, ITWhisperer!!!
You are so great; I feel angry with myself. I'm so stupid.
No, I don't have this button.
Wow!! It works very well!
Thank you very much @ITWhisperer, you are so great!