Bewerken

registryKeyState resource type (deprecated)

Namespace: microsoft.graph

Important

The legacy alerts API is deprecated and will be retired on August 31, 2026. Migrate to the new alerts and incidents API. For more information, see Migrate from legacy alerts to the alerts and incidents API.

Contains information about registry key changes related to the alert, and the process that changed the registry keys.

Properties

Property Type Description
hive registryHive A Windows registry hive :
  • HKEY_CURRENT_CONFIG
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE\SAM
  • HKEY_LOCAL_MACHINE\Security
  • HKEY_LOCAL_MACHINE\Software
  • HKEY_LOCAL_MACHINE\System
  • HKEY_USERS\.Default.
The possible values are: unknown, currentConfig, currentUser, localMachineSam, localMachineSecurity, localMachineSoftware, localMachineSystem, usersDefault.
key String Current (i.e. changed) registry key (excludes HIVE).
oldKey String Previous (i.e. before changed) registry key (excludes HIVE).
oldValueData String Previous (i.e. before changed) registry key value data (contents).
oldValueName String Previous (i.e. before changed) registry key value name.
operation registryOperation Operation that changed the registry key name and/or value. The possible values are: unknown, create, modify, delete.
processId Int32 Process ID (PID) of the process that modified the registry key (process details will appear in the alert 'processes' collection).
valueData String Current (i.e. changed) registry key value data (contents).
valueName String Current (i.e. changed) registry key value name
valueType registryValueType Registry key value type
  • REG_BINARY
  • REG_DWORD
  • REG_DWORD_LITTLE_ENDIAN
  • REG_DWORD_BIG_ENDIAN
  • REG_EXPAND_SZ
  • REG_LINK
  • REG_MULTI_SZ
  • REG_NONE
  • REG_QWORD
  • REG_QWORD_LITTLE_ENDIAN
  • REG_SZ
The possible values are: unknown, binary, dword, dwordLittleEndian, dwordBigEndian, expandSz, link, multiSz, none, qword, qwordlittleEndian, sz.

JSON representation

The following JSON representation shows the resource type.

{
  "hive": "@odata.type: microsoft.graph.registryHive",
  "key": "String",
  "oldKey": "String",
  "oldValueData": "String",
  "oldValueName": "String",
  "operation": "@odata.type: microsoft.graph.registryOperation",
  "processId": 1024,
  "valueData": "String",
  "valueName": "String",
  "valueType": "@odata.type: microsoft.graph.registryValueType"
}
  • Last updated on