From e891087a5ef47d7d94b411960ea119dbf8ce3ec2 Mon Sep 17 00:00:00 2001 From: Eric Capuano Date: Mon, 4 May 2026 19:36:42 -0400 Subject: [PATCH] docs(endpoint-commands): fix reg_list event name and parameter syntax - Response event is REGISTRY_LIST_REP, not REG_LIST_REP (matches docs/8-reference/edr-events.md and faq/privacy.md). - The registry path is a positional argument. Confirmed in production: passing --reg_path causes the command to fail. Replace the example with confirmed-working invocations using short hive prefixes (hklm). - Add reg_list to the platform-support table at the top of the file (it was missing). --- docs/8-reference/endpoint-commands.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/docs/8-reference/endpoint-commands.md b/docs/8-reference/endpoint-commands.md index 8b240bab..4e4961fb 100644 --- a/docs/8-reference/endpoint-commands.md +++ b/docs/8-reference/endpoint-commands.md @@ -46,6 +46,7 @@ For commands which emit a report/reply event type from the agent, the correspond | os\_users | [OS\_USERS\_REP](edr-events.md#os_users_rep) | | ☑️ | | | | | [os\_version](#os_version) | [OS\_VERSION\_REP](edr-events.md#os_version_rep) | ☑️ | ☑️ | ☑️ | | | | put | [RECEIPT](edr-events.md#receipt) | ☑️ | ☑️ | ☑️ | | | +| [reg\_list](#reg_list) | [REGISTRY\_LIST\_REP](edr-events.md#registry_list_rep) | | ☑️ | | | | | [rejoin\_network](#rejoin_network) | [REJOIN\_NETWORK](edr-events.md#rejoin_network) | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | | restart | N/A | ☑️ | ☑️ | ☑️ | | | | [run](#run) | N/A | ☑️ | ☑️ | ☑️ | | | 
@@ -1031,20 +1032,22 @@ limacharlie sensor task pcap_stop ### reg_list -List Windows registry keys and values. +List Windows registry keys and values at the specified path. **Platforms:** Windows **Parameters:** -- `reg_path` (required): Registry path to list (e.g., "HKEY_LOCAL_MACHINE\\SOFTWARE") +- `` (required, positional): Registry path to list. Use short hive prefixes such as `hklm`, `hku`, `hkcu`, `hkcr`, `hkcc`. -**Response Event:** REG_LIST_REP +**Response Event:** REGISTRY_LIST_REP -**Usage Example:** +**Usage Examples:** ```bash -limacharlie sensor task reg_list --reg_path "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" +limacharlie sensor task reg_list hklm\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging +limacharlie sensor task reg_list hklm\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging +limacharlie sensor task reg_list hklm\Software\Policies\Microsoft\Windows\PowerShell\Transcription ``` ---
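Review bot: in the first hunk (platform-support table, `@@ -46,6 +46,7 @@`), the new `reg_list` row checks only the second platform column, and the table header is outside the hunk's context, so please confirm that column is Windows. The `reg_list` section further down states "**Platforms:** Windows", and the two should agree. The neighbouring `os_users` row checks the same single column, so if that row is not Windows-only either, one of the two rows is wrong. It is also worth confirming that the `edr-events.md#registry_list_rep` anchor resolves, since the previous event name in this file (`REG_LIST_REP`) was incorrect and a dead link would be an easy miss.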
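Review bot: in the second hunk (`### reg_list`), the three new usage examples sit in a fence tagged `bash` but pass the registry path with unquoted backslashes, e.g. `limacharlie sensor task reg_list hklm\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging`. In bash an unquoted backslash escapes the next character and is then removed, so the CLI would receive the path with no separators. The removed example avoided this by double-quoting the path and doubling the backslashes. Suggest single-quoting the path in each example (`reg_list 'hklm\Software\...'`), or retagging the fence if these were confirmed from cmd or PowerShell, and stating which shell the "confirmed in production" invocations were run from. Separately, the new parameter bullet starts with an empty code span before "(required, positional)", so the positional argument has no name in the rendered docs. Give it a visible placeholder name, and check that angle brackets in the placeholder are not being swallowed as HTML by the docs build.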