Edit

Share via

registryKeyState resource type (deprecated)

Namespace: microsoft.graph

Note

The legacy alerts API is deprecated and will be removed by April 2026. We recommend that you migrate to the new alerts and incidents API.

Contains information about registry key changes related to the alert, and the process that changed the registry keys.

Properties

Property Type Description
hive registryHive A Windows registry hive :
  • HKEY_CURRENT_CONFIG
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE\SAM
  • HKEY_LOCAL_MACHINE\Security
  • HKEY_LOCAL_MACHINE\Software
  • HKEY_LOCAL_MACHINE\System
  • HKEY_USERS\.Default.
The possible values are: unknown, currentConfig, currentUser, localMachineSam, localMachineSecurity, localMachineSoftware, localMachineSystem, usersDefault.
key String Current (i.e. changed) registry key (excludes HIVE).
oldKey String Previous (i.e. before changed) registry key (excludes HIVE).
oldValueData String Previous (i.e. before changed) registry key value data (contents).
oldValueName String Previous (i.e. before changed) registry key value name.
operation registryOperation Operation that changed the registry key name and/or value. The possible values are: unknown, create, modify, delete.
processId Int32 Process ID (PID) of the process that modified the registry key (process details will appear in the alert 'processes' collection).
valueData String Current (i.e. changed) registry key value data (contents).
valueName String Current (i.e. changed) registry key value name
valueType registryValueType Registry key value type
  • REG_BINARY
  • REG_DWORD
  • REG_DWORD_LITTLE_ENDIAN
  • REG_DWORD_BIG_ENDIAN
  • REG_EXPAND_SZ
  • REG_LINK
  • REG_MULTI_SZ
  • REG_NONE
  • REG_QWORD
  • REG_QWORD_LITTLE_ENDIAN
  • REG_SZ
The possible values are: unknown, binary, dword, dwordLittleEndian, dwordBigEndian, expandSz, link, multiSz, none, qword, qwordlittleEndian, sz.

Relationships

None.

JSON representation

The following JSON representation shows the resource type.

{
  "hive": "@odata.type: microsoft.graph.registryHive",
  "key": "String",
  "oldKey": "String",
  "oldValueData": "String",
  "oldValueName": "String",
  "operation": "@odata.type: microsoft.graph.registryOperation",
  "processId": 1024,
  "valueData": "String",
  "valueName": "String",
  "valueType": "@odata.type: microsoft.graph.registryValueType"
}
  • Last updated on