Shimcache: Only check CurrentControlSet (#7832)

Only check CurrentControlSet, since the others are clones/backups.
osquery · Dec 1, 2022 · bb716df · bb716df
1 parent a17655e
commit bb716df
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/osquery/tables/system/windows/shimcache.cpp b/osquery/tables/system/windows/shimcache.cpp
@@ -31,8 +31,11 @@ const std::string kWin10CreatorStart = "34";
 const std::string kWin8110ShimcacheDelimiter = "31307473";
 
 // Shimcache can be in multiple ControlSets (ControlSet001, ControlSet002, etc)
+// We are only going to check CurrentControlSet, which is symlinked to the
+// active ControlSet
+
 const std::string kShimcacheControlset =
-    "HKEY_LOCAL_MACHINE\\SYSTEM\\%ControlSet%\\Control\\Session "
+    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session "
     "Manager\\AppCompatCache";
 
 struct ShimcacheData {