Finding the Sophos Machine ID

Each device managed by Sophos has a unique machineID. This is created at the time of installation. There are some scenarios where it's useful to be able to search for a unique machineID, or a collection of them.

-- Name: List Sophos Machine IDs
-- Description: List the Sophos machineID of your endpoints and servers

SELECT
    -- For a value row, strip the value name and keep the key path up to the last backslash
    CASE type
        WHEN 'subkey' THEN path
        ELSE rtrim(path, replace(path, '\', ''))
    END keyPath,
    CASE type
        WHEN 'subkey' THEN ''
        ELSE name
    END valueName,
    CASE type
        WHEN 'subkey' THEN ''
        ELSE type
    END valueType,
    data valueData,
    datetime(mtime,'unixepoch') lastTimeModified
FROM registry
WHERE (path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\Application\SavMachineId')
ORDER BY keyPath ASC 

  • Of course, if you need to find a defined machineID, you can do so with a simple variable:

    -- Name: List Sophos Machine IDs
    -- Description: List the Sophos machineID of your endpoints and servers
    -- Variable#1: name=machineID type=string default=%
    
    SELECT
        CASE type
            WHEN 'subkey' THEN path
            ELSE rtrim(path, replace(path, '\', ''))
        END keyPath,
        CASE type
            WHEN 'subkey' THEN ''
            ELSE name
        END valueName,
        CASE type
            WHEN 'subkey' THEN ''
            ELSE type
        END valueType,
        data valueData,
        datetime(mtime,'unixepoch') lastTimeModified
    FROM registry
    WHERE (path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\Application\SavMachineId')
    AND valueData LIKE '%$$machineID$$%'
    ORDER BY keyPath ASC
