Windows registry monitoring

We could introduce monitoring of Windows Registry data by adding the following item to Zabbix Agent:

win.registry.get[key,subkey,<value>]

• key - one of the predefined keys:
  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_CONFIG
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_PERFORMANCE_DATA
  • HKEY_PERFORMANCE_NLSTEXT
  • HKEY_PERFORMANCE_TEXT
  • HKEY_USERS
• subkey - the name of the registry key. For example, "SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install".
• value - the name of the registry value or empty value for unnamed or default value. For example, "LastSuccessTime".

As far as I am concerned, we could retrieve all the value types (https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types) that could be processed by preprocessing later. But we should make some decison on "Do we want to bother with some complex types like Multistring / Binary / Etc."

Additionally, we could merge key and subkey into one param as this is a path and there is no real need to split it (while WinApi splits it). Then item key would be just win.registry.get[key,<value>]

For discovery, we could use key:

win.registry.discover[key,subkey]

• key - one of the predefined keys:
  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_CONFIG
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_PERFORMANCE_DATA
  • HKEY_PERFORMANCE_NLSTEXT
  • HKEY_PERFORMANCE_TEXT
  • HKEY_USERS
• subkey - the name of the registry key. For example, "SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install".

Result of the discovery is an JSON array conaining all the values, values of the values (sorry for the bad naming, but Microsoft is calling registry entries "values", so values have values) and data types of the specified key.

Another option is to discover keys. But we should provide an option to specify regexp for keys or some query for values. This is a more usefull option than a discovery of values.