The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Sticky Keys Registry Backdoor

Description: Sticky Keys Registry Backdoor Query

What The Data Shows: Searches for the presence of the 'Debugger' registry key for common Windows accessibility tools. More info: (


SELECT path,data,
datetime(mtime,"unixepoch","localtime") as mtime
FROM registry
WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%%'
AND name='Debugger';
Community Manager
Community Manager

Hi @stympanick thank you so much for your contribution!  We'll get this tested and if it runs as expected we'll update your submission from "Under Review" to "CB Approved".

Thanks again!

Carbon Black Employee
Status changed to: Approved