CB Home with Blogs

Latest Discussions

  • I don't believe that that information is stored on the endpoint, so it could not be queried with Live Query. For AD you would have to use net commands or the like. I know that is not what the query claims, but it seems like the registry is not reliable ...

  • It looks like your user's directory is too large for the query to work across all of it as it timed out. Try using a smaller subset like "\Users\%\desktop\%%"

Unanswered Threads

  • Posted in: Query Exchange

    Hello CBR community, how would one search for processes that were run with elevated privileges on Windows, specifically when a user has right-clicked on an executable, for example, and chosen "Run as administrator"? From my testing, searching for process_name:consent.exe ...