
⭐️ native windows registry resource #1359

Merged 2 commits on Jul 18, 2023

Conversation


@chris-rock chris-rock commented Jul 16, 2023

This PR adds native support for Windows registry keys when cnquery is executed locally. Specifically, cnspec is going to profit from this change with a 3.8 times faster execution for the CIS Windows 2022 benchmark.

Besides the performance improvements, this PR also adds support for multi-line string and binary data support for registry keys.

We deprecate registrykey.properties

cnspec> registrykey(path: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters').properties
registrykey.properties: {
  EnableAuthenticateUserSharing: "0"
  Guid: ""
  NullSessionPipes: ""
  ServiceDll: "%SystemRoot%\\system32\\srvsvc.dll"
  ServiceDllUnloadOnStop: "1"
  autodisconnect: "15"
  enableforcedlogoff: "1"
  enablesecuritysignature: "0"
  requiresecuritysignature: "0"
  restrictnullsessaccess: "1"
}

in favor of the new registrykey.items. This returns the full property MQL resources and also allows inspection of the type:

cnspec> registrykey(path: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters').items { * }
registrykey.items: [
  0: {
    value: "0"
    type: "dword"
    name: "EnableAuthenticateUserSharing"
    path: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters"
    data: 0
    exists: true
  }
  1: {
    value: ""
    type: "multistring"
    name: "NullSessionPipes"
    path: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters"
    data: [
      0: ""
    ]
    exists: true
  }
  2: {
    value: "%SystemRoot%\\system32\\srvsvc.dll"
    type: "expandstring"
    name: "ServiceDll"
    path: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters"
    data: "%SystemRoot%\\system32\\srvsvc.dll"
    exists: true
  }
  3: {
    value: "1"
    type: "dword"
    name: "ServiceDllUnloadOnStop"
    path: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters"
    data: 1
    exists: true
  }
...

The resource registrykey.property introduces a new data field that returns a dict type. This allows support for more data types. Therefore we deprecate the use of value, which was only a string representation.

registrykey.property( path: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters', name: 'autodisconnect' ) { * }
registrykey.property: {
  data: 15
  name: "autodisconnect"
  path: "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters"
  exists: true
  type: "dword"
  value: "15"
}

Performance Testing

A CIS Windows 2022 Level 1 Member Benchmark with the latest 8.18.0 requires 1 minute and 48 seconds.

Days              : 0
Hours             : 0
Minutes           : 1
Seconds           : 48
Milliseconds      : 69
Ticks             : 1080693311
TotalDays         : 0.00125080244328704
TotalHours        : 0.0300192586388889
TotalMinutes      : 1.80115551833333
TotalSeconds      : 108.0693311
TotalMilliseconds : 108069.3311

The same benchmark with native support completes in 28 seconds now:

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 28
Milliseconds      : 638
Ticks             : 286380873
TotalDays         : 0.00033145934375
TotalHours        : 0.00795502425
TotalMinutes      : 0.477301455
TotalSeconds      : 28.6380873
TotalMilliseconds : 28638.0873
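The typed data field described above only makes sense once you see what the Win32 registry API actually hands back: a type identifier plus a raw byte buffer. The following Go program is an added example, not code from cnquery or from this PR, that decodes those raw (type, bytes) pairs into the same name/type/data/value shape the registrykey.items output uses. It goes slightly beyond the PR text by also handling REG_BINARY and REG_QWORD; the type names "string", "binary" and "qword", the newline-joined legacy value for multi-strings, and the EncodeUTF16LE helper (used only to construct sample input) are assumptions of this example. All sample values are constructed and modelled on the LanManServer\Parameters key shown in the PR.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"unicode/utf16"
)

// Registry value type identifiers as defined in winnt.h (REG_*).
const (
	RegSZ       uint32 = 1  // REG_SZ: NUL-terminated UTF-16LE string
	RegExpandSZ uint32 = 2  // REG_EXPAND_SZ: string with unexpanded %VAR% references
	RegBinary   uint32 = 3  // REG_BINARY: arbitrary bytes
	RegDword    uint32 = 4  // REG_DWORD: 32-bit little-endian integer
	RegMultiSZ  uint32 = 7  // REG_MULTI_SZ: NUL-separated strings, double-NUL terminated
	RegQword    uint32 = 11 // REG_QWORD: 64-bit little-endian integer
)

// Item mirrors the fields shown for registrykey.items in the PR: a typed Data
// field next to the legacy string Value.
type Item struct {
	Name  string
	Type  string
	Data  interface{}
	Value string
}

// utf16leToString decodes UTF-16LE bytes; a trailing odd byte is ignored.
func utf16leToString(raw []byte) string {
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(raw[2*i:])
	}
	return string(utf16.Decode(u))
}

// DecodeValue converts the raw (type, bytes) pair returned by the registry API
// into a typed Item. Length checks matter: a malformed DWORD/QWORD buffer is
// rejected rather than silently read out of bounds or zero-filled.
func DecodeValue(name string, typ uint32, raw []byte) (Item, error) {
	switch typ {
	case RegSZ, RegExpandSZ:
		s := strings.TrimRight(utf16leToString(raw), "\x00")
		t := "string" // assumed name; "expandstring" appears in the PR output
		if typ == RegExpandSZ {
			t = "expandstring"
		}
		return Item{Name: name, Type: t, Data: s, Value: s}, nil
	case RegMultiSZ:
		// Strip the terminating NULs, then split on the single NUL separators.
		// An empty REG_MULTI_SZ therefore yields one empty string, matching
		// the NullSessionPipes output in the PR.
		s := strings.TrimRight(utf16leToString(raw), "\x00")
		parts := strings.Split(s, "\x00")
		// Joining with newlines for the legacy Value is an assumption.
		return Item{Name: name, Type: "multistring", Data: parts, Value: strings.Join(parts, "\n")}, nil
	case RegDword:
		if len(raw) != 4 {
			return Item{}, fmt.Errorf("%s: REG_DWORD needs 4 bytes, got %d", name, len(raw))
		}
		n := int64(binary.LittleEndian.Uint32(raw))
		return Item{Name: name, Type: "dword", Data: n, Value: strconv.FormatInt(n, 10)}, nil
	case RegQword:
		if len(raw) != 8 {
			return Item{}, fmt.Errorf("%s: REG_QWORD needs 8 bytes, got %d", name, len(raw))
		}
		n := int64(binary.LittleEndian.Uint64(raw))
		return Item{Name: name, Type: "qword", Data: n, Value: strconv.FormatInt(n, 10)}, nil // "qword" is an assumed name
	case RegBinary:
		b := append([]byte(nil), raw...)
		return Item{Name: name, Type: "binary", Data: b, Value: hex.EncodeToString(b)}, nil // "binary" is an assumed name
	default:
		return Item{}, fmt.Errorf("%s: unsupported registry type %d", name, typ)
	}
}

// EncodeUTF16LE builds the stored form of a string value; used here only to
// construct sample input.
func EncodeUTF16LE(s string) []byte {
	u := utf16.Encode([]rune(s))
	out := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(out[2*i:], c)
	}
	return out
}

func main() {
	// Constructed sample values modelled on the key shown in the PR.
	samples := []struct {
		name string
		typ  uint32
		raw  []byte
	}{
		{"autodisconnect", RegDword, []byte{0x0f, 0, 0, 0}},
		{"ServiceDll", RegExpandSZ, EncodeUTF16LE("%SystemRoot%\\system32\\srvsvc.dll\x00")},
		{"NullSessionPipes", RegMultiSZ, EncodeUTF16LE("\x00\x00")},
		{"ExampleBinary", RegBinary, []byte{0xde, 0xad, 0xbe, 0xef}},
	}
	for _, s := range samples {
		it, err := DecodeValue(s.name, s.typ, s.raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-18s type=%-13s data=%#v value=%q\n", it.Name, it.Type, it.Data, it.Value)
	}
}
```

The point for a policy author is the difference between Data and Value: the dword autodisconnect decodes to the integer 15 (so a check can compare numerically), while the legacy Value is only the string "15", and an empty REG_MULTI_SZ yields a one-element list rather than an empty string.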

@chris-rock chris-rock force-pushed the chris-rock/registry-key branch 2 times, most recently from 3984ba3 to 3a0a722 Compare July 16, 2023 19:17

chris-rock commented Jul 17, 2023

I did another round of testing on AWS EC2 t2.large with Windows 2022.

Measure-Command { cnspec.exe scan }

CIS Windows 2022 Level 1 Benchmark scan by using native Windows API

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 21
Milliseconds      : 35
Ticks             : 210359479
TotalDays         : 0.000243471619212963
TotalHours        : 0.00584331886111111
TotalMinutes      : 0.350599131666667
TotalSeconds      : 21.0359479
TotalMilliseconds : 21035.9479

CIS Windows 2022 Level 1 Benchmark scan by using PowerShell to retrieve the information

Days              : 0
Hours             : 0
Minutes           : 1
Seconds           : 56
Milliseconds      : 65
Ticks             : 1160658369
TotalDays         : 0.00134335459375
TotalHours        : 0.03224051025
TotalMinutes      : 1.934430615
TotalSeconds      : 116.0658369
TotalMilliseconds : 116065.8369

This also reduces the memory footprint from 140 MB to 104 MB:

# Define the command and its arguments
$cmd  = 'cnspec.exe'
$arg1 = "scan"

# Start the process and keep a handle to it
$process = Start-Process -PassThru -FilePath $cmd -ArgumentList $arg1

# Poll the peak working set until the scan exits. Process property values are
# cached after the first read, so Refresh() is needed for each read to reflect
# the current peak.
do {
    Start-Sleep -Milliseconds 500
    $process.Refresh()
    $peakWorkingSet = $process.PeakWorkingSet64
} while (!$process.HasExited)

# Output the peak memory usage in MB
$memoryUsageMB = $peakWorkingSet / 1MB
"Memory usage: $memoryUsageMB MB"

Native Windows API:

Memory usage: 104.12890625 MB

PowerShell:

Memory usage: 140.1953125 MB


@imilchev imilchev left a comment


I ran this a couple of times and it seems to be working as expected :shipit:

@chris-rock chris-rock merged commit a791d4f into v8 Jul 18, 2023
@chris-rock chris-rock deleted the chris-rock/registry-key branch July 18, 2023 10:38
@github-actions github-actions bot locked and limited conversation to collaborators Jul 18, 2023