Home > Software design >  How to read HKCU Registry key of another user in admin on powershell?
How to read HKCU Registry key of another user in admin on powershell?

Time:03-03

I have a powershell script that runs automatically thanks to a taskscheduler and its purpose is to take the version of all the softwares of the system in order to make a list and to quickly have an overview of the versions that are outdated. The problem is that in order for it to run at any time, the script is assigned to the SYSTEM user. However, some applications are only assigned to one user and SYSTEM cannot find them in its HKCU key.

So the question is, how can I list all the content?

Thanks in advance

CodePudding user response:

You will need to load their hive first

REG LOAD HKEY_Users\johnshive "C:\Users\john\NTUSER.DAT" 

You can then address their hive via powershell e.g.

Get-ChildItem -Path Registry::HKEY_USERS\johnshive

CodePudding user response:

If the person is logged on, you have to go into HKU and find all registry keys that end in "_Classes". Then remove the "_Classes" from the end of those keys and that is the list of possible keys that belong to the user. If there is only one, and you know the person is logged on, then that is probably their key. But if there is more than one, then you have mostly empty ghost copy/copies where windows failed to fully unload it. Afaik, the ghost copies will not have the subkey "Volatile Environment" with the value "USERNAME", but I have suspicion that this isn't a true statement. I've had PsLoggedon.exe report two users logged on, but only later did I learn PsLoggedon.exe uses HKU to find who is logged on (not sure what subkeys and values it uses).

But if the user is not logged on, don't even go down that road unless you are a very detailed oriented person. If you load their registry hive, do your work, and forget to unload their registry hive, you will lock their registry hive file, Windows will think the profile is corrupt, build a new user profile, user will log in finding Documents folder empty and think their files are gone. I did a lot of experiments injecting mapped network drives into registry hive files of test users before I ever did that on an actual user profile.

  • Related