
Windows 7, in PowerShell (running as admin), running the following command on an offline user:

& REG LOAD HKLM\CHANGEUSER c:\users\testuser\ntuser.dat
Write-Host Loaded with result $?

Result: False. On inspection of the key using regedit, it has NOT been loaded. Note: HKLM\Changeuser is not precreated.


If I use the same command from a command prompt (as admin), it is all fine:

REG LOAD HKLM\CHANGEUSER c:\users\testuser\ntuser.dat

Result: The command completed successfully, and the file has been loaded into the registry.

Why is it not loading into the registry when using PowerShell? I have attempted with and without the call operator (&), but get the same result.

MrBeatnik
  • Are you running as admin in _both_ cases? – Matt Feb 01 '16 at 11:51
  • Yes, both PowerShell and Command Prompt state "Administrator:" at the top (Updated question to reflect this) – MrBeatnik Feb 01 '16 at 12:20
  • `.\REG LOAD HKLM\CHANGEUSER c:\users\testuser\ntuser.dat` – Mathias R. Jessen Feb 01 '16 at 12:45
  • Works for me. What does `Get-Command reg` show? – Ansgar Wiechers Feb 01 '16 at 12:58
  • @AnsgarWiechers output shows "Application, reg.exe, C:\Windows\system32\reg.exe". There is no PS error when I run the command (so the command is found), but the hive is not loaded. – MrBeatnik Feb 01 '16 at 14:49
  • @MathiasR.Jessen ".\REG" gives PS error "not recognized as the name of a cmdlet..." – MrBeatnik Feb 01 '16 at 14:50
  • The command looks OK. Can you read the file (`cat c:\users\testuser\ntuser.dat -Encoding Byte | select -First 3`)? Did you verify that it isn't already loaded elsewhere when you run the command? Also try logging what's happening with [Process Monitor](https://technet.microsoft.com/en-us/sysinternals/processmonitor). – Ansgar Wiechers Feb 01 '16 at 15:04
  • Inexplicably, it has now started working. I don't know why or how; no changes have been made to the test DAT file I'm using or to PS - not even a reboot. *Confused*. In any case, we can close this - appreciate all your input and apologies for taking your time. This is clearly not a PS issue. – MrBeatnik Feb 02 '16 at 16:53

1 Answer

I would not attach the hive to HKLM. You're supposed to attach it to HKEY_USERS (HKU). That's what it's for.

Try:

reg.exe load HKU\Changeuser c:\users\testuser\ntuser.dat
Write-Host Loaded with result $?

You can access it like so:

Set-Location Registry::\HKEY_USERS\Changeuser

If you want a PowerShell drive (HKEY_USERS normally doesn't have one) you can use:

New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS; 
Set-Location HKU:

To expand, I've scheduled this with Task Scheduler running as a service account and as the local SYSTEM account using at.exe and I got nothing but success. I even tried HKLM, and had success. It's not clear to me what you're doing, but I don't have enough information anymore for why it's failing.

Bacon Bits
  • Whilst it is true it is a user hive, I don't particularly mind where it is loaded, provided I can access it to do offline edits. Unfortunately, selecting HKU makes no difference - the same problem occurs. At the moment, I cannot see why it is not loading using the command in PS. If I can get more information, I will, but it's a normal NTUSER.dat, and I have full admin. – MrBeatnik Feb 02 '16 at 15:39
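The question and the answer above both rely on `$?` to judge whether `reg.exe load` worked. For a native command `$?` only mirrors the exit code, so the script below (an added example, not code from the question or the answer) checks the exit code explicitly via `$LASTEXITCODE`, then confirms with `Test-Path` that the mounted subtree is actually visible under `HKEY_USERS`, which is the check the asker was missing when regedit showed nothing. It mounts the hive under HKU as the answer recommends, reads the per-user `Run` autostart key as a typical offline-inspection task, and unloads the hive in a `finally` block after dropping the provider's handles (an unload with handles still open fails with "Access is denied"). The hive path, the mount name `OfflineUser`, and the need for an elevated session are assumptions.

```powershell
# Added example: load an offline user hive under HKEY_USERS, verify the load,
# inspect one key, then unload. Must run in an elevated PowerShell session.
param(
    [string]$HivePath  = 'C:\Users\testuser\NTUSER.DAT',  # assumed: path taken from the question
    [string]$MountName = 'OfflineUser'                    # assumed: subkey name to create under HKU
)

$mountKey     = "HKU\$MountName"
$providerPath = "Registry::HKEY_USERS\$MountName"

# reg.exe is a native executable: $? only reflects its exit code, so capture
# the exit code directly instead of trusting a boolean.
& reg.exe load $mountKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg.exe load failed with exit code $LASTEXITCODE (hive already loaded elsewhere, or owned by a logged-on session?)"
}

# Independent check: the subtree must be visible through the Registry provider.
if (-not (Test-Path -Path $providerPath)) {
    throw "reg.exe reported success, but $mountKey is not visible in the registry"
}

try {
    # Typical offline-review task: list the user's autostart entries.
    $runKey = Join-Path $providerPath 'Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path -Path $runKey) {
        Get-ItemProperty -Path $runKey |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
    else {
        Write-Host "No Run key present in $mountKey"
    }
}
finally {
    # Make sure nothing in this session still references the hive: leave the
    # mounted subtree and release lingering RegistryKey objects before unloading.
    Set-Location -Path $env:SystemRoot
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()

    & reg.exe unload $mountKey | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg.exe unload $mountKey failed with exit code $LASTEXITCODE; the hive is still mounted"
    }
}
```

Run it as `.\Inspect-OfflineHive.ps1 -HivePath C:\Users\testuser\NTUSER.DAT` from an elevated prompt. Because the file is locked while its owner is logged on, the load step fails cleanly with a non-zero exit code in that case rather than silently doing nothing, which is the behaviour the asker could not distinguish from `$?` alone.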