20

I wonder if there is a way to find a local user's registry key in HKEY_USERS if you know the login-name of that user on the local machine. I want to programmatically add stuff to a specific user's registry keys (Autorun for example), but I only know the username. How can I determine which of the cryptic users in HKEY_USERS actually belongs to a specific username?

Cœur
Erik

3 Answers

30
$User = New-Object System.Security.Principal.NTAccount($env:UserName)
$sid = $User.Translate([System.Security.Principal.SecurityIdentifier]).value

The above snippet gives you the SID of the logged-in user. This, when appended to HKEY_USERS, gives you the right path for that username.

New-PSDrive HKU Registry HKEY_USERS
Get-Item "HKU:\${sid}"
ravikanth
  • Ok, do you know how to programmatically (PowerShell) load a user hive, like it can be done with regedit.exe? – JPBlanc Jun 06 '12 at 07:03
  • You meant something similar to the reg.exe LOAD option? – ravikanth Jun 06 '12 at 08:33
  • @JPBlanc Looks like there's no support in .NET and subsequently PowerShell to do that. You'll have to P/Invoke the Windows API using RegLoadKey(). Check this out - http://www.csharphelp.com/2007/01/registry-ins-and-outs-using-c/ – Andy Arismendi Jun 06 '12 at 08:51
  • Thanks @Andy Arismendi, that's what I suspected. – JPBlanc Jun 06 '12 at 09:07
  • 1
    Hi, thanks a lot for that answer. However, I can find the SID of the other user the way you described, but I get a SID that I cannot see when I open regedit.exe. So the question is how can I finally add or change keys of that user path? Does it have to be somehow explicitly loaded, and if so, how can that be achieved? – Erik Jun 08 '12 at 08:21
  • 2
    If you do not want a `New-PSDrive` (HKU:), it appears that you can just use `Get-Item Registry::HKEY_USERS\${sid}`. – Jeppe Stig Nielsen Sep 04 '16 at 00:19
7

This answer is not complete, as HKEY_USERS does not contain all the users, just those that are currently active.

You'll need to load the registry hive for the user(s) you want to work with using

reg load hku\ThatUserName C:\Users\ThatUserName\NTUSER.DAT

See this SO answer for an example of how to load the registry hive for all the user(s).

You can then access the registry for that user with

Set-Location HKU:\ThatUserName

Or call New-PSDrive to give the user's registry its own drive, like so:

New-PSDrive -Name HKThatUser -PSProvider Registry -Root HKEY_USERS\ThatUserName
Set-Location HKThatUser:

Be sure to unload the registry, and do garbage collection to ensure the hive is released when done:

reg unload hku\ThatUserName
[gc]::collect()

See this post for more info

David Cobb
    The part to ensure the hive is released is important. I had to switch the order to `[gc]::collect() [GC]::WaitForPendingFinalizers() reg unload hku\ThatUserName`. Otherwise I get a permission denied error when unloading. If I don't unload it the changes to the registry aren't saved. – absynce Feb 24 '15 at 21:01
  • @absynce upvoted but unfortunately not a correct answer, the key has to be closed regardless of whether it is used or not before calling `reg unload`, see here: https://learn.microsoft.com/en-us/dotnet/api/microsoft.win32.registrykey.close?view=netframework-4.8 – metablaster Oct 23 '20 at 11:24
3

This does it for me

ls 'hklm:software/microsoft/windows nt/currentversion/profilelist' | ? {
  $_.getvalue('profileimagepath') -match 'Steven'
} | % pschildname


Zombo
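Putting the three answers together (SID lookup, loading and unloading the hive, and the ProfileList lookup) into one routine that audits the per-user Run key of an account that may not be logged in, as an added example that is not code from any of the answers above. It assumes an elevated PowerShell session and that 'SomeLocalUser' is an existing local account name.

```powershell
# Added example, not from any answer above: audit the per-user Run key of a local
# account that may not be logged in. Requires an elevated PowerShell session.
function Get-UserRunEntries {
    param([Parameter(Mandatory)][string]$UserName)

    # Account name -> SID (first answer)
    $account = New-Object System.Security.Principal.NTAccount($UserName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # ProfileList maps the SID to the profile folder that holds NTUSER.DAT (third answer)
    $profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    if (-not (Test-Path $profileKey)) { throw "No local profile for $UserName ($sid)" }
    $hivePath = Join-Path (Get-ItemProperty $profileKey).ProfileImagePath 'NTUSER.DAT'

    # HKEY_USERS only holds loaded hives; load this one if it is not there (second answer)
    $hiveRoot = "Registry::HKEY_USERS\$sid"
    $loadedHere = $false
    if (-not (Test-Path $hiveRoot)) {
        & reg.exe load "HKU\$sid" $hivePath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load of $hivePath failed" }
        $loadedHere = $true
    }

    $key = $null
    try {
        $runKey = "$hiveRoot\Software\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path $runKey) {
            $key = Get-Item $runKey          # RegistryKey object: holds an open handle
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ User = $UserName; Name = $name; Command = $key.GetValue($name) }
            }
        }
    }
    finally {
        # Close the handle and let finalizers run before unloading, otherwise
        # reg unload fails with access denied (see the comments on the second answer)
        if ($key) { $key.Close() }
        if ($loadedHere) {
            [gc]::Collect()
            [gc]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$sid" | Out-Null
        }
    }
}

Get-UserRunEntries -UserName 'SomeLocalUser'   # 'SomeLocalUser' is an assumed account name
```

If the account is currently logged in, its hive is already under HKEY_USERS and the function only reads it, leaving the load/unload step to the session that owns it.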