
I'm currently working on a PowerShell tool that reads from the registry remotely via the Remote Registry Service. When a user is logged in, the data I'm reading from is located in HKCU\Software\. Obviously, when a computer has multiple user accounts, HKCU will not accurately reflect all users. Is there a dynamic way where I can loop through all users on a computer and access their registries?

Currently I'm doing the following in PowerShell:

# Hive to open: HKCU, i.e. the profile of whoever is logged on (see the question)
$KeyType = [Microsoft.Win32.RegistryHive]::CurrentUser
# Connect to that hive on the remote machine through the Remote Registry service
$BaseRegKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($KeyType, $RemoteComputer)
# $SoftwarePathEnding is the path below HKCU\Software that holds the data of interest
$SoftwareKey = $BaseRegKey.OpenSubKey($SoftwarePathEnding)

How would I be able to use similar code to loop through all users to get the right data I'm looking for?

Sorry if this isn't explained too well and if I'd need to provide some clarification.

Chiggins

1 Answer

HKCU is a shortcut to HKU\<User-SID>, where the ntuser.dat from the user's profile is loaded at login. To get access to every user's registry branch you need to load each user's ntuser.dat first, e.g. by running reg load on the remote host via Invoke-Command.

Invoke-Command -ComputerName 'hostname' -ScriptBlock {
    # Mount the user's hive file under HKU\someuser; it then reads like HKCU does for that user
    & reg load 'HKU\someuser' 'C:\Users\someuser\ntuser.dat'
}

Don't forget to reg unload the file after you're done.

Ansgar Wiechers
  • Right on, I like that answer. I was hoping to go with something without having to run commands on the remote host, but this makes sense. Thank you. – Chiggins Feb 01 '19 at 05:52
  • 1
    To clarify 'shortcut', `HKEY_CURRENT_USER` is a predefined key handle that the API automatically maps to a handle for "\Registry\User\" for the current process. It's not obviously meaningful to use this handle with a remote registry. `HKEY_USERS` is another predefined handle, which gets mapped either to a handle for the local "\Registry\User" or an RPC handle for this key on a remote system. Using predefined handles simplifies the API for current-user and remote access. IMO, the way the names of predefined handles get used in path strings obfuscates that it's a handle-relative path. – Eryk Sun Feb 01 '19 at 08:14
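The approach from the answer above, carried through as an added example that is not the answerer's own code: on the remote host, enumerate every local profile from the ProfileList key, read hives of logged-on users in place under HKU\<SID>, load the remaining ntuser.dat files temporarily, and unload them afterwards. $RemoteComputer, $SubKeyPath and $ValueName are placeholders to fill in.

```powershell
# Added example; placeholders below are assumptions, not values from the question.
param(
    [string]$RemoteComputer = 'hostname',            # placeholder
    [string]$SubKeyPath     = 'Software\ExampleApp', # placeholder, relative to the user hive
    [string]$ValueName      = 'Setting'              # placeholder
)

Invoke-Command -ComputerName $RemoteComputer -ArgumentList $SubKeyPath, $ValueName -ScriptBlock {
    param($SubKeyPath, $ValueName)

    # ProfileList maps every local profile SID to its profile directory.
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($entry in Get-ChildItem $profileList) {
        $sid  = $entry.PSChildName
        $dir  = (Get-ItemProperty $entry.PSPath).ProfileImagePath
        $hive = Join-Path $dir 'ntuser.dat'
        if (-not (Test-Path $hive)) { continue }   # profile without a hive file

        # A key already present under HKU\<SID> is a logged-on user's hive: read it in place.
        $loadedHere = $false
        if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
            # reg load needs exclusive access; it fails if the file is locked by another process.
            & reg.exe load "HKU\$sid" $hive | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $sid"; continue }
            $loadedHere = $true
        }
        try {
            $key = "Registry::HKEY_USERS\$sid\$SubKeyPath"
            if (Test-Path $key) {
                [pscustomobject]@{
                    SID     = $sid
                    Profile = $dir
                    Value   = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
                }
            }
        }
        finally {
            if ($loadedHere) {
                # Drop provider handles first, otherwise reg unload reports the key as in use.
                [gc]::Collect()
                & reg.exe unload "HKU\$sid" | Out-Null
            }
        }
    }
}
```

Running the script block on the remote host requires PowerShell Remoting and administrative rights there; the Remote Registry service alone cannot load a hive file.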