5

I have a registry key visible when queried as a normal user account using powershell or in regedit. But when I run powershell or regedit as an admin, it does not appear:

Non-admin:

PS C:\> Get-ChildItem HKLM:\software\microsoft\windows\currentversion\uninstall | % {Get-ItemProperty $_.PSPath}  | ? { $_.DisplayName -eq "Docker Desktop" }


DisplayIcon     : C:\Program Files\Docker\Docker\Docker Desktop Installer.exe
DisplayName     : Docker Desktop
DisplayVersion  : 2.2.0.4
Version         : 43472
InstallLocation : C:\Program Files\Docker\Docker
NoModify        : 1
NoRepair        : 1
Publisher       : Docker Inc.
ChannelName     : stable
ChannelUrl      : https://download.docker.com/win/stable/appcast.xml
UninstallString : "C:\Program Files\Docker\Docker\Docker Desktop Installer.exe" uninstall
PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\unin
                  stall\Docker Desktop
PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\unin
                  stall
PSChildName     : Docker Desktop
PSProvider      : Microsoft.PowerShell.Core\Registry

Admin:

PS C:\> Get-ChildItem HKLM:\software\microsoft\windows\currentversion\uninstall | % {Get-ItemProperty $_.PSPath}  | ? { $_.DisplayName -eq "Docker Desktop" }
PS C:\>

The same behaviour is observed when running regedit as an admin and a non-admin. I am using Avecto DefendPoint to run a command prompt (and regedit) as admin - I am not a member of the local admins group. This might have something to do with it but I am able to create and delete keys under this registry path. Interestingly, I can create a "Docker Desktop" key as an admin, it doesn't fail due to a key already existing. I have tried RegDelNull but it's not an embedded null problem.

I am trying to delete the registry key as Docker Desktop is still in Add/Remove Programs. I wasn't able to uninstall it from there but followed the steps in https://success.docker.com/article/how-to-completely-remove-docker-in-windows-10

nonpoliticaltag

1 Answer

2

There are "automagic" bitness redirections in the registry.

For instance, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall might be mapped to HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall on 64-bit systems, depending on the API used to retrieve the registry keys.

I experienced a lot of strange registry behavior when it comes to bitness mapping depending on the user (see https://github.com/poweradminllc/PAExec/issues/29 for instance).

I'd suggest you use Microsoft PSTools PSExec to invoke regedit (or your PowerShell script) as the system user, then have a look at both of the above locations.

C:\>PSExec.exe -i -s regedit

Hope this helps :)

Edit: Although very unlikely, you may also have a look at the user-specific registry hives, i.e. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall as the standard user.

Once regedit is launched as admin, navigate to HKEY_USERS\S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall where the SID (S-1-5-21-*-1001) is the SID of your non-admin user.

The SID can be obtained with the whoami /user command.

Orsiris de Jong
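The locations named in the answer above can be compared in one pass. This is an added example, not part of the original answer: the function name Find-UninstallEntry is hypothetical, and it opens the 64-bit and 32-bit views of HKLM explicitly, plus the running user's HKCU hive, so the result does not depend on the bitness of the calling process.

```powershell
# Added example (hypothetical helper): search the Uninstall key for a
# DisplayName in the 64-bit view, the 32-bit (WOW6432Node) view and HKCU.
function Find-UninstallEntry {
    param(
        [Parameter(Mandatory)][string]$DisplayName   # exact match
    )
    $subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $targets = @(
        @{ Hive = 'LocalMachine'; View = 'Registry64' },
        @{ Hive = 'LocalMachine'; View = 'Registry32' },
        @{ Hive = 'CurrentUser';  View = 'Default'    }
    )
    foreach ($t in $targets) {
        $hive = [Microsoft.Win32.RegistryHive]$t.Hive
        $view = [Microsoft.Win32.RegistryView]$t.View
        # OpenBaseKey pins the registry view instead of relying on redirection.
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
        $root = $base.OpenSubKey($subKey)            # read-only; $null if absent
        if ($null -ne $root) {
            foreach ($name in $root.GetSubKeyNames()) {
                try   { $entry = $root.OpenSubKey($name) }
                catch { Write-Warning "Cannot open '$name': $_"; continue }
                if ($null -eq $entry) { continue }
                if ($entry.GetValue('DisplayName') -eq $DisplayName) {
                    [pscustomobject]@{
                        Hive            = $t.Hive
                        View            = $t.View
                        Key             = $entry.Name
                        UninstallString = $entry.GetValue('UninstallString')
                    }
                }
                $entry.Dispose()
            }
            $root.Dispose()
        }
        $base.Dispose()
    }
}

# Print the account and SID this session runs as, then the matching entries.
# Run once elevated and once as the standard user, and compare the output.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
"Running as: $($id.Name) ($($id.User.Value))"
Find-UninstallEntry -DisplayName 'Docker Desktop' | Format-List
```

If the entry shows up only under CurrentUser in the non-elevated run, the elevated session is running under a different account and therefore a different HKCU hive; the printed SID is the one to look up under HKEY_USERS.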