
I've created a service account for a scheduled task on our 2008R2 server. The task runs a PowerShell script, which will, among other things, download an archive from a Linux server every time it is run using PuTTY's PSCP.

However, it does not work, since the service account has never connected to that server before, and does not know its host key. Reading the manual and searching, it turns out that these keys are stored in the registry, under HKEY_USERS\<SID>\Software\SimonTatham\PuTTY\SshHostKeys.

But here is the problem: since it is not allowed local login, the service account does not have a local profile, so it does not have an entry in HKEY_USERS.

How can this be fixed? I doubt it'd be a very good idea to just create the SID key under HKEY_USERS, but there must be some workaround? Could I put this in some default user key?

Law29
carlpett
  • can you grant a temporary local login? – tony roth Mar 27 '12 at 19:56
  • I was thinking about doing that as a last resort. We will need to do this on several more servers in the future, and it's a manual step (or rather half a dozen manual steps) I'd rather avoid. – carlpett Mar 27 '12 at 20:03
  • Does the service account not have a profile folder in %SystemDrive%\Users? – Chris McKeown Mar 27 '12 at 20:52
  • Haven't tested, but have you tried creating something under `HKEY_USERS\.DEFAULT\Software\SimonTatham\PuTTY\SshHostKeys` perhaps? – Zoredache Mar 27 '12 at 21:56
  • @ChrisMcK: Nope. Those are created upon first (interactive?) login, aren't they? And this account has only logged in as a batch job. – carlpett Mar 28 '12 at 05:27
  • @Zoredache: Good idea, but sadly it doesn't seem to work :( – carlpett Mar 28 '12 at 05:28
  • @carlpett: I did wonder about that. The user's registry hive is loaded from NTUSER.DAT under the profile folder, and attached under HKEY_USERS at login and detached at logoff. The local system account, for example, has its NTUSER.DAT stored in C:\Windows\System32\config\systemprofile. If your service account does have its own registry hive, it must be on the filesystem somewhere. – Chris McKeown Mar 28 '12 at 07:50
  • Sadly, I get this each time the job is run: `Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.`. So I suppose I need to log in after all. – carlpett Mar 28 '12 at 19:59

1 Answer


Ideally, direct support in PuTTY for a command line option to "pre accept" a host key or turn off host key checking altogether would be the easiest solution. However, it doesn't look like that feature will be here anytime soon.

However, you've already got a PowerShell script running that should be capable of writing to its own HKEY_CURRENT_USER registry hive. And I assume the host key of your Linux server isn't changing that often. So why not just have the PowerShell script write the appropriate value to the registry before it starts making the pscp calls?

```powershell
# Create the SshHostKeys key first; in a fresh profile it does not exist yet and Set-ItemProperty would fail.
New-Item -Path "HKCU:\Software\SimonTatham\PuTTY\SshHostKeys" -Force | Out-Null
Set-ItemProperty "HKCU:\Software\SimonTatham\PuTTY\SshHostKeys" "{name}" "{value}"
```

You find the {name} and {value} from another user's session who has already accepted the key. HKEY_USERS\<SID> is the same as the root of HKEY_CURRENT_USER for the user who matches that SID. So as long as you reference HKEY_CURRENT_USER from both accounts, the path to the host keys should be the same.

Ryan Bolger
  • Hi! Yeah, I read that "we won't fix it"-note. Would be great if I could at least supply the host key I expect, but no such luck... The problem with your suggested approach as I see it is that there is no `HKEY_USERS\[...]` for this user, since it has never logged on. I don't think just creating it with regedit is going to be a very good idea, or am I just cowardly? – carlpett Mar 28 '12 at 21:24
  • The HKCU hive is created as soon as your task starts running as that user for the first time on the machine. You don't need to pre-create anything. Just include a line in the script right before the pscp calls that writes the value you need. – Ryan Bolger Mar 29 '12 at 18:13
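Putting the answer together as a runnable script (an added example, not code from the original post or from PuTTY): the pinned name/value pair, server name, key file and paths are placeholders to be replaced with the entry copied from a session where the fingerprint was verified out of band. It also refuses to overwrite an entry that no longer matches the pinned value, which is the mismatch host-key checking exists to catch.

```powershell
# Added example: pin a previously verified PuTTY host key in the scheduled-task
# account's own HKCU hive, then run pscp in non-interactive mode.
# Assumptions: server name, key data and file paths below are placeholders; copy the
# real name/value pair from HKCU:\Software\SimonTatham\PuTTY\SshHostKeys in the
# session of a user who verified the server's fingerprint out of band.

$HostKeyPath = 'HKCU:\Software\SimonTatham\PuTTY\SshHostKeys'

# PuTTY names each entry "<keytype>@<port>:<host>"; the data is the key in PuTTY's own format.
$PinnedKeys = @{
    'rsa2@22:linuxbox.example.internal' = '0x10001,0x<modulus copied from a verified session>'
}

function Set-PinnedHostKey {
    param([string]$Name, [string]$Value)

    # Create the key on the first run; the task account's hive starts out empty.
    if (-not (Test-Path $HostKeyPath)) {
        New-Item -Path $HostKeyPath -Force | Out-Null
    }

    $existing = (Get-ItemProperty -Path $HostKeyPath -ErrorAction SilentlyContinue).$Name
    if ($null -eq $existing) {
        Set-ItemProperty -Path $HostKeyPath -Name $Name -Value $Value
        return
    }
    # Never silently replace a key that differs from the pinned one: a changed
    # host key is exactly the condition the check is meant to surface.
    if ($existing -ne $Value) {
        throw "Host key for '$Name' differs from the pinned value; refusing to overwrite."
    }
}

foreach ($entry in $PinnedKeys.GetEnumerator()) {
    Set-PinnedHostKey -Name $entry.Key -Value $entry.Value
}

# -batch disables all interactive prompts, so an unknown or changed key makes pscp
# fail instead of leaving the scheduled task waiting for a y/n answer.
& 'C:\Program Files (x86)\PuTTY\pscp.exe' -batch -i 'C:\Keys\task-account.ppk' `
    'svc@linuxbox.example.internal:/srv/export/archive.tar.gz' 'D:\Incoming\archive.tar.gz'
if ($LASTEXITCODE -ne 0) { throw "pscp failed with exit code $LASTEXITCODE" }
```

Later PuTTY releases added a `-hostkey` option that pins the expected key on the command line, which removes the registry step entirely where upgrading is an option.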