1

I'm trying to clean up a big mess of random mapped network drives. All our network drives have been mapped on a per-user basis (causing `gwmi win32_mappedlogicaldisk` to come up empty).

I'm trying to remotely access the registry of each workstation and list the contents of `HKCU:\Network`, but when I run this:

```powershell
$Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("CurrentUser", $computername)
$Reg.GetSubKeyNames()
```

I get only the following output:

```
AppEvents
Console
Control Panel
Environment
Identities
Keyboard Layout
Printers
Software
UNICODE Program Groups
```

More than a few subkeys are missing. If I run the same command on my local machine, all subkeys are displayed.

Why can't I access these subkeys, and how can I work around it?

rtf

2 Answers

2

`HKEY_CURRENT_USER` doesn't really exist per se. It's just a projection of `HKEY_USERS\<SID>` of the currently logged-on user and is merely provided for your viewing convenience.

Ryan Ries
1

The HKCU hives are located in the user's profile directories. They aren't a part of the main registry hive (`%SystemRoot%\System32\Config`).

You can get a list of active hives for a machine from `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist`.

Katherine Villyard
  • Interesting. I'm seeing `REGISTRY\USER\.DEFAULT` under `hivelist`. Is it only loading the default values? Can I access HKCU remotely or will I have to get the target user's SID first? – rtf Jul 09 '13 at 22:35
  • I'm pretty sure you're going to have to run the script as the actual user. Perhaps as an AD logon script? – Katherine Villyard Jul 09 '13 at 22:44
  • Ended up getting the user's SID and running `$Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("Users", $computername); $RegKey= $Reg.OpenSubKey("$SID\\Network")` instead. Worked well. – rtf Jul 09 '13 at 23:39
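
An added example (not code posted by anyone in this thread) that generalizes the approach from the last comment: instead of looking up one SID first, it walks every user hive currently loaded under `HKEY_USERS` on the remote machine and reports the persistent mappings stored under each `Network` key. The function name `Get-RemoteMappedDrive` and the computer name `WS-EXAMPLE01` are hypothetical; it assumes the Remote Registry service is running on the target and that the caller has administrative rights there.

```powershell
# Added example: inventory per-user mapped drives through HKEY_USERS.
# Hypothetical names: Get-RemoteMappedDrive, WS-EXAMPLE01.
function Get-RemoteMappedDrive {
    param(
        [Parameter(Mandatory)][string]$ComputerName
    )

    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $ComputerName)
    try {
        # Only hives of users whose profile is currently loaded appear here.
        # The pattern skips .DEFAULT, S-1-5-18/19/20 and the *_Classes hives.
        $sids = $hku.GetSubKeyNames() |
            Where-Object { $_ -match '^S-1-5-21-[\d-]+$' }

        foreach ($sid in $sids) {
            $network = $hku.OpenSubKey("$sid\Network")
            if ($null -eq $network) { continue }   # no persistent mappings

            # Resolve the SID to an account name from the calling machine.
            # Accounts that cannot be resolved keep the raw SID.
            try {
                $sidObj  = [System.Security.Principal.SecurityIdentifier]$sid
                $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $sid
            }

            # Each subkey of Network is a drive letter; RemotePath holds the UNC path.
            foreach ($letter in $network.GetSubKeyNames()) {
                $drive = $network.OpenSubKey($letter)
                [pscustomobject]@{
                    ComputerName = $ComputerName
                    User         = $account
                    Sid          = $sid
                    Drive        = "${letter}:"
                    RemotePath   = $drive.GetValue('RemotePath')
                }
                $drive.Close()
            }
            $network.Close()
        }
    } finally {
        $hku.Close()
    }
}

Get-RemoteMappedDrive -ComputerName 'WS-EXAMPLE01' | Format-Table -AutoSize
```

Users who are not logged on have no hive loaded under `HKEY_USERS`, so their mappings do not appear in this output.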