What is the path for the NT AUTHORITY\SYSTEM registry hive?


If I open the registry with the SYSTEM account in Windows by using the PSExec tool from SysInternals:

psexec -i -s regedit

and I change an entry, for example, here:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

... I presume that a corresponding NTUSER.DAT file will be modified.

What is the path to this NTUSER.DAT file?

Sopalajo de Arrierez

Posted 2014-07-28T00:45:18.307

Reputation: 5 328

I think it's c:\windows\system32\config\systemprofile. – LawrenceC – 2014-07-28T00:56:42.550

What version of Windows? – I say Reinstate Monica – 2014-07-28T01:56:50.537

Well, @ultrasawblade, in fact there is a ntuser.dat file there. I am trying to browse it from linux's tool chntpw to check what it is, but the key \Software\Microsoft\ only contains a tree named CTF. There is nothing about the rest of the HKEY_CURRENT_USER tree. – Sopalajo de Arrierez – 2014-07-28T01:56:57.910

@Twisty, I am testing this matter with Windows XP SP3 and Windows 7. I think most Windows versions behave the same way. – Sopalajo de Arrierez – 2014-07-28T01:59:35.703

Not true. I believe Windows 7 stores the LocalSystem and NetworkService registry hives at 'C:\Windows\ServiceProfiles\LocalService\ntuser.dat' and 'C:\Windows\ServiceProfiles\NetworkService\ntuser.dat' respectively. These folders don't exist on XP. – I say Reinstate Monica – 2014-07-28T02:17:39.623

Well, @Twisty, I have just made the change above (the CurrentVersion\Run key), and according to its modification date, none of these last two ntuser.dat files seem to be what we seek. – Sopalajo de Arrierez – 2014-07-28T02:34:38.843

@Twisty: as it happened with the @ultrasawblade suggestion above, I have edited those ntuser.dat files, and they have only the CTF tree inside. – Sopalajo de Arrierez – 2014-07-28T02:50:30.453

@SopalajodeArrierez - The path would be C:\Users\<username>, because the Run key in HKEY_CURRENT_USER implies that it must be associated with that specific user profile. – Ĭsααc tիε βöss – 2014-07-28T11:10:08.497

@Ĭsααctիεβöss, the HKEY_CURRENT_USER registry tree, when opened via psexec -s, is a different one than if I open it via simple regedit, so I must suppose <username> here should be something like SYSTEM, and there is no c:\Users\SYSTEM folder in Windows computers. – Sopalajo de Arrierez – 2014-07-28T14:16:51.597

Answers


Contrary to common intuition, the ntuser.dat file in LocalSystem's user profile folder (\Windows\System32\config\systemprofile) is not the source of HKEY_CURRENT_USER for applications running as SYSTEM. As far as I can tell, it's not actually used for anything, and it contains very little information.

In reality, the HKCU for applications running as SYSTEM is .DEFAULT under HKEY_USERS. (I'll address another common misconception: .DEFAULT isn't the template for new user profiles, ntuser.dat in \Users\Default is.) .DEFAULT is stored on disk in a file called \Windows\System32\config\DEFAULT. See the MSDN article on Registry-backing files.

Also interesting: the list of the backing files for the various Registry hierarchies, including .DEFAULT, can be found in HKLM\SYSTEM\CurrentControlSet\Control\hivelist.

Ben N

Posted 2014-07-28T00:45:18.307

Reputation: 32 973

Is this expected to be valid for any version of Windows? – Sopalajo de Arrierez – 2015-09-17T20:35:21.443

@SopalajodeArrierez Essentially yes, from Windows NT and on, with appropriate substitution of \WinNT for \Windows and \Documents and Settings for \Users on Windows XP. Further reading at TechNet. – Ben N – 2015-09-17T21:22:34.003
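The accepted answer says SYSTEM's HKCU is really HKEY_USERS\.DEFAULT, backed by \Windows\System32\config\DEFAULT, and that hivelist records the backing file. The script below, an added example that is not part of the original thread, verifies both claims on a live machine and audits the Run key that SYSTEM-context software actually reads, which is where a defender should look for autoruns that never show up under a normal user's HKCU. It assumes Windows PowerShell 5.1 or later in an elevated session; the hivelist value name '\REGISTRY\USER\.DEFAULT' is the kernel-side name Windows uses for HKU\.DEFAULT.

```powershell
# Added example (not from the original post). Run elevated; read-only except for the PSDrive mapping.

# 1. Resolve HKU\.DEFAULT to its on-disk hive via hivelist (data is an NT object path, e.g.
#    \Device\HarddiskVolume2\Windows\System32\config\DEFAULT, matching the answer above).
$hivelist   = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
$defaultHive = $hivelist.GetValue('\REGISTRY\USER\.DEFAULT')
Write-Output "HKU\.DEFAULT is backed by: $defaultHive"

# 2. Map HKEY_USERS as a drive (not mapped by default) and read the key that
#    'psexec -s regedit' shows as HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runKey = 'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -Path $runKey) {
    $entries = Get-ItemProperty -Path $runKey
    # Drop the PS* metadata properties so only real value names (autorun entries) remain.
    $entries.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Output ("{0} = {1}" -f $_.Name, $_.Value) }
} else {
    Write-Output "No Run key under HKU\.DEFAULT (nothing set to autorun in SYSTEM's HKCU)."
}

# 3. Compare modification times of the real backing file and the files the thread initially
#    suspected; only the DEFAULT hive should move after a change made under psexec -s.
Get-Item -Force -ErrorAction SilentlyContinue -Path @(
    "$env:SystemRoot\System32\config\DEFAULT",
    "$env:SystemRoot\System32\config\systemprofile\ntuser.dat",
    "$env:SystemRoot\ServiceProfiles\LocalService\ntuser.dat",
    "$env:SystemRoot\ServiceProfiles\NetworkService\ntuser.dat"
) | Select-Object -Property FullName, LastWriteTime | Format-Table -AutoSize
```

On Windows versions before Vista substitute the path differences noted in the comment above (\WinNT, \Documents and Settings); the hivelist lookup itself is version-independent.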