Remotely identify currently loaded user Registry branch

-1

I know that HKCU is a reference to the HKU\<SID> of the currently logged-on user.

How can I determine which user profile has been referenced by the current instance of HKCU? Can I determine this from a remote command prompt?

I need to modify a setting in the currently logged-on user's HKCU branch of the Registry on a remote Windows 7 Pro PC. Unfortunately I cannot connect using the Remote Registry functionality in regedit.exe. I do have access to a remote Command Prompt via PSEXEC.

I say Reinstate Monica

Posted 2014-11-24T20:56:13.217

Reputation: 21 477

There are a lot of tips in this article: Getting the Username from the HKEY_USERS values at StackOverflow.

– JosefZ – 2014-11-25T00:03:19.340

Thanks. I reviewed that question but unfortunately it does not address my question of how to figure out which branch from HKU has been loaded into HKCU. – I say Reinstate Monica – 2014-11-25T02:28:35.020

Answers

1

The easy part of determining the user's details (SID included) for the currently logged-on user is finding the domain and username. That can be achieved from the command line by issuing the wmic query:

wmic /node:<remotepc> computersystem get username

where <remotepc> is the computer name or IP address of the machine to be processed. This command returns output in the form

<domain>\<username>

where <domain> is either the computer name or the AD domain. After we obtain that info, we can then proceed to determine the SID of that user.

If the user account is local to the computer, then his SID can again be read via wmic, by issuing the command:

wmic /node:<remotepc> useraccount where 'name = "<username>"' get name, sid

where <username> is the value determined in the previous step.

An alternative method is to use a remote registry query, like this:

reg query \\<remotepc>\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\1 /v LoggedOnUserSID

again, <remotepc> being the computer name or IP address of the computer of interest. That this is indeed the SID of the logged-on user can be verified by inspecting the return of the registry key:

reg query \\<remotepc>\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\1 /v LoggedOnUser

which should match the output of the first wmic query. And that's the easy case.

The (much) harder case is when the logged-on user is not a local account but an AD one. Then the SID of the domain user cannot be determined by the wmic useraccount query, so it cannot be matched against the output of the wmic computersystem username query.

The username and domain information is held in two system environment variables, %USERDOMAIN% and %USERNAME%, which are fortunately also mirrored under the following registry key:

HKEY_USERS\<SID>\Volatile Environment

That fact gives us a way to determine the SID of the currently logged-on domain user, by issuing this registry query against the remote computer:

reg query "\\<remotepc>\HKEY_USERS" /s /c /k /e /f "Volatile Environment"

From the output of this command we can extract the SID of the currently logged-on user (verified by matching the USERDOMAIN and USERNAME values under that key against the <domain>\<username> obtained from the first wmic computersystem query), and consequently the HKEY_USERS branch that the HKEY_CURRENT_USER registry hive alias refers to.

This solution works on various versions of Windows, including 7 and 10, and uses only tools available from the command line interface. It must be noted, though, that for the remote queries (both wmic and reg) to work, they must be run in the context of an administrative account that is present and equivalent on both the local and the remote computer.

G.100sic

Posted 2014-11-24T20:56:13.217

Reputation: 11
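The procedure above (logged-on account from Win32_ComputerSystem, then the HKEY_USERS key whose Volatile Environment carries the same USERDOMAIN\USERNAME, cross-checked against LogonUI SessionData) as one PowerShell function. This is an added example, not code from the answer; it assumes it is run on the target machine itself (for instance in the PSExec command prompt), uses Get-WmiObject because Windows 7 ships with PowerShell 2.0, and the function, parameter and property names are this example's own.

```powershell
# Added example (not from the answer): resolve which HKEY_USERS\<SID> key the
# console user's HKCU aliases, using the Volatile Environment match described above.
# Assumes it runs locally on the target (e.g. from the PSExec prompt).
function Resolve-LoggedOnUserHive {
    [CmdletBinding()]
    param(
        # "<domain>\<username>" as reported by Win32_ComputerSystem.UserName;
        # defaults to the interactively logged-on user of this machine.
        [string]$Account = (Get-WmiObject -Class Win32_ComputerSystem).UserName
    )
    if (-not $Account) { throw 'Win32_ComputerSystem reports no interactively logged-on user.' }
    $domain, $user = $Account -split '\\', 2

    # SIDs that LogonUI recorded for its sessions (the answer's LoggedOnUserSID check).
    $sessionSids = Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\*' `
        -Name LoggedOnUserSID -ErrorAction SilentlyContinue |
        ForEach-Object { $_.LoggedOnUserSID }

    # Candidate hives: account SIDs only (skips S-1-5-18/19/20 and the "<SID>_Classes" keys).
    $candidates = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($key in $candidates) {
        $sid = $key.PSChildName
        $vol = Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\Volatile Environment" -ErrorAction SilentlyContinue
        if (-not $vol) { continue }   # hive is loaded, but no interactive logon created Volatile Environment

        # The same comparison the answer does by eye: USERDOMAIN\USERNAME vs. <domain>\<username>.
        if ($vol.USERDOMAIN -eq $domain -and $vol.USERNAME -eq $user) {
            # Independent cross-check: translate the SID back to an account name
            # (works for local and for domain SIDs when the domain is reachable).
            $translated = $null
            try {
                $translated = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { }

            [pscustomobject]@{
                Account           = $Account
                SID               = $sid
                HiveKey           = "HKEY_USERS\$sid"
                SidTranslatesBack = ($translated -eq $Account)
                InLogonUISession  = ($sessionSids -contains $sid)
            }
        }
    }
}

# Usage: $hive = Resolve-LoggedOnUserHive
# Then edit under "Registry::$($hive.HiveKey)\Software\..." rather than HKCU:.
```

The point of returning the HKEY_USERS path instead of using HKCU: in a PSExec shell, HKCU is the hive of whatever account PSExec launched the shell as (for SYSTEM that is HKU\.DEFAULT), not the hive of the user at the console, so writing to HKCU there silently changes the wrong profile.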

1

The problem I see is that there is not only one HKCU, but an HKCU for each of the users logged in to the system, service accounts included.

Having access to psexec, if you also have handle.exe (also from Sysinternals) at hand, you can try

handle .log1

to show the log files associated with the open hive .dat files. Knowing the .dat, the keys under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

should point to the searched SID.

MC ND

Posted 2014-11-24T20:56:13.217

Reputation: 1 286

I shall try this, but I'm most interested in a way to make the identification from examining the Registry alone. – I say Reinstate Monica – 2014-11-26T13:45:26.297

0

Here's my contribution: two ways to get the SID on a local computer (XP and Win7). Username added from different sources for verification.

How the script works: the pivotal idea comes from the observation that:

#1. The user profile hive (HKEY_CURRENT_USER, abbr. HKCU) is mounted into the registry once a user logs on to a computer, and HKCU is a moniker (alias) only for the HKEY_USERS\<SID> registry key, where <SID> abbreviates the security identifier (SID) of the user's account.

#2. One can see a list of all registry hives that are currently mounted, under any name, as values in the following registry key. Here the value name gives the internal registry path (and contains <SID> for subpaths under HKEY_USERS) and the value data is the path to the hive's supporting file(s) (the current user's supporting file is always ntuser.dat): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

#3. The correspondence of user name and <SID> can be found by WMIC.

#3a. (Honestly, there is a registry key as well, but this key is omitted in the script for the present: presumed as a ToDo.) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Brief procedure description: the script seeks matches among the three sources mentioned above, per axioms #1 and #3, always against the items in the hivelist key (cf. #2).

What the script output looks like, and the matching criteria

Chapter 0 - . HKLM\...\Winlogon defaults. No seeking. Echoes only the %USERNAME% environment variable and some user-related values from the following registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Chapter 1 - . wmic SID => HKLM\...\hivelist. Seeks every SID from the WMIC query (#3) for a match in the value name of #2.

Chapter 2 - . HKU SID => HKLM\...\hivelist. Seeks every SID from HKEY_USERS\<SID> (#1) for a match in the value name of #2. Gives a false positive match for <SID>_Classes.

Chapter 3 - . %USERNAME% => HKLM\...\hivelist. Seeks %USERNAME% for a match in the value data of #2. Could be updated to seek every user name of #3, but matching by SID is considered more reliable.

Chapter 4 - . ProfileList SID => HKLM\...\hivelist (ToDo): Seeks every SID from the ProfileList registry key (#3a) for a match in the value name of #2.

@ECHO OFF >NUL
@rem SETLOCAL enableextensions enabledelayedexpansion
@rem Chapter 0: echo the USERNAME environment variable and the Winlogon default user/domain values, no matching
@echo .
@echo . HKLM^\...^\Winlogon defaults:
@echo .
@echo        UserName     "%USERNAME%" ^(environment^)
call :regquery DefaultUserName "   "
call :regquery DefaultDomainName "                "
call :regquery AltDefaultUserName ""
call :regquery AltDefaultDomainName "             "

@rem Chapter 1: every SID from wmic useraccount, matched against the hivelist value names
@echo .
@echo . wmic SID =^> HKLM^\...^\hivelist:
@echo .
@echo user "%USERNAME%" ^(environment^)
@wmic USERACCOUNT GET name, sid >getvmic.txt
if EXIST getvmic.txt (
  for /F "tokens=1,2" %%G in ('type getvmic.txt') do (
    for /F "tokens=1,2*" %%K in ('reg query ^"HKLM^\SYSTEM^\CurrentControlSet^\Control^\hivelist^" /v ^\REGISTRY^\USER^\%%H 2^>NUL ^| FIND /I "%%H"') do (
      if "%%M"=="" ( 
        @echo OFF >NUL
    ) else (
        for /F "tokens=4* delims=^\" %%P in ("%%M") do (
        @echo user "%%G" ^(wmic^)
        @echo user "%%P" ^(hivelist^)
        @echo SID  "%%H" ^(wmic^) 
        for /F "tokens=3* delims=^\" %%S in ( "%%K") do @echo SID  "%%S" ^(hivelist^)
) )
      for /F "tokens=1,2* delims=^\" %%P in ('reg query ^"HKU^" 2^>NUL ^| FIND /I "%%H"') do (
        If /I "%%Q"=="%%H" @echo SID  "%%Q" ^(HKU^)
) ) ) )

@rem Chapter 2: every SID key under HKU, matched against the hivelist value names, SID_Classes keys give false positives
@echo .
@echo . HKU SID =^> HKLM^\...^\hivelist:
@echo .
  for /F "tokens=1,2* delims=^\" %%G in ('reg query ^"HKU^" 2^>NUL') do (
    for /F "tokens=1,2*" %%K in ('reg query ^"HKLM^\SYSTEM^\CurrentControlSet^\Control^\hivelist^" /v ^\REGISTRY^\USER^\%%H 2^>NUL ^| FIND /I "%%H"') do (
      if "%%M"=="" ( 
        @echo OFF >NUL
      ) else (
        for /F "tokens=4* delims=^\" %%P in ("%%M") do (
        if "%%P"=="%USERNAME%" (
          @echo user "%USERNAME%" ^(environment^)
          @echo user "%%P" ^(hivelist^)
          if EXIST getvmic.txt (
            for /F "tokens=1,2" %%W in ('type getvmic.txt ^| FIND /I "%%P"') do (
              @echo user "%%W" ^(wmic^)
              if "%%X"=="%%H" @echo SID  "%%X" ^(wmic^)
          ) ) 
          @echo SID  "%%H" ^(HKU^)
          for /F "tokens=3* delims=^\" %%S in ( "%%K") do @echo SID  "%%S" ^(hivelist^) 
) ) ) ) ) 

@rem Chapter 3: the USERNAME environment variable, matched against the hivelist value data
@echo .
@echo . %%USERNAME%% =^> HKLM^\...^\hivelist:
@echo .
@echo user "%USERNAME%" ^(environment^)
for /F "tokens=*" %%K in ('reg query ^"HKLM^\SYSTEM^\CurrentControlSet^\Control^\hivelist^" 2^>NUL ^| FIND /I "%USERNAME%" ^| FIND /I "ntuser.dat"') do (
  for /F "tokens=1,3,7 delims=^\" %%L in ("%%K") do (
    @echo user "%%N" ^(hivelist^)
  for /F %%S in ("%%M") do (
    for /F "tokens=1,2* delims=^\" %%T in ('reg query ^"HKU^" 2^>NUL ^| FIND /I "%%S"') do (
      if /I "%%S"=="%%U" (
        if EXIST getvmic.txt (
          for /F "tokens=1,2" %%W in ('type getvmic.txt ^| FIND /I "%%U"') do (
            @echo user "%%W" ^(wmic^)
            @echo SID  "%%X" ^(wmic^)
        ) )
      @echo SID  "%%U" ^(HKU^)
) ) 
    @echo SID  "%%S" ^(hivelist^)
) ) )
goto :eof

@rem Subroutine: print one value from the Winlogon key, padded with the second argument
:regquery
for /F "tokens=1,3*" %%S in ('reg query ^"HKLM^\SOFTWARE^\Microsoft^\Windows NT^\CurrentVersion^\Winlogon^" /v %1 2^>NUL ^| FIND /I "%1"') do (
@echo %%S %~2 "%%T" ^(Winlogon^)
)
exit /B

Hope this could be usable, although I don't know which user credentials psexec runs under.

JosefZ

Posted 2014-11-24T20:56:13.217

Reputation: 9 121

This looks intriguing! Can you provide a brief "plain English" overview of what exactly this script does to accomplish its purpose? – I say Reinstate Monica – 2014-11-26T14:48:40.073

I'll try to comply with your request by updating my answer gradually. Be patient for a while and tolerant of my poor English, please. – JosefZ – 2014-11-26T15:38:48.097
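The hivelist approach from the two answers above (the handle.exe/hivelist hint and the batch script's chapters: hivelist value names, ProfileList, SID-to-name lookup) as a single PowerShell function. This is an added example, not code from either answer; it assumes it runs locally on the target machine, uses Get-WmiObject for Windows 7 compatibility, translates SIDs through the .NET SecurityIdentifier class instead of WMIC, and the function and property names are this example's own.

```powershell
# Added example (not from the answers): list every user hive currently loaded
# according to HKLM\SYSTEM\CurrentControlSet\Control\hivelist and resolve each
# SID to an account and profile folder. Assumes it runs locally on the target.
function Get-LoadedUserHive {
    $hivelist    = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    $consoleUser = (Get-WmiObject -Class Win32_ComputerSystem).UserName   # "<domain>\<username>"

    foreach ($name in $hivelist.GetValueNames()) {
        # Value names look like \REGISTRY\USER\<SID>. The anchored pattern rejects the
        # \REGISTRY\MACHINE\* hives and the "<SID>_Classes" entries that the batch
        # script's Chapter 2 reports as false positives.
        if ($name -match '^\\REGISTRY\\USER\\(S-1-5-[\d-]+)$') {
            $sid  = $Matches[1]
            $file = $hivelist.GetValue($name)   # e.g. \Device\HarddiskVolume2\Users\alice\ntuser.dat (illustrative)

            # ProfileList (the script's ToDo item #3a) maps the same SID to its profile folder.
            $profileKey = Get-ItemProperty `
                -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid" `
                -ErrorAction SilentlyContinue

            # SID -> account name via the security subsystem (replaces the WMIC lookup, #3).
            $account = $null
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { }

            [pscustomobject]@{
                SID            = $sid
                Account        = $account
                HiveFile       = $file
                ProfilePath    = $profileKey.ProfileImagePath
                HasVolatileEnv = (Test-Path -Path "Registry::HKEY_USERS\$sid\Volatile Environment")
                IsConsoleUser  = ($null -ne $account -and $account -eq $consoleUser)
            }
        }
    }
}

# Usage: Get-LoadedUserHive | Format-Table -AutoSize
```

The row with IsConsoleUser set to True is the HKEY_USERS\<SID> branch that HKCU aliases for the user at the console; the S-1-5-19 and S-1-5-20 rows are the service-account hives the second answer warns about, and a row with HasVolatileEnv False is a hive loaded without an interactive logon (a service or a scheduled task), which is why matching on the SID rather than on the user name is the more reliable criterion.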