The easy part of determining a user's details (SID included) for the currently logged-on user is finding the domain and username. That can be achieved from the command line by issuing the wmic query:
wmic /node:<remotepc> computersystem get username
where <remotepc> is a computer name or IP address which is to be processed.
This command returns output in the form
<domain>\<username>
where <domain> is either the computer name or the AD domain. After we obtain that info, we can then proceed to determine the SID of that user.
If the user account is local to the computer, then his SID can be read again via wmic, by issuing the command:
wmic /node:<remotepc> useraccount where 'name = "<username>"' get name, sid
where <username> is the one determined in the previous step.
The alternative method would be by using the remote registry query, like this:
reg query \\<remotepc>\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\1 /v LoggedOnUserSID
again, <remotepc> being a computername or IP address of the computer of interest.
That this is indeed the SID of the logged on user can be verified by inspecting the return of the registry key:
reg query \\<remotepc>\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\1 /v LoggedOnUser
which should match the output of the first wmic query.
And that's the easy case.
The (much) harder case is when the logged-on user is not a local account, but an AD one. Then the SID of the domain user cannot be determined by the wmic useraccount query, so it cannot be matched against the output of the wmic computersystem username query.
The username and domain information is held in two system environment variables, %USERDOMAIN% and %USERNAME%, which are fortunately also mirrored under the following registry key:
HKEY_USERS\<SID>\Volatile Environment
That fact gives us the chance to determine the SID of the currently logged on domain user. By issuing the registry query on the remote computer:
reg query "\\<remotepc>\HKEY_USERS" /s /c /k /e /f "Volatile Environment"
From the output of this command we are able to extract the SID of the currently logged-on user, which can be verified by matching the USERDOMAIN and USERNAME values contained under that key against the <domain>\<username> obtained from the first wmic computersystem query, and consequently the HKEY_USERS branch that is equivalent to the HKEY_CURRENT_USER registry hive alias.
This is the solution that works on various versions of Windows, including 7 and 10, and uses only tools available in the command line interface. It must be noted, though, that for the remote queries (both wmic and reg) to work, they must be run in an administrative account context that is present and equivalent on both the local and the remote computer.
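The matching step above (find the HKEY_USERS branch whose Volatile Environment values equal the <domain>\<username> reported by wmic) can be automated once the reg query output is captured. The following Python is an added example, not part of the answer; the sample output is constructed to resemble what reg query prints for the Volatile Environment keys (two loaded profiles plus a per-session subkey), and the parser tolerates extra values and subkeys it does not recognise.

```python
import re
from typing import Dict, Optional

# Constructed sample, shaped like the output of
#   reg query "\\<remotepc>\HKEY_USERS" /s /c /k /e /f "Volatile Environment"
# with one local and one domain profile loaded, plus a session subkey.
SAMPLE_REG_OUTPUT = """
HKEY_USERS\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Volatile Environment
    USERDOMAIN    REG_SZ    WS-EXAMPLE
    USERNAME    REG_SZ    localadmin

HKEY_USERS\\S-1-5-21-4444444444-5555555555-6666666666-1105\\Volatile Environment
    USERDOMAIN    REG_SZ    CONTOSO
    USERNAME    REG_SZ    jdoe
    USERPROFILE    REG_SZ    C:\\Users\\jdoe

HKEY_USERS\\S-1-5-21-4444444444-5555555555-6666666666-1105\\Volatile Environment\\2
    SESSIONNAME    REG_SZ    RDP-Tcp#3

End of search: 3 match(es) found.
"""

# Key header: HKEY_USERS\<SID>\Volatile Environment, optionally followed by a subkey.
KEY_RE = re.compile(r"^HKEY_USERS\\(S-(?:\d+-)+\d+)\\Volatile Environment(?:\\.*)?$")
# Value line: indented "<name>  <REG_type>  <data>".
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_volatile_environment(reg_output: str) -> Dict[str, Dict[str, str]]:
    """Map each SID found under HKEY_USERS to the values of its Volatile Environment key."""
    result: Dict[str, Dict[str, str]] = {}
    current_sid: Optional[str] = None
    for line in reg_output.splitlines():
        key_match = KEY_RE.match(line.strip())
        if key_match:
            current_sid = key_match.group(1)
            result.setdefault(current_sid, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_sid is not None:
            name, _reg_type, data = value_match.groups()
            # Subkeys (e.g. "\2") share the SID; keep the first value seen for a name.
            result[current_sid].setdefault(name.upper(), data.strip())
    return result


def sid_for_logged_on_user(reg_output: str, domain_user: str) -> Optional[str]:
    """Return the SID whose USERDOMAIN\\USERNAME equals the wmic computersystem
    'domain\\username' result (compared case-insensitively), or None if absent."""
    wanted = domain_user.strip().lower()
    for sid, values in parse_volatile_environment(reg_output).items():
        domain, user = values.get("USERDOMAIN"), values.get("USERNAME")
        if domain and user and f"{domain}\\{user}".lower() == wanted:
            return sid
    return None
```

Because a local account's USERDOMAIN is the computer name, the same lookup covers the easy case as well.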
There are a lot of tips in this article Getting the Username from the HKEY_USERS values at StackOverflow there – JosefZ – 2014-11-25T00:03:19.340
Thanks. I reviewed that question but unfortunately it does not address my question of how to figure out which branch from HKU has been loaded into HKCU. – I say Reinstate Monica – 2014-11-25T02:28:35.020