Tuesday, October 21, 2008

Registry and the dreaded HKCU

Good to be back in the swing of things.  Last month I spent some time at DisneyWorld and had a blast.  When I came back, another hot issue on the table for this script master to solve.

I can't tell you how many times I've need to add/delete/modify a key in the HKEY Current Users hive on remote machines.  WMI does provide a registry object that you can use and it does include an HKCU hive...  However, as some of you may know, when you access that HKCU hive, it's not the actual HKCU but rather the HKCU for the account you are using to run the script.  Not very useful.

 

There are several ways to get in the actual HKCU but my personal method is a three step process.  We already know that there is another hive, HKEY Users, that contains all the users on that machine. And we have no problem getting into that hive remotely.  But, that hive uses SID values to identify each unique user.  My process is to identify the current user, get the SID for that user, then drill into the HKU\SID hive. 

 

Step One: Get the current user of a machine.

For this I use a function (as I usually do):

 

Function GetCurrentUser2(sstrComputer)
 
    On Error Resume Next
    Dim sstrKeyPath,sstrCU,sstrCUD,sstrCurrentUser,sstrCurrentUserDomain
    
    sHKEY_LOCAL_MACHINE = &H80000002
    
    Set sobjRegistry = GetObject("winmgmts:\\" & sstrComputer & "\root\default:StdRegProv")
    
    sstrKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon"
    sstrCU = "DefaultUserName"
    sstrCUD = "DefaultDomainName"
    
    sobjRegistry.GetStringValue sHKEY_LOCAL_MACHINE, sstrKeyPath, sstrCU, sstrCurrentUser
    sobjRegistry.GetStringValue sHKEY_LOCAL_MACHINE, sstrKeyPath, sstrCUD, sstrCurrentUserDomain
    
    
    
    GetCurrentUser2 = sstrCurrentUserDomain & "\" & sstrCurrentUser
 
 
End Function

 

Simply pass the computer name and it returns the user as "domain\logon".  This works fairly well unless you have some sort of security policy that is removing that value from the remote registry. You'll notice that my function is called GetCurrentUsers2.  The original function I used looked up the explorer.exe and found the owner of that process.  That worked, but not 100%.

Now that we have the current user stored as a "domain\logon" variable, we can then query the domain to get the associated SID for that user.  Again, another function.

 

Function GetSIDFromUser(UserName)
'Input: UserName as domain\logon
'Output: SID
 
  Dim DomainName, Result, WMIUser
 
  If InStr(UserName, "\") > 0 Then
    DomainName = Mid(UserName, 1, InStr(UserName, "\") - 1)
    UserName = Mid(UserName, InStr(UserName, "\") + 1)
  Else
    DomainName = CreateObject("WScript.Network").UserDomain
  End If
 
  On Error Resume Next
  Set WMIUser = GetObject("winmgmts:{impersonationlevel=impersonate}!" _
    & "/root/cimv2:Win32_UserAccount.Domain='" & DomainName & "'" _
    & ",Name='" & UserName & "'")
  If Err = 0 Then Result = WMIUser.SID Else Result = ""
  On Error GoTo 0
 
  GetSIDFromUser = Result
End Function

 

This function will query the domain for the user and return the unique SID for the user.  Now you can put two and two together and access HKEY_Users\SID to get the HKCU hive on a machine.

 

I have some functions for accessing the registry remotely.  Each of them rely on these two functions for support when accessing HKCU.  I will posting up new articles with those functions soon.  In the meantime, if you have any questions on these functions or suggestions for new ones, please let me know by clicking the email icon below.

-Corey

4 comments:

Anonymous said...

very interesting i faced the same problem long time ago. and the only solution i came with is accessing the registry through calling win32 API from my vbscript. and i have done this by using this software vbs2exe

Muz said...

hey useful info - I wanted to figure this out for a script I had to quickly write up in a couple of hours and your code was very useful and works like a charm...many thanks.

Anonymous said...

Are you sure that HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\DefaultUserName is the currently logged on user. It appears to be the last logged on user not the current user.

Corey Thomas said...

To the issue above, it depends. Some companies have a GPO setting that prevents Windows from storing the user info in this location.

I do have another solution for you. You can check the running processes for explorer.exe and see what user is running it. If it's System, no user is logged on. Anything else, then a user is on the machine.

There may also be a WMI class but I haven't looked in a long time. If I run across one, I'll post it here.