26 March 2012

Accessing HKCU and HKCR from Remote Registry

When you open Registry Editor and connect to a remote system, the only hives you will see are HKEY_LOCAL_MACHINE and HKEY_USERS. The other two hives, HKEY_CLASSES_ROOT and HKEY_CURRENT_USER, are there too, but they sit underneath the two visible hives. So for all practical purposes, I am only going to explain here how to access the ones that are not openly evident.

HKEY_CLASSES_ROOT: this hive is located under HKEY_LOCAL_MACHINE\SOFTWARE\Classes.

HKEY_CURRENT_USER: this hive is trickier to find because you have to work out which SID belongs to which user. This can be done by going to HKEY_USERS and going through each SID in turn. Ignore the SIDs that have only 4 sets of numbers (e.g. S-1-5-18); these are system accounts. The best way I have found to work out who the user is, is to go to HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run. Under this key will be a list of applications that are set to run when the system is booted up. Look at the data field: there will usually be a few apps whose path starts with "c:\users\<username>", which gives away which user that SID belongs to.

Another way is to remotely run a WMI query to find out who the current user is and what the SID for that user is.
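As an added example (not code from the original post), here is the SID-to-user mapping described above as a PowerShell script: it enumerates HKEY_USERS on the remote machine, applies the short-SID and Run-key heuristics, and then cross-checks against the logged-on user reported by WMI. It assumes the Remote Registry service is reachable with administrative rights, and the host name is a placeholder.

```powershell
# Added example, not from the original post. Maps SIDs under a remote HKEY_USERS
# to user names with the Run-key heuristic, then cross-checks with WMI.
# Assumes: Remote Registry service running on the target and admin rights there.
param([string]$Computer = 'REMOTE-HOST')   # placeholder host name, replace as needed

# Open the remote HKEY_USERS hive (read-only use; nothing is written).
$hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::Users, $Computer)

$results = foreach ($sid in $hku.GetSubKeyNames()) {
    # Skip the *_Classes aliases and short well-known SIDs such as S-1-5-18 (system accounts).
    if ($sid -like '*_Classes') { continue }
    if (($sid -split '-').Count -le 4) { continue }

    $runKey = $hku.OpenSubKey("$sid\Software\Microsoft\Windows\CurrentVersion\Run")
    $guess = $null
    if ($runKey) {
        foreach ($name in $runKey.GetValueNames()) {
            $data = [string]$runKey.GetValue($name)
            # A value such as "C:\Users\alice\AppData\..." gives away the profile owner.
            if ($data -match '(?i)[a-z]:\\users\\([^\\"]+)') { $guess = $Matches[1]; break }
        }
        $runKey.Close()
    }
    [pscustomobject]@{ SID = $sid; UserFromRunKey = $guess }
}
$hku.Close()

# Cross-check: ask WMI on the remote host who is logged on and resolve that account's SID.
$cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $Computer
$currentSid = $null
if ($cs.UserName) {
    $domain, $user = $cs.UserName -split '\\', 2
    $acct = Get-WmiObject -Class Win32_UserAccount -ComputerName $Computer `
        -Filter "Name='$user' AND Domain='$domain'"
    $currentSid = $acct.SID
}

$results |
    Select-Object SID, UserFromRunKey, @{ n = 'IsLoggedOnUser'; e = { $_.SID -eq $currentSid } } |
    Format-Table -AutoSize
```

The Run-key guess is only a heuristic: a profile with no per-user Run entries, or entries that do not reference a path under C:\Users, will show an empty UserFromRunKey, which is why the WMI cross-check is kept.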



  1. Just got me out of a scrape, many thanks for this.
    Weirdly, I was finding that I was unable to access HKLM going through regedit remotely, but reg query \\hostname\hklm let me in no problems. Not sure why as yet.

  2. PSTools has a nice util called PsGetsid. Super easy to find a user SID for remote management.

  3. Another way of finding the user corresponding to the SID in the HKEY_CURRENT_USER hive:

    - On the remote Computer navigate to: HKLM\Software\Microsoft\Windows NT\Current Version\ProfileList\

    - Navigate through the long SIDs and look for ProfileImagePath! :)

    Greetings Shan

  4. Thanks Mick... good onya mate.

  5. If you right click on the SID and select permissions this should show the user that it is configured to.