26 March 2012

Accessing HKCU and HKCR from Remote Registry

When you open Registry Editor and connect to a remote system, the only hives you will see are HKEY_LOCAL_MACHINE and HKEY_USERS. The other two, HKEY_CLASSES_ROOT and HKEY_CURRENT_USER, are still there, but only as views onto keys that live under the two visible hives. So for all practical purposes I am only going to explain here how to reach the ones that are not openly evident.

HKEY_CLASSES_ROOT
This hive is a merged view rather than a hive of its own. The machine-wide part is HKEY_LOCAL_MACHINE\SOFTWARE\Classes, which is where to look remotely. The per-user part (what shows up under HKEY_CURRENT_USER\Software\Classes locally) lives in HKEY_USERS\<SID>_Classes and takes precedence over the machine-wide entries when the two conflict, so check both if you are chasing a file association or COM registration.

HKEY_CURRENT_USER
This hive is trickier to find because you have to work out which SID belongs to the user. HKEY_CURRENT_USER is simply a view of HKEY_USERS\<SID> for the loaded profile, so the job is to go to HKEY_USERS and work through each SID. Ignore the SIDs with only four components (e.g. S-1-5-18, S-1-5-19, S-1-5-20): these are the LocalSystem, LocalService and NetworkService accounts. Also skip .DEFAULT and the keys ending in _Classes, which are not user profiles. The easiest way I found to tell who owns a SID is to open HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run. Under this key is the list of applications set to start when that user logs on. Look at the data field; there will usually be a few entries whose command line contains "c:\users\<username>", which gives away who the user of that SID is. Two caveats: HKEY_USERS only contains hives that are currently loaded, so a user who is not logged on (and whose profile has not been loaded by a service) will not appear at all; and the Run key is only a heuristic, since it may be empty or point at paths under Program Files rather than a profile directory.

Another way is to run a WMI query against the remote machine to find out who the logged-on user is and the SID for that account (Win32_ComputerSystem.UserName gives the interactive user as DOMAIN\user; Win32_UserAccount carries the SID).
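Putting the two approaches together, here is an added PowerShell example (not code from the original post) that does the SID-to-user correlation described above against a remote machine. It assumes the Remote Registry service is running on the target, that WMI/WinRM is reachable for the second function, and that the caller is an administrator there; `hostname` is a placeholder. The first function walks HKEY_USERS, skips the service-account SIDs, .DEFAULT and _Classes keys, resolves each remaining SID both through the target's ProfileList key and through an LSA name lookup, and dumps that user's Run key. The second function takes the WMI route from the last paragraph.

```powershell
# Added example, not from the original post. Resolve the per-user hives loaded on a
# remote machine and dump each user's Run key. Assumes the Remote Registry service is
# running on the target and that the caller is an administrator there.
function Get-RemoteUserHives {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Four-component well-known SIDs: LocalSystem, LocalService, NetworkService.
    $serviceSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'

    $hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        foreach ($sid in $hku.GetSubKeyNames()) {
            # .DEFAULT is not a user; <SID>_Classes is the per-user half of HKCR, not a profile.
            if ($sid -eq '.DEFAULT' -or $sid -like '*_Classes' -or $serviceSids -contains $sid) {
                continue
            }

            # Resolution 1: the target's ProfileList maps SID -> profile directory. Works for
            # local and domain accounts alike and needs no name lookup from our side.
            $profileKey  = $hklm.OpenSubKey(
                "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid")
            $profilePath = if ($profileKey) { $profileKey.GetValue('ProfileImagePath') } else { $null }

            # Resolution 2: LSA lookup from the calling machine. Resolves domain SIDs; a SID that
            # is local to the remote box cannot be translated here, so treat failure as "unknown".
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                               [System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $null
            }

            # The Run key lives inside the user's hive, so it is only visible while that hive is
            # loaded (user logged on, or profile loaded by a service). Absence is normal.
            $runEntries = @{}
            $runKey = $hku.OpenSubKey("$sid\Software\Microsoft\Windows\CurrentVersion\Run")
            if ($runKey) {
                foreach ($name in $runKey.GetValueNames()) {
                    $runEntries[$name] = $runKey.GetValue($name)
                }
                $runKey.Close()
            }

            [pscustomobject]@{
                SID         = $sid
                Account     = $account
                ProfilePath = $profilePath
                RunEntries  = $runEntries
            }
        }
    } finally {
        $hku.Close()
        $hklm.Close()
    }
}

# WMI route: who is logged on at the console, and what is their SID. Uses CIM over WinRM;
# swap in Get-WmiObject if only DCOM is open to the target.
function Get-RemoteLoggedOnUser {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Win32_ComputerSystem.UserName is the interactive user as DOMAIN\user, or empty if
    # nobody is logged on at the console.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName
    if (-not $cs.UserName) { return $null }
    $domain, $user = $cs.UserName -split '\\', 2

    # Win32_UserAccount carries the SID. Filter on both fields so the query does not
    # enumerate every account in the domain.
    $acct = Get-CimInstance -ClassName Win32_UserAccount -ComputerName $ComputerName `
                -Filter "Name='$user' AND Domain='$domain'"

    [pscustomobject]@{ UserName = $cs.UserName; SID = $acct.SID }
}

# Usage ("hostname" is a placeholder for the remote machine):
# Get-RemoteUserHives    -ComputerName hostname | Format-List
# Get-RemoteLoggedOnUser -ComputerName hostname
```

The ProfileList lookup is the more reliable of the two resolutions when the target has local accounts, since a SID issued by the remote machine's own SAM cannot be translated by the calling machine's LSA. Note that a user whose hive is not loaded still appears in ProfileList but will have no Run key to read.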

8 comments:

  1. Just got me out of a scrape, many thanks for this.
    Weirdly, I was finding that I was unable to access HKLM going through regedit remotely, but reg query \\hostname\hklm let me in no problems. Not sure why as yet.

  2. PSTools has a nice util called PsGetsid. Super easy to find a user SID for remote management.

  3. Another way of finding the user corresponding to the SID in the HKEY_CURRENT_USER hive:

    - On the remote computer navigate to: HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\

    - Navigate through the long SIDs and look for ProfileImagePath! :)

    Greetings Shan

  4. Thanks Mick... good onya mate.

  5. If you right-click on the SID and select Permissions, this should show the user it is configured for.

  6. How can I capture a specific registry hive under HKCU with SCCM 2012 with extended HW inventory? Any idea?
