How to access HKCU registry of currently logged on user(s), from a service?

4

5

From within a Windows service I want to check some user preferences that are stored within each user's HKCU registry area. How can I do this?

I see that HKEY_USERS has subkeys of each user that has logged in to the machine (or something like that?), and within these are the HKCU areas for each user. However, these subkeys are the SIDs of the users, so somehow I'd need to work out the SID of the currently logged in user(s).

I would then query HKEY_USERS\<the users SID>\whichever\key\i\need in place of querying HKEY_CURRENT_USER\whichever\key\i\need.

From this question I can get a list of the current users on the machine in DOMAIN\USER format. Is there a way to get the SID of a user from their Windows login? Or is there a more direct way to get the registry path that is HKCU for the currently logged in user(s)?

Kettering answered 2/3, 2010 at 17:46 Comment(2)
I'm not sure what your service is trying to accomplish and don't have a username -> SID solution but what do you plan to do if more than one user is currently logged on? - Occidental
I'm just collecting their user preferences, so I'll loop through the users and get each one's preferences. - Kettering
2

In HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList you will find the SIDs of the existing profiles. The ProfileImagePath will give the path of the profile.

Most of the time this path is the username. But it could be another path if a similar path already existed when the profile was created.

The short SIDs like S-1-5-18 (=> Local System) are default local accounts (https://support.microsoft.com/en-us/kb/243330).

Shanelleshaner answered 21/4, 2015 at 7:51 Comment(0)
1

In order to do this you will need to do one of the following:

  1. Impersonate the user's credentials and access HKCU from that impersonation context
  2. Read the registry file directly off of disk (this has threading and data integrity implications).

I'm not 100% sure that #1 will work but I believe it will.

For either solution though you will need either the user's credentials or access token in your process. This is not easily available because it's a security issue.

Farrison answered 2/3, 2010 at 17:54 Comment(1)
No, I believe I can just query the registry in the normal way, but using the key HKEY_USERS\<the users SID>\... instead of HKCU\.... My service is running as Local System so should have all the permissions it needs. So I think the only problem is determining the currently logged on user(s)' SID. - Kettering
1

You can connect to their remote registry, then search the entire HKU key for their username (i.e. jsmith). Various entries reference their user profile; these will pop up, then you can just look under which SID those entries are located. Bit of a roundabout way of doing it, but seems to work.

Frugivorous answered 17/3, 2010 at 17:52 Comment(0)
0

Using PowerShell you can match them up:

Get-ItemProperty -path  "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*" | select ProfileImagePath, PSChildName

You can even search by username (eg john):

Get-ItemProperty -path  "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*" | ? {$_.ProfileImagePath -match "john"}  | select ProfileImagePath, PSChildName

Bonus: reverse SID lookup using PowerShell (will return DOMAIN\USERNAME)

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-21-2139915555-1840087203-3974481593-26737")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value
Macroscopic answered 6/6, 2018 at 4:30 Comment(0)
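
The approach discussed in the question and comments (a Local System service reading HKEY_USERS\<SID>\... for each loaded user hive), written out as an added example that is not code from any of the answers above. The preference subkey and value name are hypothetical placeholders, and the function names are invented for illustration.

```powershell
# Added example: run as Local System (e.g. from a service).
$PrefSubKey = 'Software\ExampleVendor\ExampleApp'   # hypothetical key path
$PrefValue  = 'Theme'                               # hypothetical value name

function Get-LoadedUserHive {
    # Subkeys of HKEY_USERS are the hives currently loaded. That covers each
    # logged-on user, but a hive can also be loaded for a service or scheduled
    # task running as that account, so "loaded" is not strictly "interactive".
    # Keep only user SIDs (S-1-5-21-... local/domain, S-1-12-1-... Azure AD);
    # this skips .DEFAULT, S-1-5-18/19/20 and the <SID>_Classes hives.
    $hku = [Microsoft.Win32.Registry]::Users
    foreach ($name in $hku.GetSubKeyNames()) {
        if ($name -notmatch '^S-1-(5-21|12-1)-[\d-]+$') { continue }
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($name)
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $null   # SID could not be mapped (deleted account, DC unreachable)
        }
        [pscustomobject]@{ Sid = $name; Account = $account }
    }
}

function Get-UserPreference {
    param([string]$Sid, [string]$SubKey, [string]$ValueName)
    # Open read-only; returns $null when the key or the value does not exist.
    $key = [Microsoft.Win32.Registry]::Users.OpenSubKey("$Sid\$SubKey", $false)
    if ($null -eq $key) { return $null }
    try     { return $key.GetValue($ValueName, $null) }
    finally { $key.Close() }
}

# One row per loaded user hive: account name, SID and the preference value.
Get-LoadedUserHive | ForEach-Object {
    [pscustomobject]@{
        Account = $_.Account
        Sid     = $_.Sid
        Value   = Get-UserPreference -Sid $_.Sid -SubKey $PrefSubKey -ValueName $PrefValue
    }
}
```

Users whose profile exists in ProfileList but who are not logged on have no subkey under HKEY_USERS, so they do not appear in this output.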
