Getting the Username from the HKEY_USERS values

windows vbscript registry wmi
200,020

Solution 1

If you look at either of the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

You can find a list of the SIDs there with various values, including where their "home paths" which includes their usernames.

I'm not sure how dependable this is and I wouldn't recommend messing about with this unless you're really sure what you're doing.

Solution 2

It is possible to query this information from WMI. The following command will output a table with a row for every user along with the SID for each user.

wmic useraccount get name,sid

You can also export this information to CSV:

wmic useraccount get name,sid /format:csv > output.csv

I have used this on Vista and 7. For more information see WMIC - Take Command-line Control over WMI.

Solution 3

  1. Open Reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\

  2. make a loop to get all subkeys

  3. the subkeys you are interested with are those started with [S-1-5-21-] which means user (see key name [ProfileImagePath] they are always started with a path c:\Users)

  4. Those starting with [S-1-5-21-12] are all local users

  5. Those starting with [S-1-5-21-13] are all network users [if joined to Domained network] that are previously logged on the machine.

Solution 4

By searching for my userid in the registry, I found 

HKEY_CURRENT_USER\Volatile Environment\Username

Solution 5

You can use the command PSGetSid from Microsoft's SysInternals team.

Download URL: http://technet.microsoft.com/en-gb/sysinternals/bb897417.aspx

Usage: 

psgetsid [\\computer[,computer[,...] | @file] [-u username [-p password]]] [account|SID]
-u  Specifies optional user name for login to remote computer.
-p  Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
Account PsGetSid will report the SID for the specified user account rather than the computer.
SID PsGetSid will report the account for the specified SID.
Computer    Direct PsGetSid to perform the command on the remote computer or computers specified. If you omit the computer name PsGetSid runs the command on the local system, and if you specify a wildcard (\\*), PsGetSid runs the command on all computers in the current domain.
@file   PsGetSid will execute the command on each of the computers listed in the file.

Example:

psgetsid S-1-5-21-583907252-682003330-839522115-63941

NB:

  • Where the user is a domain/AD(LDAP) user, running this on any computer on the domain should give the same results.
  • Where the user is local to the machine the command should either be run on that machine, or you should specify the computer via the optional parameter.

Update

If you use PowerShell, the following may be useful for resolving any AD users listed:

#create a drive for HKEY USERS:
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue

#List all immediate subfolders
#where they're a folder (not a key)
#and they's an SID (i.e. exclude .DEFAULT and SID_Classes entries)
#return the SID
#and return the related AD entry (should one exist).
Get-ChildItem -Path 'HKU:\' `
| ?{($_.PSIsContainer -eq $true) `
-and ($_.PSChildName -match '^S-[\d-]+$')} `
| select @{N='SID';E={$_.PSChildName}} `
, @{N='Name';E={Get-ADUser $_.PSChildName | select -expand Name}}

You could also refine the SID filter further to only pull back those SIDs which will resolve to an AD account if you wished; more on the SID structure here: https://technet.microsoft.com/en-us/library/cc962011.aspx

Share:
200,020

Related videos on Youtube

modz0r
Author by

modz0r

Nothing much.

Updated on July 09, 2022

Comments

  • modz0r
    modz0r almost 2 years

    Is there a way to connect between the values under HKEY_USERS to the actual username?
    I saw some similar questions, but most (if not all) talks about C# code, and my need is in VBScript.

  • user66001
    user66001 over 11 years
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist seems to only be the currently logged in user on every system (Xp - 7) I have looked at... And I would not consider HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SSID>\ProfileImagePath a reliable way of determining username (See support.microsoft.com/kb/2454362).
  • user66001
    user66001 over 11 years
    ""%systemroot%\system32\config\systemprofile"... as its not a directory path..." is incorrect. Try c&p this into the run dialog.
  • user66001
    user66001 over 11 years
    3 contains an error, and not wise advise. [ProfileImagePath] doesn't HAVE to start with a path c:\Users... Look at google.com/…; Also, as elsewhere commented on this thread, and mentioned by @spade if the user / administrator has changed the users username post account creation and login, the profile directory name will no longer match the username (support.microsoft.com)/kb/2454362)
  • summea
    summea almost 11 years
    You may want to use code markup "tags" to format this code example :)
  • user3383301
    user3383301 almost 10 years
    Unfortunately, the SIDs I get don't match up with values under HKEY_USERS on Windows 7 x64.
  • amonroejj
    amonroejj over 7 years
    It's possible for a legit SID to be seemingly absent because that particular user's hive is not loaded right at that moment. Runas /profile /user:desireduser somearbitrarycommand will load it.
  • Paul
    Paul about 5 years
    That is CURRENT_USER, not USER
  • f4d0
    f4d0 almost 5 years
    HKEY_USERS only has the actual logged in users and the default users like "NT AUTHORITY\SYSTEM"
  • Rob Traynere
    Rob Traynere over 4 years
    I know this isn't the exact answer that the OP asked, but this is EXACTLY what I was looking for.
  • ssimm
    ssimm over 4 years
    I don't know if this is accessible from VBScript but this is the best answer if you just want to get the list "manually"
  • Hicsy
    Hicsy about 4 years
    only non-domain users?
  • DGM
    DGM about 3 years
    reg query 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' Find the corresponding SID in the list you are interested in, then run the following replacing SID with the actual SID string. reg query 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\SID' ProfileImagePath contains the home directory with username

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

VBScript - get main monitor resolution
Where does Add/Remove programs pull data for the "Installed On" column?
Reading the Internet Explorer Protected Mode registry
How to terminate process using VBScript
Check if registry key exists using VBScript
Can I try to ping a website through a specific adapter?
String comparison in VBScript
Simple question about Registry CreateSubKey
Registering application in windows registry
Check if a key exists in the Windows Registry with VB.NET