Remotely identify currently loaded user Registry branch
Solution 1
The easy part of determining the details (SID included) of the currently logged-on user is finding the domain and username. That can be achieved from the command line by issuing the wmic query:
wmic /node:<remotepc> computersystem get username
where <remotepc> is the computer name or IP address of the computer to be processed. This command returns output in the form
<domain>\<username>
where <domain> is either the computer name or the AD domain. After we obtain that info, we can then proceed to determine the SID of that user.
If the user account is local to the computer, then its SID can again be read via wmic, by issuing the command:
wmic /node:<remotepc> useraccount where 'name = "<username>"' get name, sid
where <username> was determined in the previous step.
The alternative method is to use a remote registry query, like this:
reg query \\<remotepc>\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\1 /v LoggedOnUserSID
again, <remotepc> being the computer name or IP address of the computer of interest. That this is indeed the SID of the logged-on user can be verified by inspecting the value returned by the registry query:
reg query \\<remotepc>\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\1 /v LoggedOnUser
which should match the output of the first wmic query. And that's the easy case.
The (much) harder case is when the logged-on user is not a local account but an AD one. Then the SID of the domain user cannot be determined by the wmic useraccount query, so it cannot be matched against the output of the wmic computersystem username query.
The username and domain information is held in two system environment variables, %USERDOMAIN% and %USERNAME%, which are fortunately also mirrored under the following registry key:
HKEY_USERS\<SID>\Volatile Environment
That fact gives us the chance to determine the SID of the currently logged-on domain user, by issuing the registry query on the remote computer:
reg query "\\<remotepc>\HKEY_USERS" /s /c /k /e /f "Volatile Environment"
From the output of this command we are able to extract the SID of the currently logged-on user, which can be verified by matching the USERDOMAIN and USERNAME values contained under that key against the <domain>\<username> obtained from the first wmic computersystem query, and consequently the HKEY_USERS branch that is equivalent to the HKEY_CURRENT_USER registry hive alias.
This is the solution that works on various versions of Windows, including 7 and 10, and it uses only tools available from the command line interface. It must be noted though, that for the remote queries (both wmic and reg) to work, they must be run in an administrative account context present and equivalent on both the local and the remote computer.
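A PowerShell version of the procedure in Solution 1, added here as an example (it is not the answerer's own code): it reads the interactive DOMAIN\user from Win32_ComputerSystem, then walks HKEY_USERS on the target and returns the SID whose Volatile Environment key carries the same USERDOMAIN and USERNAME, i.e. the branch HKEY_CURRENT_USER resolves to for that user. The function name and its parameter are assumptions; pass '.' (the default) to run it on the target itself, for instance from a psexec command prompt, otherwise it needs the Remote Registry service and administrative rights on the target, exactly like the reg query above.

```powershell
function Find-LoggedOnUserHive {
    # Added example, not from the original answer; the function name and parameter are assumptions.
    param(
        [string]$ComputerName = '.'   # '.' = this machine (e.g. inside a psexec session on the target)
    )
    $local = ($ComputerName -eq '.' -or $ComputerName -ieq $env:COMPUTERNAME)

    # Step 1: DOMAIN\user of the interactive session, the same data 'wmic computersystem get username' returns
    $cs = if ($local) { Get-CimInstance -ClassName Win32_ComputerSystem }
          else        { Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName }
    if (-not $cs.UserName) { throw "No interactive user is logged on to $ComputerName" }
    $domain, $user = $cs.UserName -split '\\', 2

    # Step 2: open HKEY_USERS (locally, or through Remote Registry on the target) and inspect each loaded profile hive
    $hku = if ($local) { [Microsoft.Win32.Registry]::Users }
           else        { [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::Users, $ComputerName) }
    try {
        foreach ($sid in $hku.GetSubKeyNames()) {
            # Only real user profiles (S-1-5-21-...); skip well-known SIDs and the *_Classes companion hives
            if ($sid -notmatch '^S-1-5-21-' -or $sid -like '*_Classes') { continue }
            $ve = $hku.OpenSubKey("$sid\Volatile Environment")
            if (-not $ve) { continue }   # hive loaded without an interactive logon (service, scheduled task, ...)
            try {
                $d = [string]($ve.GetValue('USERDOMAIN'))
                $u = [string]($ve.GetValue('USERNAME'))
            } finally { $ve.Close() }
            # Step 3: USERDOMAIN\USERNAME under the key equals DOMAIN\user from step 1 -> this is HKCU's branch
            if ($d -eq $domain -and $u -eq $user) {
                [pscustomobject]@{
                    ComputerName = $ComputerName
                    User         = "$domain\$user"
                    SID          = $sid
                    HiveKey      = "HKEY_USERS\$sid"
                }
            }
        }
    } finally {
        if (-not $local) { $hku.Close() }
    }
}

# Usage: Find-LoggedOnUserHive -ComputerName PC01    (or plain Find-LoggedOnUserHive when run on the target)
```

Get-CimInstance -ComputerName talks to the target over WinRM rather than the DCOM channel wmic uses; on a machine where only DCOM is open, create the session with New-CimSession -ComputerName PC01 -SessionOption (New-CimSessionOption -Protocol Dcom) and pass it via -CimSession instead. The string comparison with -eq is case-insensitive, which is what you want for Windows account names.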
Solution 2
The problem I see is that there is not only one HKCU, but a HKCU for each of the users logged into the system, service accounts included.
Having access to psexec, if you also have handle.exe at hand (also from Sysinternals), you can try
handle .log1
to show the .log files associated to the open hive .dat files. Knowing the .dat, the keys under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
should point to the searched SID.
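The hivelist lookup that Solution 2 hints at, as an added PowerShell example (not the answerer's code): each value under the hivelist key is named after a loaded hive (\REGISTRY\USER\<SID> for a profile hive) and its data is the backing file as a kernel device path, so the key maps every loaded HKEY_USERS branch to the NTUSER.DAT it came from. The example goes slightly beyond the answer by also labelling the <SID>_Classes entries, which are the UsrClass.dat hives that back HKCU\Software\Classes. The function name and the optional SID filter are assumptions; run it on the target itself (e.g. from the psexec prompt), since hivelist describes only the machine it is read on.

```powershell
function Get-LoadedUserHive {
    # Added example, not from the original answer; function name and parameter are assumptions.
    param([string]$Sid)   # optional: restrict the output to one profile SID

    $hivelist = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    foreach ($prop in $hivelist.PSObject.Properties) {
        # Profile hives are named \REGISTRY\USER\S-1-5-21-...; the optional _Classes suffix marks UsrClass.dat
        if ($prop.Name -match '^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)(_Classes)?$') {
            $hiveSid = $Matches[1]
            if ($Sid -and $hiveSid -ne $Sid) { continue }
            $kind = if ($Matches[2]) { 'UsrClass.dat (HKCU\Software\Classes)' } else { 'NTUSER.DAT (HKCU)' }
            [pscustomobject]@{
                SID  = $hiveSid
                Hive = $kind
                Key  = 'HKEY_USERS\' + $prop.Name.Substring('\REGISTRY\USER\'.Length)
                File = $prop.Value   # e.g. \Device\HarddiskVolume2\Users\<name>\NTUSER.DAT
            }
        }
    }
}

# Usage: Get-LoadedUserHive                       # every loaded profile hive and its file
#        Get-LoadedUserHive -Sid S-1-5-21-...      # just the branch for one SID
```

The File column is the device path the kernel opened the hive from; the user name embedded in it (the profile folder) is what lets you cross-check the SID against the DOMAIN\user reported by wmic computersystem when the Volatile Environment values are not available. Entries without the S-1-5-21 prefix (SYSTEM, LocalService, NetworkService and the .DEFAULT hive) are deliberately skipped.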
I say Reinstate Monica
Updated on September 18, 2022
Comments
- I say Reinstate Monica over 1 year: I know that HKCU is a reference to the HKU\<SID> of the currently logged-on user. How can I determine which user profile has been referenced by the current instance of HKCU? Can I determine this from a remote command prompt? I need to modify a setting in the currently logged-on user's HKCU branch of the Registry on a remote Windows 7 Pro PC. Unfortunately I cannot connect using the Remote Registry functionality in regedit.exe. I do have access to a remote Command Prompt via PSEXEC.
- JosefZ over 9 years: There are a lot of tips in this article Getting the Username from the HKEY_USERS values at StackOverflow there
- I say Reinstate Monica over 9 years: Thanks. I reviewed that question but unfortunately it does not address my question of how to figure out which branch from HKU has been loaded into HKCU.
- I say Reinstate Monica over 9 years: I shall try this, but I'm most interested in a way to make the identification from examining the Registry alone.
- I say Reinstate Monica over 9 years: This looks intriguing! Can you provide a brief "plain English" overview of what exactly this script does to accomplish its purpose?