Remotely identify currently loaded user Registry branch


Solution 1

The easy part of determining the user's details (SID included) for the currently logged-on user is finding the domain and username. That can be achieved from the command line by issuing the wmic query:

wmic /node:<remotepc> computersystem get username

where <remotepc> is a computer name or IP address which is to be processed. This command returns output in the form

<domain>\<username>

where <domain> is either the computer name or the AD domain. After we obtain that info, we can then proceed to determine the SID of that user.

If the user account is local to the computer, then his SID can be read again via wmic, by issuing the command:

wmic /node:<remotepc> useraccount where 'name = "<username>"' get name, sid

where <username> is the one determined in the previous step.

The alternative method would be by using the remote registry query, like this:

reg query \\<remotepc>\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\1 /v LoggedOnUserSID

again, <remotepc> being the computer name or IP address of the computer of interest. That this is indeed the SID of the logged-on user can be verified by inspecting the return of the registry query:

reg query \\<remotepc>\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\1 /v LoggedOnUser

which should match the output of the first wmic query. And that's the easy case.

The (much) harder case is when the logged-on user is not a local account but an AD one. Then the SID of the domain user cannot be determined by the wmic useraccount query, so it cannot be matched against the output of the wmic computersystem username query.

The username and domain information is held in two system environment variables, %USERDOMAIN% and %USERNAME%, which are fortunately also mirrored under the following registry key:

HKEY_USERS\<SID>\Volatile Environment

That fact gives us the chance to determine the SID of the currently logged on domain user. By issuing the registry query on the remote computer:

reg query "\\<remotepc>\HKEY_USERS" /s /c /k /e /f "Volatile Environment"

From the output of this command we are able to extract the SID of the currently logged-on user, which can be verified by matching the USERDOMAIN and USERNAME values contained under that key against the <domain>\<username> obtained from the first wmic computersystem query, and consequently the HKEY_USERS branch that is equivalent to the HKEY_CURRENT_USER registry hive alias.

This is the solution that works on various versions of Windows, including 7 and 10, and uses only tools available from the command line interface. It must be noted, though, that for the remote queries (both wmic and reg) to work, they must be run in an administrative account context that is present and equivalent on both the local and the remote computer.
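The same procedure as Solution 1, carried out end to end in PowerShell. This is an added example and not code from the original answer: it takes the DOMAIN\user from Win32_ComputerSystem (what "wmic computersystem get username" reports), walks the loaded profiles under HKEY_USERS on the remote machine, matches the USERDOMAIN and USERNAME values in each Volatile Environment key, and cross-checks the result against LogonUI\SessionData without assuming the session number is 1. It assumes CIM/WMI and the Remote Registry service are reachable, that the caller is an administrator on the target, and that the host name passed in is a placeholder for a real name or IP.

```powershell
# Added example; not code from the original answer. Returns the HKEY_USERS\<SID>
# branch that backs HKCU for the interactively logged-on user on a remote PC.
# Assumptions: CIM/WMI and the Remote Registry service are reachable, the caller
# is an administrator on the target, and -ComputerName is a placeholder.
function Get-LoggedOnUserHive {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Step 1: DOMAIN\user of the console session, the same value that
    # "wmic /node:<remotepc> computersystem get username" prints.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName
    if (-not $cs.UserName) { throw "No interactive user is logged on to $ComputerName" }
    $domain, $user = $cs.UserName -split '\\', 2

    # Step 2: walk the loaded hives under HKEY_USERS on the remote box. Only loaded
    # profiles appear there, and only interactive logons carry a Volatile Environment
    # key, so service accounts and unloaded profiles drop out on their own.
    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    try {
        $sids = foreach ($sid in $hku.GetSubKeyNames()) {
            if ($sid -like '*_Classes') { continue }   # per-user HKCR overlay, not a profile
            $ve = $hku.OpenSubKey("$sid\Volatile Environment")
            if (-not $ve) { continue }
            try {
                # -eq on strings is case-insensitive, as Windows account names are
                if ($ve.GetValue('USERDOMAIN') -eq $domain -and
                    $ve.GetValue('USERNAME')   -eq $user) { $sid }
            } finally { $ve.Close() }
        }
    } finally { $hku.Close() }

    $sids = @($sids | Select-Object -Unique)
    if ($sids.Count -ne 1) {
        throw "Expected exactly one hive matching $($cs.UserName), found $($sids.Count)"
    }

    # Step 3 (cross-check): LogonUI\SessionData\<session> should carry the same SID.
    # Session numbers vary between machines and logons, so enumerate them.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $sd = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData')
        $logonUiSids = if ($sd) {
            try {
                foreach ($s in $sd.GetSubKeyNames()) {
                    $k = $sd.OpenSubKey($s)
                    try { $k.GetValue('LoggedOnUserSID') } finally { $k.Close() }
                }
            } finally { $sd.Close() }
        }
    } finally { $hklm.Close() }

    [pscustomobject]@{
        ComputerName       = $ComputerName
        UserName           = $cs.UserName
        SID                = $sids[0]
        HiveKey            = "HKEY_USERS\$($sids[0])"
        ConfirmedByLogonUI = ($logonUiSids -contains $sids[0])
    }
}

# Usage (placeholder host name):
# Get-LoggedOnUserHive -ComputerName 'REMOTEPC'
```

The returned HiveKey is the branch to edit in place of HKCU (for example with reg add \\REMOTEPC\HKEY_USERS\<SID>\... or via the same RegistryKey object). ConfirmedByLogonUI is false rather than an error when the SessionData key is missing or names a different SID, so a mismatch is visible but does not stop the lookup; if two users are logged on (RDP plus console), Win32_ComputerSystem reports the console user only, and the Volatile Environment match follows that choice.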

Solution 2

The problem I see is that there is not only one HKCU, but an HKCU for each of the users logged in to the system, service accounts included.

Having access to psexec, if you also have handle.exe at hand (also from Sysinternals), you can try

handle .log1

to show the log files associated with the open hive .dat files. Knowing the .dat, the keys under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

should point to the SID being searched for.
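The hivelist lookup from Solution 2, done over the remote registry alone (no psexec or handle.exe), as an added example that is not code from the original answer. It reads HKLM\SYSTEM\CurrentControlSet\Control\hivelist and maps every loaded per-user hive to the NTUSER.DAT file it was mounted from, so the profile folder in the path identifies the account behind each HKEY_USERS\<SID>. It assumes the Remote Registry service is reachable, that the caller is an administrator on the target, and that the host name passed in is a placeholder.

```powershell
# Added example; not code from the original answer. Lists the per-user hives the
# remote kernel currently has loaded, straight from the hivelist key.
# Assumptions: Remote Registry reachable, caller is an administrator on the
# target, and -ComputerName is a placeholder.
function Get-LoadedUserHive {
    param([Parameter(Mandatory)][string]$ComputerName)

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $hl = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\hivelist')
        if (-not $hl) { throw "hivelist key not found on $ComputerName" }
        try {
            foreach ($name in $hl.GetValueNames()) {
                # Value names are kernel paths such as \REGISTRY\USER\S-1-5-21-...
                # Keep only account SIDs; this skips .DEFAULT, the S-1-5-18/19/20
                # service profiles and the *_Classes entries (UsrClass.dat).
                if ($name -match '^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)$') {
                    [pscustomobject]@{
                        ComputerName = $ComputerName
                        SID          = $Matches[1]
                        HiveKey      = "HKEY_USERS\$($Matches[1])"
                        # e.g. \Device\HarddiskVolume3\Users\alice\ntuser.dat
                        HiveFile     = [string]$hl.GetValue($name)
                    }
                }
            }
        } finally { $hl.Close() }
    } finally { $hklm.Close() }
}

# Usage (placeholder host name):
# Get-LoadedUserHive -ComputerName 'REMOTEPC' | Format-Table -AutoSize
```

Two caveats when reading the output: hivelist shows every hive the kernel has loaded, including profiles mounted by a service running as that user, by a scheduled task, or by reg load, so a listed SID is not necessarily an interactive logon; and the folder name in the path is usually the account name but can differ (renamed accounts, or a user.DOMAIN suffix when a local and a domain account share a name), so confirm the owner against the Volatile Environment values or LogonUI\SessionData before editing that branch.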


Author: I say Reinstate Monica

Updated on September 18, 2022

Comments

  • I say Reinstate Monica
    I say Reinstate Monica over 1 year

    I know that HKCU is a reference to the HKU\<SID> of the currently logged-on user.

    How can I determine which user profile has been referenced by the current instance of HKCU? Can I determine this from a remote command prompt?

    I need to modify a setting in the currently logged-on user's HKCU branch of the Registry on a remote Windows 7 Pro PC. Unfortunately I cannot connect using the Remote Registry functionality in regedit.exe. I do have access to a remote Command Prompt via PSEXEC.

    • JosefZ
      JosefZ over 9 years
      There are a lot of tips in this article: Getting the Username from the HKEY_USERS values at StackOverflow.
    • I say Reinstate Monica
      I say Reinstate Monica over 9 years
      Thanks. I reviewed that question but unfortunately it does not address my question of how to figure out which branch from HKU has been loaded into HKCU.
  • I say Reinstate Monica
    I say Reinstate Monica over 9 years
    I shall try this, but I'm most interested in a way to make the identification from examining the Registry alone.
  • I say Reinstate Monica
    I say Reinstate Monica over 9 years
    This looks intriguing! Can you provide a brief "plain English" overview of what exactly this script does to accomplish its purpose?