How to get information from HKEY_CURRENT_USER registry HIVE remotely

  • Understanding the problem
  • The solution
  • The script
  • Conclusion

Having access to the registry of a remote computer is something every system administrator has to deal with at some point: the registry stores not only information but the actual configuration of the system and its installed applications.
Since I spend most of my time at work writing PowerShell automation for end-point configuration, the registry is the place to go when it comes to reading, or even changing, application settings.

  • Understanding the problem

So here's the scenario: you need to grab a specific piece of information from the registry of a remote computer. All you seem to need is a PowerShell remoting session to that computer and a Get-ItemProperty call against the key. I'll be using the Cisco IP Communicator softphone for this demo, so to read the value named 'HostName' that this application stores I would do it like this:
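The command itself is not reproduced on this page. What follows is an added illustration, not the post's own command, of what such a remoting session actually returns. The computer name and the key path are placeholders (the page gives neither), and the block also reports which account the session's HKCU: belongs to, which is the check that exposes the problem discussed next.

```powershell
# Added illustration, not the post's command. Placeholders: computer name and key path.
$computer = 'PC01'
$key      = 'HKCU:\Software\Cisco Systems, Inc.\Communicator'   # assumed location of the setting

Invoke-Command -ComputerName $computer -ScriptBlock {
    param($key)
    [pscustomobject]@{
        # The identity the remote session runs as: HKCU: is THIS account's hive
        SessionUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        # The account logged on at the console, whose settings we actually want
        ConsoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
        # Read from the session user's hive; $null if that user never ran the app on this machine
        HostName    = (Get-ItemProperty -Path $key -Name HostName -ErrorAction SilentlyContinue).HostName
    }
} -ArgumentList $key
```

Whenever SessionUser and ConsoleUser differ, HostName is coming from the wrong hive, or is empty because that hive has never seen the application.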

At this point you might think "wow, that was easy", but then you realize that you are actually reading the registry of your own user account on that remote computer. Most likely the call returns nothing at all, because the key only exists once the application has been run at least once on that machine under your account; and even if you did that, you still would not see the real values, and you could not change anything for the user who is actually logged on to the system.

This happens because this piece of information lives in the user scope of the registry (HKCU), not the system scope (HKLM). Every user has their own configuration for that software, and a PowerShell remoting session runs as the account you connected with, so HKCU inside the session is that account's hive, not the hive of the user sitting at the console. HKLM, on the other hand, is the same for everybody, which is why the system-wide configuration of the remote computer is readable without any trick.

  • The solution

If you open the Registry Editor on your computer you'll see five root keys. One of them is HKEY_USERS, which holds the hives of all users loaded on that system (a user's hive is loaded at logon and unloaded afterwards, alongside .DEFAULT and the built-in service accounts). PowerShell only creates the HKLM: and HKCU: drives by default, so there is no ready-made drive for HKEY_USERS on a remote machine (inside a remoting session the provider path Registry::HKEY_USERS\<SID>\... does work, but the module below does the job without opening a session at all). This is exactly the kind of gap the PSGallery, the official repository for PowerShell modules, fills.

There we find the PSRemoteRegistry module, which extends remote registry access so we can reach HKEY_USERS. It talks to the Remote Registry service on the target, so that service must be running there and you need administrative rights on the target computer. Let's install it first.

Install-Module PSRemoteRegistry
Import-Module PSRemoteRegistry

The next barrier is that under HKEY_USERS each user's subkey is named by SID (Security Identifier), not by user name, so you can't tell at a glance which subkey belongs to the user logged on to the remote computer. Resolving the logged-on user's name to its SID is exactly what the script below does for us!

* It's good practice to keep a section in your PowerShell profile that imports the modules you have installed, so they are loaded automatically in every PowerShell session you start.

  • The script
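The post's script is not reproduced on this page. The following is an added reconstruction of the workflow the Conclusion describes (logged-on user, then SID, then HKEY_USERS path read with Get-RegString from PSRemoteRegistry, then a custom output object); it is not the author's original code. The computer name, the key path and the value name are placeholders, and the Get-RegString parameter names follow the module's own help, so check Get-Help Get-RegString if your module version differs.

```powershell
# Added reconstruction of the workflow the post describes; not the author's script.
# Placeholders: computer name, key path below HKEY_USERS\<SID>\ and the value name.
Import-Module PSRemoteRegistry

function Get-LoggedOnUserRegString {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [Parameter(Mandatory)] [string]$Key,    # e.g. 'Software\Vendor\App' (no hive, no SID)
        [Parameter(Mandatory)] [string]$Value   # name of the REG_SZ value to read
    )

    # 1. Who is logged on at the console? Win32_ComputerSystem.UserName is 'DOMAIN\user' for the
    #    interactive session and empty when nobody is logged on. Get-CimInstance uses WinRM here.
    $userName = (Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName).UserName
    if (-not $userName) { throw "No interactive user is logged on to $ComputerName." }

    # 2. Translate 'DOMAIN\user' to its SID with the .NET NTAccount class. Domain accounts resolve
    #    from any domain member; a local account of the remote machine would not resolve from here.
    $account = New-Object System.Security.Principal.NTAccount($userName)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # 3. Read HKEY_USERS\<SID>\<Key> through the Remote Registry service. The user's hive is only
    #    loaded while that user is logged on, which is exactly the case we just checked for.
    $reg = Get-RegString -ComputerName $ComputerName -Hive Users -Key "$sid\$Key" -Value $Value
    if (-not $reg) { throw "Value '$Value' not found under HKEY_USERS\$sid\$Key on $ComputerName." }

    # 4. Custom output object for the console
    [pscustomobject]@{
        ComputerName = $ComputerName
        User         = $userName
        SID          = $sid
        Key          = "HKEY_USERS\$sid\$Key"
        Value        = $Value
        Data         = $reg.Data
    }
}

# Usage with placeholder names (the real key path of the application is not given on this page):
Get-LoggedOnUserRegString -ComputerName 'PC01' -Key 'Software\Cisco Systems, Inc.\Communicator' -Value 'HostName'
```

The function throws instead of silently returning nothing in the two cases that actually go wrong in practice: no one is logged on (so no hive is loaded under HKEY_USERS), and the value does not exist under that user's hive. If you need to read several values, keep the SID from the output and reuse it rather than resolving it on every call.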

  • Conclusion

To get at the user-scope registry of the logged-on user we installed a PowerShell module available from the PSGallery; after that, one last barrier remained, which was finding the right user SID. To solve it we built a script that grabs the user currently logged on to the remote system, converts that name to its SID, builds the path of the registry value we want with that SID and reads it through the Get-RegString function from the PSRemoteRegistry module, and finally produces a customized output object to display the data in the PowerShell console.

Notice that completing this task used several PowerShell techniques: a custom hashtable (line 33 of the script), creating an object from a .NET class (line 23), getting the user currently logged on to the remote system (line 15), splitting a string and selecting parts of it (lines 17-21), and so on. If you have any doubts about these techniques please let me know, and I highly encourage you to research them on your own to get more familiar with them!

I hope this article was useful to you. You can still change the script for your own purposes, or reuse the techniques presented here in other situations 🙂
