Hey guys,
It has come up a few times that modifying HKCU in a worklet doesn't behave as expected. This is because the process is running under the SYSTEM account, so only the keys under the SYSTEM SID (S-1-5-18) will be modified if you point to HKCU:\.
The pair of scripts below evaluates, and then sets, the desired value for every local user account on that device:
Evaluation
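#Define desired registry settings ($regPath is relative to the root of the user's hive)
$regPath = "Key Path Here"
$regName = "Property/Value Name Here"
$desiredValue = "I'm a String"
#NOTE: $desiredValue must have the same type as the value the Remediation writes; a Binary value
#is a byte[] (e.g. [byte[]](1,0,0,0)), and comparing it against a string is never compliant.
#Get local user accounts (Name + SID) via WMI
$users = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = 'True'"
#Add HKEY_USERS to a PSDrive for easy access later
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$nonCompliant = @()
#Loop through the list of users to check each for compliance
foreach ($user in $users) {
    #Retrieve SID and name for each user
    $sid = $user.SID
    $name = $user.Name
    #Assumes the profile folder is named after the account; accounts whose profile lives elsewhere
    #(renamed accounts, folders with a suffix) are skipped rather than evaluated against the wrong hive.
    $hiveFile = "C:\Users\$name\ntuser.dat"
    #Skipping accounts without an ntuser.dat keeps built-ins such as Administrator out of the loop
    if (-not (Test-Path $hiveFile)) { continue }
    #A logged-on user's hive is already mounted under HKU\<SID>. Only load hives that are not mounted,
    #and remember which ones we loaded, so we never unload a live profile.
    $loadedByUs = $false
    if (-not (Test-Path "HKU:\$sid")) {
        & reg load "HKU\$sid" $hiveFile | Out-Null
        $loadedByUs = ($LASTEXITCODE -eq 0)
        if (-not $loadedByUs) {
            Write-Warning "Could not load hive for '$name' ($sid); skipping"
            continue
        }
    }
    try {
        #A missing key or value yields $null, which compares as non-compliant below
        $properties = Get-ItemProperty -Path "HKU:\$sid\$regPath" -ErrorAction SilentlyContinue
        $value = $null
        if ($null -ne $properties) { $value = $properties.$regName }
        #Join both sides so scalar (String/DWord) and array (Binary/MultiString) values compare the same way
        $actual = [string]::Join(',', @($value))
        $expected = [string]::Join(',', @($desiredValue))
        #If this value doesn't match the desired value, add the user name to the nonCompliant list
        if ($actual -ne $expected) {
            $nonCompliant += $name
        }
    }
    finally {
        #Always unload what we loaded: a hive left mounted keeps ntuser.dat locked, and the user
        #gets a temporary profile at their next logon. Collect first so no handle into the key is still open.
        if ($loadedByUs) {
            [gc]::Collect()
            & reg unload "HKU\$sid" | Out-Null
        }
    }
}
#Clean-up the PSDrive
Remove-PSDrive -Name HKU
#If any users are non-compliant, "Exit 1" to flag remediation. Else "Exit 0" for Compliant
if ($nonCompliant.Count -gt 0) {
    Exit 1
} else {
    Exit 0
}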
Remediation
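#Define desired registry settings ($regPath is relative to the root of the user's hive)
$regPath = "Key Path Here"
$regName = "Property/Value Name Here"
$desiredValue = "I'm a String"
$propertyType = 'Binary'
#NOTE: $desiredValue must be convertible to $propertyType (a Binary value needs a byte[],
#e.g. [byte[]](1,0,0,0)); keep it identical to the value the Evaluation compares against.
#Get local user accounts (Name + SID) via WMI
$users = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = 'True'"
#Add HKEY_USERS to a PSDrive for easy access later
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
foreach ($user in $users) {
    #Retrieve SID and name for each user
    $sid = $user.SID
    $name = $user.Name
    #Assumes the profile folder is named after the account; accounts whose profile lives elsewhere
    #are skipped rather than written into the wrong hive.
    $hiveFile = "C:\Users\$name\ntuser.dat"
    #Skipping accounts without an ntuser.dat keeps built-ins such as Administrator out of the loop
    if (-not (Test-Path $hiveFile)) { continue }
    #A logged-on user's hive is already mounted under HKU\<SID>. Only load hives that are not mounted,
    #and remember which ones we loaded, so we never unload a live profile.
    $loadedByUs = $false
    if (-not (Test-Path "HKU:\$sid")) {
        & reg load "HKU\$sid" $hiveFile | Out-Null
        $loadedByUs = ($LASTEXITCODE -eq 0)
        if (-not $loadedByUs) {
            Write-Warning "Could not load hive for '$name' ($sid); skipping"
            continue
        }
    }
    try {
        #Create the key (no-op if it already exists)
        New-Item -Path "HKU:\$sid\$regPath" -Force | Out-Null
        #Create or overwrite the value. -Force is required: without it New-ItemProperty fails whenever
        #the value already exists with a different content, which is exactly the case remediation is for.
        New-ItemProperty -Path "HKU:\$sid\$regPath" -Name $regName -PropertyType $propertyType -Value $desiredValue -Force | Out-Null
    }
    finally {
        #Always unload what we loaded: a hive left mounted keeps ntuser.dat locked, and the user
        #gets a temporary profile at their next logon. Collect first so no handle into the key is still open.
        if ($loadedByUs) {
            [gc]::Collect()
            & reg unload "HKU\$sid" | Out-Null
        }
    }
}
#Clean-up the PSDrive
Remove-PSDrive -Name HKU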