Skip to main content

Modify registry key/value under HKEY_USERS (HKCU Workaround)

  • December 8, 2020
  • 2 replies
  • 1837 views
Rich-Automox

Hey guys,


It has come up a few times that modifying HKCU in a worklet doesn’t behave as expected. This is because the process is running under the SYSTEM account. So only the keys under the SYSTEM SID (S-1-5-18 ) will be modified if you point to HKCU:\.


This evaluates and sets the desired value for every local user account tied to that device:


Evaluation


#Define desired registry settings

$regPath = "Key Path Here"

$regName = "Property/Value Name Here"

$desiredValue = "I'm a String"



#Get User details including SID from Get-LocalUser

$users = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = 'True'"





#Add HKEY_USERS to a PSDrive for easy access later

New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null



$nonCompliant = @()



#Loop through the list of users to check each for compliance

foreach ($user in $users) {

    #Retrieve SIDs for each user

    $sid = $user.SID

    $name = $user.Name

    #Load Registries for users, if ntuser.dat exists

    #this prevents us from attempting to load Administrator and similar accounts

    if (Test-Path "C:\Users\$name\ntuser.dat") {

        #Load user's ntuser.dat into the registry

        & reg load "HKU\$sid" "C:\Users\$name\ntuser.dat" | Out-Null

        $properties = Get-ItemProperty -Path "HKU:\$sid\$regpath"

        $value = $($properties.$regName)

        

        #If this value doesn't match the desired value, add the user name to nonCompliant list

        if ($value -ne $desiredValue) {

            $nonCompliant += $name

        }

    }

}



#Clean-up the PSDrive

Remove-PSDrive -Name HKU



#If any users are non-compliant, "Exit 1" to flag remediation. Else "Exit 0" for Compliant

if ($nonCompliant.Count -gt 0) {

    Exit 1

} else { Exit 0}

Remediation


#Define desired registry settings

$regPath = "Key Path Here"

$regName = "Property/Value Name Here"

$desiredValue = "I'm a String"

$propertyType = 'Binary'



#Get User details including SID from Get-LocalUser

$users = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = 'True'"



#Add HKEY_USERS to a PSDrive for easy access later

New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS



foreach ($user in $users) {

    #Retrieve SIDs for each user

    $sid = $user.SID

    $name = $user.Name

    #Load Registries for users, if ntuser.dat exists

    #this prevents us from attempting to load Administrator and similar accounts

    if (Test-Path "C:\Users\$name\ntuser.dat") {

        #Load user's ntuser.dat into the registry

        & reg load "HKU\$sid" "C:\Users\$name\ntuser.dat"

        #Create Key

        New-Item -Path "HKU:\$sid\$regPath" -ItemType Directory -Force

        #Create Value

        New-ItemProperty -Path "HKU:\$sid\$regPath" -Name $regName -PropertyType $propertyType -Value $desiredValue

    }

}



Remove-PSDrive -Name HKU

    2 replies

    J
    Forum|alt.badge.img
    • jesumyip
    • Power User
    • 52 replies
    • December 10, 2020

    Try this.

     

    Also, here’s another example that doesn’t use GMI to enumerate users.

     

    Nic-Automox
    1 person likes this
    • Nic-Automox
      Nic-Automox
    M
    • Maxus
    • 0 replies
    • October 29, 2021

    I just tried to use this code to edit a registry key and I Got the following error.


    ERROR: A required privilege is not held by the client.

    Get-ItemProperty : Cannot find path ‘HKU:\S-1-5-21-2015044887-3745614883-1194307576-1001\HKLM:\ystem\CurrentControlSet\Control\Terminal Server’ because it does not exist.

    At line:10 char:23




    •     $properties = Get-ItemProperty -Path "HKU:\$sid\$regpath"





    •                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


      • CategoryInfo : ObjectNotFound: (HKU:\S-1-5-21-2…Terminal Server:String) [Get-ItemProperty], ItemNotFoundException

      • FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand




    The goal is to Disable RDP


    $regPath = “HKLM:\System\CurrentControlSet\Control\Terminal Server”

    $regName = “fDenyTSConnections”

    $desiredValue = “1”

    Reply


    Terms & ConditionsCookie settings

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings