PsExec - registry current user |
axewater
Newbie
Joined: 19 September 2005 Location: Netherlands Online Status: Offline Posts: 6 |
Topic: PsExec - registry current user
Posted: 13 January 2006 at 6:37am |
|
wow .. I didn't check this thread anymore for some time, but it's got some whole new ideas in there now !!! great everyone thanks for your help, I will post what I did eventually after some testing and scripting.
***************************************
when enumerating the user SID, I get a string that is a bit longer than the one in the registry : this is what is returned : S-1-5-21-510595209-1753942385-315576832-26444 but in the registry I only see :
So this doesn't match up.
As for the method with REG LOAD and REG UNLOAD ... you can't load the NTUSER.DAT when the user is logged in ... the file is locked. So that didn't work out either.
I'm calling it a day and I'll try again on monday !!
Edited by axewater |
|
tim7ad
Newbie
Joined: 08 November 2005 Location: United States Online Status: Offline Posts: 13 |
Posted: 09 November 2005 at 1:13pm |
|
The best way to accomplish this is use reg load & unload. I’ve done this before several times, but don’t have time right now to go dig up the code.
Essentially you’ll need to write a script or batch file that you execute remotely using psexec. The script will find the user’s ntuser.dat files that you need to modify. The script can use the REG load function. REG LOAD will load a user’s hive (ntuser.dat) into a key you specify. You can do this through the GUI to see what I’m talking about.
1. Open regedit.
2. Select the HKEY_Users key.
3. Select File, Load Hive
4. Browse to another profile on your system and find its ntuser.dat file, click Open
5. Give it a key name. (Any name will do. This is just an arbitrary key name that will be created to temporarily load the hive into.)
6. At this point you can see the user’s registry (what would be in HKCU when the user logs on) and make any changes you wish.
*****NOTE**** There is no save option. When you unload the Hive it is saved. SO BE CAREFUL WHAT YOU CHANGE. :)
A script would do essentially the same thing
- Get a list of the ntuser.dat files with their paths by enumerating the “documents and settings” folder (assuming W2k or later and profiles are local).
- Use a For loop to go through each one of them
- Use REG LOAD to load the hive into a key
- Use REG EDIT to make your change
- Use REG UNLOAD to unload the key
- Move Next
Works like a charm. The only dependency is having the REG command. In some cases I copy that to the machine with the script. If I have a chance to pull the actual code I’ll do so. Gotta run right now.
I hope this is helpful, Tim |
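The load/edit/unload loop described in this post, combined with the locked-file case reported in the 13 January 2006 post, as an added example that is not part of any post in the thread. It goes slightly beyond the post by reading profile paths from the ProfileList registry key instead of enumerating "documents and settings"; the subkey path and temporary mount name are hypothetical, and the script is assumed to run elevated on the target machine (for example as the script PsExec launches there).

```powershell
# Added example, not code from the thread.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$subKey    = 'Software\ExampleVendor\ExampleApp'  # hypothetical key under HKCU
$valueName = 'test'                               # sample name/data, as in the thread
$valueData = 'test'
$tempMount = 'HKU\TempHive_Edit'                  # arbitrary temporary key name

foreach ($entry in Get-ChildItem -Path $profileList) {
    $sid = $entry.PSChildName
    # Only user accounts; skips service profiles and leftover ".bak" entries.
    if ($sid -notmatch '^S-1-5-21-[\d-]+$') { continue }

    $profileDir = (Get-ItemProperty -Path $entry.PSPath).ProfileImagePath
    $hiveFile   = Join-Path $profileDir 'NTUSER.DAT'

    if (Test-Path -Path "Registry::HKEY_USERS\$sid") {
        # User is logged on: NTUSER.DAT is locked, but the hive is already
        # mounted under HKEY_USERS\<SID>, so write there directly.
        & reg.exe add "HKU\$sid\$subKey" /v $valueName /t REG_SZ /d $valueData /f | Out-Null
        Write-Output "$sid : live hive, reg add exit code $LASTEXITCODE"
        continue
    }

    if (-not (Test-Path -LiteralPath $hiveFile)) {
        Write-Output "$sid : no NTUSER.DAT at $hiveFile, skipped"
        continue
    }

    # User is logged off: mount the hive file, edit it, then unload.
    # There is no separate save step; the unload writes the change.
    & reg.exe load $tempMount $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Output "$sid : reg load failed ($LASTEXITCODE), skipped"
        continue
    }
    try {
        & reg.exe add "$tempMount\$subKey" /v $valueName /t REG_SZ /d $valueData /f | Out-Null
        Write-Output "$sid : offline hive, reg add exit code $LASTEXITCODE"
    }
    finally {
        # reg.exe keeps no handle open after it exits, so the unload is not
        # blocked by this script; always unload, even if the edit failed.
        & reg.exe unload $tempMount | Out-Null
    }
}
```

Back up NTUSER.DAT (or export the target key) before a real run, since an unloaded hive cannot be rolled back.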
|
Jherad
Newbie
Joined: 09 November 2005 Online Status: Offline Posts: 2 |
Posted: 09 November 2005 at 10:07am |
|
If you're using batch, something like...
...
rem Find the user logged on locally at the remote machine, then look up that user's SID
for /f "tokens=3" %%i in ('psloggedon -l \\remotecomputer ^|findstr /C:":"') do set myuser=%%i
for /f "tokens=*" %%i in ('psgetsid \\remotecomputer %myuser% ^|findstr /C:"-"') do set mysid=%%i
rem Build a .reg file that targets HKEY_USERS\<SID> instead of HKCU
echo REGEDIT4 >myregfile.reg
echo.>>myregfile.reg
echo [HKEY_USERS\%mysid%\test]>>myregfile.reg
echo "test"="test">>myregfile.reg
echo.>>myregfile.reg
rem Copy the file to the remote machine and import it silently there
copy myregfile.reg \\remotecomputer\c$
psexec \\remotecomputer regedit -s c:\myregfile.reg
...
Or something like that. I haven't tried it, but it looks right(ish). Test first
|
Jherad
Newbie
Joined: 09 November 2005 Online Status: Offline Posts: 2 |
Posted: 09 November 2005 at 9:51am |
|
If you are pretty handy at scripting, you could use psloggedon to return the current logged on user, then psgetsid to convert the userid to a SID... THEN pipe the results to a reg file to copy to the machine for psexec...
|
Madmekanic
Newbie
Joined: 07 November 2005 Location: United States Online Status: Offline Posts: 1 |
Posted: 07 November 2005 at 8:20pm |
|
Well, I'd tell you what I did, but the results weren't what I had intended. Good thing I backed up before I made the attempt. Best of luck
|
Mad say You. Whom might you be to Judge
|
jwray239
Newbie
Joined: 07 November 2005 Online Status: Offline Posts: 5 |
Posted: 07 November 2005 at 5:22pm |
|
Just as a follow-up and FYI You can't access the HKCU remotely.
Edited by jwray239 |
|
gyokuran
Newbie
Joined: 04 November 2005 Location: United Kingdom Online Status: Offline Posts: 30 |
Posted: 07 November 2005 at 4:08am |
|
You could search the Active Directory for the user and retrieve his SID. The user's property in the AD is "objectSID". |
|
axewater
Newbie
Joined: 19 September 2005 Location: Netherlands Online Status: Offline Posts: 6 |
Posted: 07 November 2005 at 3:10am |
|
Ah yes ... that would do the job ... If I use your method, there is still a logout / log back in involved ... nevertheless, I will use it since it seems the only option. |
|
scatter
Newbie
Joined: 06 November 2005 Online Status: Offline Posts: 1 |
Posted: 06 November 2005 at 4:41am |
|
Well, I had the same problem and solved it by running a batch file from [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] which imported the registry file with keys pointing to 'current user', for every user that logged into the computer. After a couple of weeks I removed the entry from 'Run'. Not a very nice solution, but it worked.
|
axewater
Newbie
Joined: 19 September 2005 Location: Netherlands Online Status: Offline Posts: 6 |
Posted: 03 November 2005 at 9:08am |
|
please ... I'm still looking for an answer to this one ... anyone ? |
|