How to modify the registry of another user

Black and White PDQ logo
Kris Powell|Updated May 12, 2021
Generic blog header
Generic blog header
Sections
    No Data

    Have you ever wondered how to modify the registry of another user? The HKEY_CURRENT_USER registry hive is specific to each user, so in order to modify this for another user, we first need to identify where that information is stored.

    In the later versions of Windows, it’s stored in the user directory in the file called NTUSER.DAT. This file is loaded every time a user logs on:

    C:\Users\<username>\ntuser.dat

    Now that we’ve identified the file that we’d like to modify, let’s dive in and modify the registry!

    There are many ways that we can modify the registry (Active Setup and Active Directory Group Policy Preferences come to mind), but since I am rather fond of PowerShell, I’d like to keep it as PowerShell-friendly as possible.

    Whatever your reasons, here’s a solution that will hopefully work for you. I’m going to split this blog post into two parts. The first part will cover the basics. The second part will cover the fancier stuff.

    Disclaimer: Use this information with a healthy dose of caution. It is never wise to modify the registry without a good reason, and even some good reasons aren’t always great justification. In other words, be responsible and test your scripts before using on production systems. We cannot be held responsible for any issues that you may encounter.

    Modify the Registry of Another User

    Before we can modify the HKEY_CURRENT_USER (HKCU) key of another user, we need to understand it a little bit better. The HKCU key is actually a pointer for the HKEY_USERS (HKU) key specific to a logged-in user and their security identifier (SID).

    You can see that in the Registry Editor:

    Registry Editor

    The HKU\<SID> and HKCU keys are loaded when a user logs into a machine. The associated keys are unloaded when that user logs out of a machine. In my example above, the two displayed keys represent the user’s registry for my username.

    In order to modify the registry keys for a different user, we need to load their registry first. In the later versions of windows, it’s stored in the user directory as the file NTUSER.DAT.

    C:\Users\<username>\ntuser.dat

    Loading/Unloading ntuser.dat

    In order to load and unload a user’s ntuser.dat file, we’re going to use reg.exe (link for info). This built-in program allows us to access the registry directly from Powershell (or a command line).

    Usage of reg.exe to load and unload ntuser.dat files is pretty straightforward:

    Loading ntuser.dat

    Syntax

    reg load <Key> <File & Path Of Ntuser.dat>

    Example

    reg load HKU\Fancy C:\Users\Vincent\ntuser.dat
    Administrator: Windows P{owerShell

    Unloading ntuser.dat

    Syntax

    reg unload <Key>

    Example

    reg unload HKU\Fancy
    Administrator: Windows PowerShell

    The Key has to include a valid root key, but the subkey can be anything you’d like. In my examples, I used the HKU (HKEY_USERS) root key and then loaded/unloaded Vincent’s ntuser.dat to the subkey Fancy.

    Putting it all together

    Now that we know how to load and unload the registry of a different user, we can use this in a PowerShell script to add/remove any keys for any user.

    Let’s say we want to create the following key for Vincent: HKCU\Software\FancyKey (see New-Item)

    # Load ntuser.dat reg load HKU\Vincent C:\users\vincent\NTUSER.DAT # Create a new key, close the handle, and trigger garbage collection $result = New-Item -Path 'Registry::HKEY_USERS\Vincent\Software\FancyStuff' $result.Handle.Close() [gc]::Collect() #Unload ntuser.dat reg unload HKU\Vincent

    Sometimes the user profile handle doesn’t close as quickly as you’d expect. Because of this, the section about garbage collection is necessary in order to close the handle that was created when creating a new key in the loaded ntuser.dat. See this StackOverflow post for more details.

    Since there’s so much information to cover, the next blog post will cover modifying registry keys for all users on a machine so that we will be able to make changes universally across all users.

    Black and White PDQ logo
    Kris Powell

    Kris was an employee at PDQ.

    Related articles