Have you ever wondered how to modify the registry of another user? The HKEY_CURRENT_USER registry hive is specific to each user, so in order to modify this for another user, we first need to identify where that information is stored.
In the later versions of windows, it’s stored in the user directory in the file called NTUSER.DAT. This file is loaded every time a user logs on:
Now that we’ve identified the file that we’d like to modify, let’s dive in and modify the registry!
There are many ways that we can modify the registry (Active Setup and Active Directory Group Policy Preferences come to mind), but since I am rather fond of PowerShell, I’d like to keep it as PowerShell-friendly as possible.
Whatever your reasons, here’s a solution that will hopefully work for you. I’m going to split this blog post into two parts. The first part will cover the basics. The second part will cover the fancier stuff.
Disclaimer: Use this information with a healthy dose of caution. It is never wise to modify the registry without a good reason, and even some good reasons aren’t always great justification. In other words, be responsible and test your scripts before using on production systems. We cannot be held responsible for any issues that you may encounter.
Before we can modify the HKEY_CURRENT_USER (HKCU) key of another user, we need to understand it a little bit better. The HKCU key is actually a pointer for the HKEY_USERS (HKU) key specific to a logged-in user and their security identifier (SID).
You can see that in the Registry Editor:
The HKU\<SID> and HKCU keys are loaded when a user logs into a machine. The associated keys are unloaded when that user logs out of a machine. In my example above, the two displayed keys represent the user’s registry for my username.
In order to modify the registry keys for a different user, we need to load their registry first. In the later versions of windows, it’s stored in the user directory as the file NTUSER.DAT.
Usage of reg.exe to load and unload ntuser.dat files is pretty straightforward:
reg load <Key> <File & Path Of Ntuser.dat>
reg load HKU\Fancy C:\Users\Vincent\ntuser.dat
reg unload <Key>
reg unload HKU\Fancy
The Key has to include a valid root key, but the subkey can be anything you’d like. In my examples, I used the HKU (HKEY_USERS) root key and then loaded/unloaded Vincent’s ntuser.dat to the subkey Fancy.
Now that we know how to load and unload the registry of a different user, we can use this in a PowerShell script to add/remove any keys for any user.
Let’s say we want to create the following key for Vincent: HKCU\Software\FancyKey (see New-Item)
# Load ntuser.dat reg load HKU\Vincent C:\users\vincent\NTUSER.DAT # Create a new key, close the handle, and trigger garbage collection $result = New-Item -Path 'Registry::HKEY_USERS\Vincent\Software\FancyStuff' $result.Handle.Close() [gc]::Collect() #Unload ntuser.dat reg unload HKU\Vincent
Sometimes the user profile handle doesn’t close as quickly as you’d expect. Because of this, the section about garbage collection is necessary in order to close the handle that was created when creating a new key in the loaded ntuser.dat. See this StackOverflow post for more details.
Since there’s so much information to cover, the next blog post will cover modifying registry keys for all users on a machine so that we will be able to make changes universally across all users.
Did you know that PDQ Deploy has a PowerShell step you can use to deploy your scripts?