How to use OpenRemoteBaseKey to read the HKU registry values for currently-logged-on user

Posted on 2007-08-10
Last Modified: 2013-11-05
I know how to use RegEdit to access reg values of remote workstations on my network. But it's time-consuming and I want to write a script or .net app which will do this for me.
When I connect remotely using regedit, I see three values under HKU:

Since I want to see what the currently-logged-on user's registry looks like, the middle key above ('S-1-5-21-838102356-342305600-1392588124-198975') is the one which I want to check.

I cloned/wrote a small .net program which checks the values in HKU\Control Panel\Desktop and reports on the values (e.g. the value of 'ScreenSaveTimeOut').

However, when I run it under my own permissions, it is bringing back the values from the '.DEFAULT' node rather than the currently-logged-on user. My question is: is there a way to query the middle key above?

Here is my code which does the above verification:
Imports System.Net.NetworkInformation
Imports System.Text
Imports System.Management
Imports Microsoft.VisualBasic
Imports System
Imports System.IO
Imports System.Security.Permissions
Imports Microsoft.Win32

<Assembly: RegistryPermissionAttribute( _
    SecurityAction.RequestMinimum, _
    Read:="HKEY_CURRENT_USER\Control Panel")>
<Assembly: SecurityPermissionAttribute( _
    SecurityAction.RequestMinimum, UnmanagedCode:=True)>

Public Class Form1


    Public Sub subControlPanelDesktop(ByVal strHost As String)
        Dim ControlPanelKey As RegistryKey = Nothing
        Dim strValue As String
        Try
            ' Open HKEY_CURRENT_USER\Control Panel\Desktop on the remote host.
            ControlPanelKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.CurrentUser, strHost).OpenSubKey("Control Panel").OpenSubKey("Desktop")
            For Each valueName As String In ControlPanelKey.GetValueNames()
                strValue = ControlPanelKey.GetValue(valueName).ToString()
                If valueName = "ScreenSaveTimeOut" Then
                    TextBox2.Text &= ">#> " & strHost & " ScreenSaveTimeOut = " & strValue
                    If strValue = "900" Then
                        TextBox2.Text &= vbCrLf
                        TextBox2.Text &= " >>>EXCEPTION<<<" & vbCrLf
                    End If
                End If
                If valueName = "ScreenSaveActive" Then
                    TextBox2.Text &= ">#> " & strHost & " ScreenSaveActive=" & strValue
                    If strValue = "1" Then
                        TextBox2.Text &= vbCrLf
                        TextBox2.Text &= " >>>EXCEPTION<<<" & vbCrLf
                    End If
                End If
                If valueName = "SCRNSAVE.EXE" Then
                    TextBox2.Text &= ">#> " & strHost & " SCRNSAVE.EXE=" & strValue & vbCrLf
                End If
            Next
        Catch ex As IOException
            MessageBox.Show("problems:" & ex.GetType().Name & " " & ex.Message)
        Finally
            ' Close the registry key.
            If ControlPanelKey IsNot Nothing Then ControlPanelKey.Close()
        End Try
    End Sub
End Class
Question by:bobgato111

    Accepted Solution

    This is kinda complicated...

    First of all, the HKEY_CURRENT_USER is just a synonym for that "middle key"... but that only works on your PC. The concept of HKEY_CURRENT_USER doesn't really work when dealing with a remote PC. Instead, you'd have to use HKEY_USERS and then find the list of keys below it. That works... but only for the currently logged in users on the remote PC.

    Which brings us to the next problem... what if there is nobody logged in? Or, what if you've got multiple users on a PC? The solution to those problems requires that you programmatically mount and unmount the user's registry hives.

    I've got a few VB.Net examples that you might find useful.   The registry routines are a part of a larger program called SOSOS and is available at the following URL:

    Yeah, I know... that's a lot to download just to find a few lines of code, but you might find it interesting
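
The approach described in the answer above (open HKEY_USERS on the remote PC and walk the keys below it), as an added example that is not part of the original post or of SOSOS. The names RemoteHkuAudit, IsUserSid and ReadScreenSaverSettings and the host name WORKSTATION01 are assumptions made for illustration; every key is opened read-only and no hive is mounted.

```vbnet
Imports System
Imports System.Collections.Generic
Imports Microsoft.Win32

Module RemoteHkuAudit
    ' True for a loaded user-profile hive: an account SID (S-1-5-21-...)
    ' that is not the companion "<SID>_Classes" hive.
    Function IsUserSid(ByVal name As String) As Boolean
        Return name.StartsWith("S-1-5-21-", StringComparison.OrdinalIgnoreCase) _
            AndAlso Not name.EndsWith("_Classes", StringComparison.OrdinalIgnoreCase)
    End Function

    ' Reads the screen saver values for every user hive currently loaded
    ' under HKEY_USERS on the remote host (hypothetical helper).
    Function ReadScreenSaverSettings(ByVal host As String) _
            As Dictionary(Of String, Dictionary(Of String, String))
        Dim wanted() As String = {"ScreenSaveActive", "ScreenSaveTimeOut", "SCRNSAVE.EXE"}
        Dim result As New Dictionary(Of String, Dictionary(Of String, String))
        Using hku As RegistryKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.Users, host)
            For Each sid As String In hku.GetSubKeyNames()
                If Not IsUserSid(sid) Then Continue For
                ' writable = False: the subkey is opened for reading only.
                Using desktop As RegistryKey = hku.OpenSubKey(sid & "\Control Panel\Desktop", False)
                    If desktop Is Nothing Then Continue For
                    Dim values As New Dictionary(Of String, String)
                    For Each valueName As String In wanted
                        Dim v As Object = desktop.GetValue(valueName)
                        values(valueName) = If(v Is Nothing, "(not set)", v.ToString())
                    Next
                    result(sid) = values
                End Using
            Next
        End Using
        Return result
    End Function

    Sub Main(ByVal args() As String)
        ' "WORKSTATION01" is a placeholder host name, not a value from the page.
        Dim host As String = If(args.Length > 0, args(0), "WORKSTATION01")
        For Each user In ReadScreenSaverSettings(host)
            Console.WriteLine(user.Key)
            For Each item In user.Value
                Console.WriteLine("  {0} = {1}", item.Key, item.Value)
            Next
        Next
    End Sub
End Module
```

The Remote Registry service has to be running on the target, and only users who are logged on at that moment have a hive under HKEY_USERS, so an empty result means nobody was logged on.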

    Author Comment

    Thank you Graye for the very detailed example. There is just one follow up question. Although I have admin rights across my network, I want to be sure that I'm not making unintended updates to the registry on the remote workstations.

    For this reason, I don't even mount the hives for the users in the ProfileList (rather I just query any HKU hives that are currently there e.g. any currently-logged-in user).  However when I run my query-tool (borrowing the OpenRemoteBaseKey code from you) on my workstation, and then run ProcessMonitor on the other one of the workstations I'm checking, I can see a lot of log entries (from ProcessMonitor) that suggest an update is happening (or was at least requested):
    19047      5:15:32.2955776 PM      wmiprvse.exe      1588      RegCreateKey      HKLM\Software      SUCCESS      Desired Access: Maximum Allowed
    Because the log entries (like the one above) mention wmi and/or wbem, and because the behavior is consistent in between tests, I'm thinking it's coming from the wmi calls in my program.  


    Expert Comment

    I've never watched the mounting of a remote registry hive with ProcessMonitor...   So, I can't say what's normal, and what's not.

    As you have probably figured out by my SOSOS example, I routinely get the ScreenSaverTimeout value from all users of a remote PC. This technique has never been a problem in the years that this feature has been running.

