bobgato111
asked on
How to use OpenRemoteBaseKey to read the HKU registry values for currently-logged-on user
I know how to use RegEdit to access reg values of remote workstations on my network. But it's time consuming and I want to write a script or .net app which will do this for me.
When I connect remotely using regedit, I see three values under HKU:
.DEFAULT
S-1-5-21-838102356-342305600-1392588124-198975
S-1-5-21-838102356-342305600-1392588124-198975_Classes
Since I want to see what the currently-logged-on user's registry looks like, then the middle key above ('S-1-5-21-838102356-342305600-1392588124-198975') is the one which I want to check.
I cloned/wrote a small .net program which checks the values in HKU\Control Panel\Desktop and reports on the values (e.g. the value of 'ScreenSaveTimeOut').
However, when I run it under my own permissions, it is bringing back the values from the '.DEFAULT' node rather than the currently-logged-on user. My question is: is there a way to query the middle key above?
Here is my code which does the above verification:
Imports System.Net.NetworkInformation
Imports System.Text
Imports System.Management
Imports Microsoft.VisualBasic
Imports System
Imports System.IO
Imports System.Security.Permissions
Imports Microsoft.Win32
<Assembly: RegistryPermissionAttribute( _
    SecurityAction.RequestMinimum, _
    Read:="HKEY_CURRENT_USER\Control Panel")>
<Assembly: SecurityPermissionAttribute( _
    SecurityAction.RequestMinimum, UnmanagedCode:=True)>
Public Class Form1
.
.
.
    Public Sub subControlPanelDesktop(ByVal strHost As String)
        Dim ControlPanelKey As RegistryKey
        Dim strValue As String
        Try
            ControlPanelKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.CurrentUser, strHost).OpenSubKey("Control Panel").OpenSubKey("Desktop")
            For Each valueName As String In ControlPanelKey.GetValueNames()
                strValue = ControlPanelKey.GetValue(valueName).ToString()
                If valueName = "ScreenSaveTimeOut" Then
                    TextBox2.Text &= ">#> " & strHost & " ScreenSaveTimeOut = " & strValue
                    If strValue = "900" Then
                        TextBox2.Text &= vbCrLf
                    Else
                        TextBox2.Text &= " >>>EXCEPTION<<<" & vbCrLf
                    End If
                End If
                If valueName = "ScreenSaveActive" Then
                    TextBox2.Text &= ">#> " & strHost & " ScreenSaveActive=" & strValue
                    If strValue = "1" Then
                        TextBox2.Text &= vbCrLf
                    Else
                        TextBox2.Text &= " >>>EXCEPTION<<<" & vbCrLf
                    End If
                End If
                If valueName = "SCRNSAVE.EXE" Then
                    TextBox2.Text &= ">#> " & strHost & " SCRNSAVE.EXE=" & strValue & vbCrLf
                End If
            Next
        Catch ex As IOException
            MessageBox.Show("problems: " & ex.GetType().Name & " " & ex.Message)
            Return
        End Try
        ' Close the registry key.
        ControlPanelKey.Close()
    End Sub
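One way to read the per-user values the question asks about, as an added example that is not code from this thread: open the remote HKEY_USERS hive (RegistryHive.Users) and walk the SID subkeys that are loaded there, skipping .DEFAULT and the *_Classes keys. The module and function names and the WORKSTATION01 host name are placeholders.

```vb
Imports System
Imports System.Collections.Generic
Imports Microsoft.Win32

Module HkuScreenSaverAudit
    ' The three values the question's code reports on.
    Private ReadOnly ValueNames As String() = {"ScreenSaveActive", "ScreenSaveTimeOut", "SCRNSAVE.EXE"}

    ' True for account hives (S-1-5-21-...); false for .DEFAULT, service SIDs and *_Classes.
    Function IsUserHive(ByVal name As String) As Boolean
        Return name.StartsWith("S-1-5-21-", StringComparison.OrdinalIgnoreCase) AndAlso
               Not name.EndsWith("_Classes", StringComparison.OrdinalIgnoreCase)
    End Function

    ' Returns one report line per value for every user hive currently loaded on strHost.
    Function ReadDesktopPolicy(ByVal strHost As String) As List(Of String)
        Dim report As New List(Of String)
        Using hku As RegistryKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.Users, strHost)
            For Each sid As String In hku.GetSubKeyNames()
                If Not IsUserHive(sid) Then Continue For
                Using desktop As RegistryKey = hku.OpenSubKey(sid & "\Control Panel\Desktop")
                    If desktop Is Nothing Then
                        ' OpenSubKey returns Nothing when the key does not exist.
                        report.Add(strHost & " " & sid & " Control Panel\Desktop not present")
                        Continue For
                    End If
                    For Each valueName As String In ValueNames
                        Dim value As Object = desktop.GetValue(valueName)
                        Dim text As String = If(value Is Nothing, "(not set)", value.ToString())
                        report.Add(strHost & " " & sid & " " & valueName & "=" & text)
                    Next
                End Using
            Next
        End Using
        Return report
    End Function

    Sub Main(ByVal args As String())
        ' WORKSTATION01 is a placeholder host name.
        Dim host As String = If(args.Length > 0, args(0), "WORKSTATION01")
        Try
            For Each line As String In ReadDesktopPolicy(host)
                Console.WriteLine(line)
            Next
        Catch ex As Exception When TypeOf ex Is System.IO.IOException OrElse
                                   TypeOf ex Is UnauthorizedAccessException OrElse
                                   TypeOf ex Is System.Security.SecurityException
            Console.Error.WriteLine(host & ": " & ex.GetType().Name & " " & ex.Message)
        End Try
    End Sub
End Module
```

Only hives that are loaded at the time of the query appear under HKEY_USERS, and OpenRemoteBaseKey needs the Remote Registry service running on the target.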
I've never watched the mounting of a remote registry hive with ProcessMonitor... So, I can't say what's normal, and what's not.
As you have probably figured out by my SOSOS example, I routinely get ScreenSaverTimeout value from all users of a remote PC. This technique has never been a problem in the years that this feature has been running
ASKER
For this reason, I don't even mount the hives for the users in the ProfileList (rather I just query any HKU hives that are currently there e.g. any currently-logged-in user). However when I run my query-tool (borrowing the OpenRemoteBaseKey code from you) on my workstation, and then run ProcessMonitor on the other one of the workstations I'm checking, I can see a lot of log entries (from ProcessMonitor) that suggest an update is happening (or was at least requested):
19047 5:15:32.2955776 PM wmiprvse.exe 1588 RegCreateKey HKLM\Software SUCCESS Desired Access: Maximum Allowed
Because the log entries (like the one above) mention wmi and/or wbem, and because the behavior is consistent in between tests, I'm thinking it's coming from the wmi calls in my program.