• Status: Solved

How to use OpenRemoteBaseKey to read the HKU registry values for currently-logged-on user

I know how to use RegEdit to access reg values of remote workstations on my network. But it's time-consuming and I want to write a script or .NET app which will do this for me.
When I connect remotely using regedit, I see three values under HKU:

Since I want to see what the currently-logged-on user's registry looks like, the middle key above ('S-1-5-21-838102356-342305600-1392588124-198975') is the one which I want to check.

I cloned/wrote a small .NET program which checks the values in HKU\Control Panel\Desktop and reports on the values (e.g. the value of 'ScreenSaveTimeOut').

However, when I run it under my own permissions, it is bringing back the values from the '.DEFAULT' node rather than the currently-logged-on user. My question is: is there a way to query the middle key above?

Here is my code which does the above verification:
Imports System.Net.NetworkInformation
Imports System.Text
Imports System.Management
Imports Microsoft.VisualBasic
Imports System
Imports System.IO
Imports System.Security.Permissions
Imports Microsoft.Win32

<Assembly: RegistryPermissionAttribute( _
    SecurityAction.RequestMinimum, _
    Read:="HKEY_CURRENT_USER\Control Panel")>
<Assembly: SecurityPermissionAttribute( _
    SecurityAction.RequestMinimum, UnmanagedCode:=True)>

Public Class Form1

    ' Reads Control Panel\Desktop on the remote host and writes the screen saver
    ' values to TextBox2 (a TextBox on this form).
    Public Sub subControlPanelDesktop(ByVal strHost As String)
        Dim ControlPanelKey As RegistryKey = Nothing
        Dim strValue As String
        Try
            ' This is the call the question is about: HKEY_CURRENT_USER opened remotely.
            ControlPanelKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.CurrentUser, strHost).OpenSubKey("Control Panel").OpenSubKey("Desktop")
            For Each valueName As String In ControlPanelKey.GetValueNames()
                strValue = ControlPanelKey.GetValue(valueName).ToString()
                If valueName = "ScreenSaveTimeOut" Then
                    TextBox2.Text &= ">#> " & strHost & " ScreenSaveTimeOut = " & strValue
                    If strValue = "900" Then
                        TextBox2.Text &= vbCrLf
                        TextBox2.Text &= " >>>EXCEPTION<<<" & vbCrLf
                    End If
                End If
                If valueName = "ScreenSaveActive" Then
                    TextBox2.Text &= ">#> " & strHost & " ScreenSaveActive=" & strValue
                    If strValue = "1" Then
                        TextBox2.Text &= vbCrLf
                        TextBox2.Text &= " >>>EXCEPTION<<<" & vbCrLf
                    End If
                End If
                If valueName = "SCRNSAVE.EXE" Then
                    TextBox2.Text &= ">#> " & strHost & " SCRNSAVE.EXE=" & strValue & vbCrLf
                End If
            Next
        Catch ex As IOException
            MessageBox.Show("problems:" & ex.GetType().Name & " " & ex.Message)
        End Try

        ' Close the registry key.
        If ControlPanelKey IsNot Nothing Then ControlPanelKey.Close()
    End Sub
End Class
1 Solution
This is kinda complicated...

First of all, the HKEY_CURRENT_USER is just a synonym for that "middle key"... but that only works on your PC. The concept of HKEY_CURRENT_USER doesn't really work when dealing with a remote PC. Instead, you'd have to use HKEY_USERS and then find the list of keys below it. That works... but only for the currently logged in users on the remote PC.

Which brings us to the next problem... what if there is nobody logged in? Or, what if you've got multiple users on a PC? The solution to those problems requires that you programmatically mount and unmount the user's registry hives.

I've got a few VB.Net examples that you might find useful. The registry routines are a part of a larger program called SOSOS, which is available at the following URL: http://home.hot.rr.com/graye/Articles/SOSOS.htm

Yeah, I know... that's a lot to download just to find a few lines of code, but you might find it interesting.
bobgato111 (Author) commented:
Thank you Graye for the very detailed example. There is just one follow up question. Although I have admin rights across my network, I want to be sure that I'm not making unintended updates to the registry on the remote workstations.

For this reason, I don't even mount the hives for the users in the ProfileList (rather I just query any HKU hives that are currently there e.g. any currently-logged-in user).  However when I run my query-tool (borrowing the OpenRemoteBaseKey code from you) on my workstation, and then run ProcessMonitor on the other one of the workstations I'm checking, I can see a lot of log entries (from ProcessMonitor) that suggest an update is happening (or was at least requested):
19047      5:15:32.2955776 PM      wmiprvse.exe      1588      RegCreateKey      HKLM\Software      SUCCESS      Desired Access: Maximum Allowed
Because the log entries (like the one above) mention wmi and/or wbem, and because the behavior is consistent in between tests, I'm thinking it's coming from the wmi calls in my program.  

I've never watched the mounting of a remote registry hive with ProcessMonitor...   So, I can't say what's normal, and what's not.

As you have probably figured out by my SOSOS example, I routinely get the ScreenSaverTimeout value from all users of a remote PC. This technique has never been a problem in the years that this feature has been running.
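
The approach from the answer (open HKEY_USERS on the remote PC and walk the SID keys below it), combined with the read-only concern from the follow-up comment, as an added example that is not code from this thread or from SOSOS. The module and function names are hypothetical, the S-1-5-21 filter assumes local or domain account SIDs like the one in the question, and the target must have the Remote Registry service running.

```vbnet
' Added example: read screen saver settings for every user hive loaded under HKU.
Imports System
Imports System.Collections.Generic
Imports System.Text.RegularExpressions
Imports Microsoft.Win32

Module RemoteHkuAudit   ' hypothetical name
    ' Keep account SIDs (S-1-5-21-...); this skips .DEFAULT, the service SIDs
    ' (S-1-5-18/19/20) and the per-user "<SID>_Classes" hives.
    Private ReadOnly UserSid As New Regex("^S-1-5-21-[\d-]+$")
    Private ReadOnly ValueNames As String() = {"ScreenSaveActive", "ScreenSaveTimeOut", "SCRNSAVE.EXE"}

    ' Returns "SID\ValueName" -> data for each user hive currently loaded on the host.
    Public Function ReadScreenSaverSettings(host As String) As Dictionary(Of String, String)
        Dim results As New Dictionary(Of String, String)
        Using hku As RegistryKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.Users, host)
            For Each sid As String In hku.GetSubKeyNames()
                If Not UserSid.IsMatch(sid) Then Continue For
                ' writable:=False asks for read access only, so this handle cannot modify the key.
                Using desktop As RegistryKey = hku.OpenSubKey(sid & "\Control Panel\Desktop", False)
                    If desktop Is Nothing Then Continue For
                    For Each name As String In ValueNames
                        Dim data As Object = desktop.GetValue(name)
                        results(sid & "\" & name) = If(data Is Nothing, "(not set)", data.ToString())
                    Next
                End Using
            Next
        End Using
        Return results
    End Function

    Sub Main(args As String())
        ' An empty machine name opens the local registry, which is handy for a first test.
        Dim host As String = If(args.Length > 0, args(0), String.Empty)
        Try
            For Each entry As KeyValuePair(Of String, String) In ReadScreenSaverSettings(host)
                Console.WriteLine("{0} {1} = {2}", host, entry.Key, entry.Value)
            Next
        Catch ex As Exception When TypeOf ex Is System.IO.IOException OrElse
            TypeOf ex Is UnauthorizedAccessException OrElse TypeOf ex Is System.Security.SecurityException
            Console.Error.WriteLine("Cannot read registry on {0}: {1}", host, ex.Message)
        End Try
    End Sub
End Module
```

Only hives that are already loaded appear under HKU, so a host with nobody logged on returns an empty result; nothing here mounts or unmounts a hive.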

