bobgato111

How to use OpenRemoteBaseKey to read the HKU registry values for currently-logged-on user

I know how to use RegEdit to access reg values of remote workstations on my network. But it's time-consuming and I want to write a script or .NET app which will do this for me.
When I connect remotely using regedit, I see three values under HKU:
.DEFAULT
S-1-5-21-838102356-342305600-1392588124-198975
S-1-5-21-838102356-342305600-1392588124-198975_Classes

Since I want to see what the currently-logged-on user's registry looks like, the middle key above ('S-1-5-21-838102356-342305600-1392588124-198975') is the one which I want to check.

I cloned/wrote a small .NET program which checks the values in HKU\Control Panel\Desktop and reports on the values (e.g. the value of 'ScreenSaveTimeOut').

However, when I run it under my own permissions, it is bringing back the values from the '.DEFAULT' node rather than the currently-logged-on user. My question is: is there a way to query the middle key above?

Here is my code which does the above verification:
Imports System.Net.NetworkInformation
Imports System.Text
Imports System.Management
Imports Microsoft.VisualBasic
Imports System
Imports System.IO
Imports System.Security.Permissions
Imports Microsoft.Win32

<Assembly: RegistryPermissionAttribute( _
    SecurityAction.RequestMinimum, _
    Read:="HKEY_CURRENT_USER\Control Panel")>
<Assembly: SecurityPermissionAttribute( _
    SecurityAction.RequestMinimum, UnmanagedCode:=True)>


Public Class Form1

.
.
.

    Public Sub subControlPanelDesktop(ByVal strHost As String)
        Dim ControlPanelKey As RegistryKey
        Dim strValue As String
        Try
            ControlPanelKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.CurrentUser, strHost).OpenSubKey("Control Panel").OpenSubKey("Desktop")
         
            For Each valueName As String In ControlPanelKey.GetValueNames()
                strValue = ControlPanelKey.GetValue(valueName).ToString()
                If valueName = "ScreenSaveTimeOut" Then
                    TextBox2.Text &= ">#> " & strHost & " ScreenSaveTimeOut = " & strValue
                    If strValue = "900" Then
                        TextBox2.Text &= vbCrLf
                    Else
                        TextBox2.Text &= " >>>EXCEPTION<<<" & vbCrLf
                    End If
                End If
                If valueName = "ScreenSaveActive" Then
                    TextBox2.Text &= ">#> " & strHost & " ScreenSaveActive=" & strValue
                    If strValue = "1" Then
                        TextBox2.Text &= vbCrLf
                    Else
                        TextBox2.Text &= " >>>EXCEPTION<<<" & vbCrLf
                    End If

                End If
                If valueName = "SCRNSAVE.EXE" Then
                    TextBox2.Text &= ">#> " & strHost & " SCRNSAVE.EXE=" & strValue & vbCrLf
                End If
            Next

        Catch ex As IOException
            MessageBox.Show("problems:" & ex.GetType().Name & " " & ex.Message)
            Return
        End Try

        ' Close the registry key.
        ControlPanelKey.Close()
    End Sub
ASKER CERTIFIED SOLUTION
graye
This solution is only available to members.
bobgato111

ASKER

Thank you, Graye, for the very detailed example. There is just one follow-up question. Although I have admin rights across my network, I want to be sure that I'm not making unintended updates to the registry on the remote workstations.

For this reason, I don't even mount the hives for the users in the ProfileList (rather, I just query any HKU hives that are currently there, e.g. any currently-logged-in user). However, when I run my query tool (borrowing the OpenRemoteBaseKey code from you) on my workstation, and then run ProcessMonitor on the other one of the workstations I'm checking, I can see a lot of log entries (from ProcessMonitor) that suggest an update is happening (or was at least requested):
19047      5:15:32.2955776 PM      wmiprvse.exe      1588      RegCreateKey      HKLM\Software      SUCCESS      Desired Access: Maximum Allowed
Because the log entries (like the one above) mention wmi and/or wbem, and because the behavior is consistent between tests, I'm thinking it's coming from the wmi calls in my program.

I've never watched the mounting of a remote registry hive with ProcessMonitor... So, I can't say what's normal, and what's not.

As you have probably figured out by my SOSOS example, I routinely get the ScreenSaverTimeout value from all users of a remote PC. This technique has never been a problem in the years that this feature has been running.
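
As an added example (not code from this thread or from the members-only solution): one way to read the hives that are already loaded under HKU is to open HKEY_USERS on the remote machine, walk the SID subkeys, and open each user's Control Panel\Desktop key with a read-only handle. The module and function names are hypothetical; it assumes the Remote Registry service is reachable on the target and that only S-1-5-21-... account hives are of interest.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Security
Imports Microsoft.Win32

Module LoadedUserHives
    ' Hypothetical helper (not from the thread): maps each loaded user SID on
    ' strHost to its ScreenSaveTimeOut value, or Nothing when the value is absent.
    Public Function GetScreenSaveTimeouts(ByVal strHost As String) As Dictionary(Of String, String)
        Dim results As New Dictionary(Of String, String)
        ' Open HKEY_USERS, not HKEY_CURRENT_USER, on the remote machine.
        Using hku As RegistryKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.Users, strHost)
            For Each sid As String In hku.GetSubKeyNames()
                ' Keep account hives; skip .DEFAULT, service SIDs and the *_Classes hives.
                If Not sid.StartsWith("S-1-5-21-", StringComparison.OrdinalIgnoreCase) Then Continue For
                If sid.EndsWith("_Classes", StringComparison.OrdinalIgnoreCase) Then Continue For
                ' Second argument False = not writable, so the handle is read-only.
                Using desktop As RegistryKey = hku.OpenSubKey(sid & "\Control Panel\Desktop", False)
                    If desktop Is Nothing Then Continue For
                    Dim value As Object = desktop.GetValue("ScreenSaveTimeOut", Nothing)
                    results(sid) = If(value Is Nothing, Nothing, value.ToString())
                End Using
            Next
        End Using
        Return results
    End Function

    Sub Main(ByVal args As String())
        ' Assumption: target host is the first argument; defaults to this machine.
        Dim host As String = If(args.Length > 0, args(0), Environment.MachineName)
        Try
            Dim found As Dictionary(Of String, String) = GetScreenSaveTimeouts(host)
            If found.Count = 0 Then Console.WriteLine(host & ": no user hive loaded")
            For Each pair As KeyValuePair(Of String, String) In found
                ' Same 900-second check as the code in the question.
                Dim flag As String = If(pair.Value = "900", "", " >>>EXCEPTION<<<")
                Console.WriteLine(host & " " & pair.Key & " ScreenSaveTimeOut=" & If(pair.Value, "(not set)") & flag)
            Next
        Catch ex As Exception When TypeOf ex Is IOException OrElse TypeOf ex Is SecurityException OrElse TypeOf ex Is UnauthorizedAccessException
            Console.WriteLine(host & ": " & ex.GetType().Name & " " & ex.Message)
        End Try
    End Sub
End Module
```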