How can I programmatically find a users HKEY_USERS registry key using powershell?

Question

I wonder if there is a way to find a local user's registry key in HKEY_USERS if you know the login-name of that user on the local machine. I want to programmatically add stuff to a specific user's registry keys (Autorun for example), but I only know the username. How can I determine which of the cryptic users in HKEY_USERS actually belongs to a specific username?

Answer 1

$User = New-Object System.Security.Principal.NTAccount($env:UserName)
$sid = $User.Translate([System.Security.Principal.SecurityIdentifier]).value

The above snippet gives you the SID of the logged-in user. This when appended to the HKEY_USERS givs you the right path for that username.

New-PSDrive HKU Registry HKEY_USERS
Get-Item "HKU:\${sid}"

Answer 2

This answer is not complete, as HKEY_USERS does not contain all the users, just those that are currently active.

You'll need to load the registry hive for the user(s) you want to work with using

reg load hku\ThatUserName C:\Users\ThatUserName\NTUSER.DAT

See this SO answer for an example of how to load the registry hive for all the user(s).

You can then access the registry for that user with

Set-Location HKU:\ThatUserName

Or call New-PSDrive to give the user's registry it's own drive, like so:

New-PSDrive -Name HKThatUser -PSProvider Registry -Root HKU\ThatUserName 
Set-Location HKThatUser:

Be sure to unload the registry, and do garbage collection to ensure the hive is released when done:

reg unload hku\ThatUserName
[gc]::collect()

See this post for more info