JCCyC

Reputation: 16622

How to map HKEY_USERS subkeys and Windows usernames?

I thought the key names immediately below HKEY_USERS were supposed to be the usernames of whoever logged in at this machine at some time. But in my machine what appears is:

S-1-5-18
S-1-5-19
S-1-5-20
S-1-5-21-NNNNNNNNN-NNNNNNNNN-NNNNNNNNNN-NNNNN
S-1-5-21-NNNNNNNNN-NNNNNNNNN-NNNNNNNNNN-NNNNN_Classes

I'd like to be able to determine which subtree corresponds to which user. How can I do that?

Edit: What I need is to get the usernames from the SIDs. I want to inspect the configurations of each user that has ever logged on, and I need to know their names. For example, in the registry above, I need to be able to, based on the string "S-1-5-21-NNNNNNNNN-NNNNNNNNN-NNNNNNNNNN-NNNNN", find out that it corresponds to DOMAIN\somebody, or LOCALMACHINENAME\somebodyelse.

Upvotes: 5

Views: 17586

Answers (7)

amuliar

Reputation: 1461

Please use PowerShell:

$mydocuments = [Environment]::GetFolderPath("mydocuments")
gwmi win32_userprofile | ft localpath, sid, status -AutoSize | Out-File $mydocuments\userprofiles.txt

Upvotes: 0

For PowerShell this is quick:

gwmi win32_userprofile | ft localpath, sid

Ashley McGlone Microsoft PFE http://aka.ms/GoateePFE

Upvotes: 3

dcharles

Reputation: 4852

It is possible to query this information from WMI. The following command will output a table with a row for every user along with the SID for each user.

wmic useraccount get name,sid

You can also export this information to CSV:

wmic useraccount get name,sid /format:csv > output.csv

I have used this on Vista and 7 (according to the comments it works on 2008 R2 as well). For more information see WMIC - Take Command-line Control over WMI.

Upvotes: 9

Preet Sangha

Reputation: 65555

In C# there appears to be an answer to translating username to SID here http://community.bartdesmet.net/blogs/bart/archive/2006/09/08/4394.aspx but it's only for local PCs.

For AD I converted it to:

using System;
using System.DirectoryServices;
using System.Security.Principal;

class Program {
    static void Main(string[] args) {
        string path = "LDAP://" + args[0];
        DirectoryEntry root = new DirectoryEntry(path, args[1], null, AuthenticationTypes.Secure);
        string sid = new SecurityIdentifier((byte[])root.Properties["objectSID"][0], 0).Value;
        Console.WriteLine(sid);
    }
}

The usage is: programname.exe DOMAIN username

e.g. programname.exe somecompany.com preet_sangha

Upvotes: 0

mihi

Reputation: 6735

When doing it manually (without extra tools), the easiest way is to open permissions for that key. The only user who has full permissions is the owner of the key.

When from a program, you will need a way to convert SIDs to account names. In C# (or PowerShell), have a look at the SecurityIdentifier and NTAccount classes for that.

Upvotes: 0
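
The SecurityIdentifier-to-NTAccount translation mentioned in the answer above, applied to every subkey of HKEY_USERS. This is an added PowerShell example, not code from any of the answers. The function names Resolve-SidToAccount and Get-HkuUserMap are hypothetical, and the ProfileList registry key used as a fallback for SIDs that no longer resolve (deleted accounts, unreachable domain) is an assumption not mentioned on this page.

```powershell
# Added example: map each HKEY_USERS subkey to an account name.
# Resolve-SidToAccount and Get-HkuUserMap are hypothetical helper names.

function Resolve-SidToAccount {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $sidObj = [System.Security.Principal.SecurityIdentifier]$Sid
        # Translate() asks the local SAM or the domain for the account name
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Invalid SID string, or IdentityNotMappedException because the
        # account was deleted or its domain cannot be reached
        return $null
    }
}

function Get-HkuUserMap {
    # Assumption: per-profile metadata lives under this key (not from the page)
    $profileList = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    foreach ($key in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        $name = $key.PSChildName

        # "<SID>_Classes" is the per-user classes hive of the same account
        $sid = $name -replace '_Classes$', ''

        # Skip subkeys that are not SIDs, such as .DEFAULT
        if ($sid -notmatch '^S-1-\d+(-\d+)+$') { continue }

        # Fallback evidence when the SID no longer translates:
        # the profile directory usually still carries the user name
        $profilePath = (Get-ItemProperty -Path "$profileList\$sid" `
            -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath

        [pscustomobject]@{
            SubKey      = $name
            Sid         = $sid
            Account     = Resolve-SidToAccount -Sid $sid
            ProfilePath = $profilePath
        }
    }
}

Get-HkuUserMap | Format-Table -AutoSize
```

HKEY_USERS only contains hives that are currently loaded, so users who are not logged on appear only if their hive has been loaded by something else.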

Cooper

Reputation: 1340

HKLM\System\CurrentControlSet\Control\hivelist will show you where the hives are mounted from. While not a direct mapping, usually the mount point has the user name in the path.

I'm sure there is a better answer than this though...

Upvotes: 1

steamer25

Reputation: 9563

I believe those numbers are the user's security ID (SID). You can use SysInternals to get the SIDs of users:

http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

Upvotes: 2
