Reputation: 16622
I thought the key names immediately below HKEY_USERS were supposed to be the usernames of whoever logged in at this machine at some time. But in my machine what appears is:
S-1-5-18
S-1-5-19
S-1-5-20
S-1-5-21-NNNNNNNNN-NNNNNNNNN-NNNNNNNNNN-NNNNN
S-1-5-21-NNNNNNNNN-NNNNNNNNN-NNNNNNNNNN-NNNNN_Classes
I'd like to be able to determine which subtree corresponds to which user. How can I do that?
Edit: WHat I need is to get the usernames from the SIDs. I want to inspect the configurations of each user that has ever logged on, and I need to know their names. For example, in the registry above, I need to be able to, based on the string "S-1-5-21-NNNNNNNNN-NNNNNNNNN-NNNNNNNNNN-NNNNN", find out that it correspond to DOMAIN\somebody, or LOCALMACHINENAME\somebodyelse.
Upvotes: 5
Views: 17586
Reputation: 1461
Please use powershell:
$mydocuments = [Environment]::GetFolderPath("mydocuments")
gwmi win32_userprofile | ft localpath, sid, status -AutoSize | Out-File $mydocuments\userprofiles.txt
Upvotes: 0
Reputation: 101
For PowerShell this is quick:
gwmi win32_userprofile | ft localpath, sid
Ashley McGlone Microsoft PFE http://aka.ms/GoateePFE
Upvotes: 3
Reputation: 4852
It is possible to query this information from WMI. The following command will output a table with a row for every user along with the SID for each user.
wmic useraccount get name,sid
You can also export this information to CSV:
wmic useraccount get name,sid /format:csv > output.csv
I have used this on Vista and 7 (according to the comments it works on 2008 R2 as well). For more information see WMIC - Take Command-line Control over WMI.
Upvotes: 9
Reputation: 65555
in C# there is appears to be an answer to translating username to SID here http://community.bartdesmet.net/blogs/bart/archive/2006/09/08/4394.aspx but its only for local PCs.
For AD I converted it to:
using System;
using System.DirectoryServices;
using System.Security.Principal;
class Program {
static void Main(string[] args) {
string path = "LDAP://" + args[0];
DirectoryEntry root = new DirectoryEntry(path, args[1], null, AuthenticationTypes.Secure);
string sid = new SecurityIdentifier((byte[])root.Properties["objectSID"][0], 0).Value;
Console.WriteLine(sid);
}
}
The usage is : programname.exe DOMAIN username
e.g. programname.exe somecompany.com preet_sangha
Upvotes: 0
Reputation: 6735
When doing it manually (without extra tools), the easiest way is to open permissions for that key. The only user who has full permissions is the owner of the key.
When from a program, you will need a way to convert SIDs to account names. In C# (or PowerShell), have a look at the SecurityIdentifier and NtAccount class for that.
Upvotes: 0
Reputation: 1340
HKLM\System\CurrentControlSet\Control\hivelist will show you where the hives are mounted from. While not a direct mapping, usually the mount point has the user name in the path.
I'm sure there is a better answer than this though...
Upvotes: 1
Reputation: 9563
I believe those numbers are the user's security ID (SID). You can use SysInternals to get the SIDs of users:
http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx
Upvotes: 2