John Lee

Reputation: 61

Read HKEY_USERS and HKEY_CURRENT_USERS

$strIPAddrTmp = "172.28.27.200"
$strKeyIEConnections = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\"
# Open the CurrentUser hive on the remote machine (requires the Remote Registry service)
$strRegType = [Microsoft.Win32.RegistryHive]::CurrentUser
$strRegKey  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($strRegType, $strIPAddrTmp)
$strRegKey  = $strRegKey.OpenSubKey($strKeyIEConnections)
# Read the binary proxy configuration blob from the opened subkey
$strRegKey.GetValue("DefaultConnectionSettings")

I used the PS script above to try to read the contents of:

HKCU::Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

I was just trying to check the IE proxy settings of a target remote machine. I found out that the script always returns the contents from HKEY_USERS instead of HKEY_CURRENT_USERS. What did I do wrong?

Upvotes: 1

Views: 19046

Answers (3)

John Lee

Reputation: 61

This should be the answer!

1) Find out the SID of the user logged onto the machine.

# $domain and $name hold the logged-on user's domain and account name
$strSID = (Get-WmiObject -Class Win32_UserAccount -Filter "Domain = '$domain' AND Name = '$name'").SID

2) Use the SID to find out the info in HKEY_USERS:

# Prefix the path with the user's SID so it resolves under HKEY_USERS
$strKeyIEConnections = "$strSID\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\"
$strRegType = [Microsoft.Win32.RegistryHive]::Users
# $strIPAddrTmp is the remote machine's address from the question
$strRegKey  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($strRegType, $strIPAddrTmp)
$strRegKey  = $strRegKey.OpenSubKey($strKeyIEConnections)

Upvotes: 4
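The SID-then-HKEY_USERS approach above, wrapped into a reusable function for auditing a user's proxy settings on a remote host; this is an added example, not code from the question or answers. It assumes the Remote Registry service is running on the target, the caller has administrative rights there, the user is currently logged on (otherwise their hive is not mounted under HKEY_USERS), and the account can be translated to a SID from the machine running the script. Function and parameter names are invented for the example.

```powershell
# Added example: read a logged-on user's Internet Settings from HKEY_USERS\<SID>
# on a remote machine, as the accepted answer describes.
function Get-RemoteUserProxySettings {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # e.g. "172.28.27.200"
        [Parameter(Mandatory)] [string] $Domain,         # domain name, or host name for a local account
        [Parameter(Mandatory)] [string] $UserName
    )

    # Resolve the account to its SID; assumes the domain (or host) is reachable for lookup.
    $account = New-Object System.Security.Principal.NTAccount($Domain, $UserName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # HKEY_CURRENT_USER cannot be opened remotely, so open HKEY_USERS and walk into the SID.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    try {
        $settings = $hive.OpenSubKey("$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
        if ($null -eq $settings) {
            throw "Hive for $Domain\$UserName ($sid) is not loaded on $ComputerName; is the user logged on?"
        }
        $connections = $settings.OpenSubKey("Connections")
        $blob = if ($connections) { $connections.GetValue("DefaultConnectionSettings") } else { $null }

        [pscustomobject]@{
            ComputerName    = $ComputerName
            User            = "$Domain\$UserName"
            SID             = $sid
            ProxyEnable     = $settings.GetValue("ProxyEnable")
            ProxyServer     = $settings.GetValue("ProxyServer")
            AutoConfigURL   = $settings.GetValue("AutoConfigURL")
            # DefaultConnectionSettings is a binary blob; byte 8 is the low byte of the
            # connection-flags DWORD (0x02 manual proxy, 0x04 auto-config script, 0x08 auto-detect).
            ConnectionFlags = if ($blob -and $blob.Length -gt 8) { $blob[8] } else { $null }
        }
    }
    finally {
        $hive.Close()
    }
}

# Usage (values are placeholders):
# Get-RemoteUserProxySettings -ComputerName 172.28.27.200 -Domain CONTOSO -UserName jlee
```

Comparing ProxyServer and AutoConfigURL across a fleet against the expected values is a cheap way to spot unexpected proxy or PAC changes on user accounts.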

Ansgar Wiechers

Reputation: 200273

The subkeys of HKEY_USERS are the places where the user registry hives (ntuser.dat from their profiles) are actually mounted after a user logs in. HKEY_CURRENT_USER is just an alias for HKEY_USERS\S-1-5-..., where S-1-5-... is the SID of the currently logged-in user.

Upvotes: 1

Shay Levy

Reputation: 126732

You cannot connect to the current user hive remotely. You can if you know the user's SID and connect to it via the HKEY_USERS hive.

Upvotes: 2
