Scanning for entries in user hives in registry
Started by HarryH
HarryH
Scanning for entries in user hives in registry 08 November 2013, 19:55 |
I'm wondering about the feasibility of delivering values of user hive keys in Network Scanner, as this would definitely be a powerful feature.
I am aware that any given device may have more than one user hive loaded, or none, or one that has failed to unload correctly etc, which of course is where the challenge starts. I presume that delivering this feature would probably also increase overhead / scan times.
I am wondering if, for example, when defining a USER key/value to fetch in the 'Remote registry' settings, Network scanner could offer you a setting option telling it to load either the first, second, third etc loaded user key it finds in the registry, and, as well as displaying the value (or none if the selection makes no sense) to also translate the SID to the friendly username, for example outputting a display like "Logged User: <key value>".
That way, if you decided to view another user's key/data value on a PC with multiple users logged on, it would be a cinch to reset the 'which user hive to scan' option and rescan until their account and registry value was returned.
Of course, for the majority of cases it is likely that only one user will be logged on, and therefore the default should be to load the first user hive found. As the key value returned would show which user it related to it would be easy to work with.
So, would this be easy to implement, or has anyone designed their own work-around that could be shared?
Regards
Harry
Scanning for entries in user hives in registry 09 November 2013, 04:30 |
Registered: 13 years ago Posts: 154 |
For things like this (in other words beyond the scope of the software) I have written CMD, VBScript or PowerShell Scripts that can do many extra things.
An example: I have added items under the "Open Computer...". Currently I have items like "and Schedule Remote Shutdown" or "With Remote CMD Prompt". These are all accomplished with scripting and I have the ability to make the scripts do it however we need. I am sure you could write a script that would get the user information you need or load a hive etc. etc.
-WS
HarryH
Re: Thoughts on scanning for entries in user hives in registry 14 November 2013, 01:32 |
The Custom applications feature under program Options is indeed one of the most powerful features in my opinion, and saves me vast amounts of time and effort. However, unless a feature is provided that will enable a custom column displaying the outputs of a custom script, then there remains no way to see at-a-glance the values of user hive keys, a very useful feature when managing hundreds of hosts across multiple subnets.
Personally I am convinced that the feature I propose does fit with this tool, rather than another.
Re: Thoughts on scanning for entries in user hives in registry 14 November 2013, 08:34 |
Admin Registered: 18 years ago Posts: 3 518 |
- Enumerating currently logged on users (as already implemented)
- Converting those user names to SIDs (for which LookupAccountName might work).
- Reading HKEY_USERS\SID-VALUE-HERE\...
I will publish this as an experimental feature shortly.
Re: Thoughts on scanning for entries in user hives in registry 14 November 2013, 09:51 |
Admin Registered: 18 years ago Posts: 3 518 |
It attempts to enumerate logged on users, obtain their SIDs and then read their user hives from HKEY_USERS.
For a single logged on user, it should print just a value from the registry, whereas if there's more than one user, each value is prefixed with a user name.
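The behaviour described in this thread (find the user hives under HKEY_USERS, map each SID to a user name, read the value, and prefix each value with the user name only when there is more than one), as an added PowerShell example that is not part of the original posts and is not Network Scanner's own code. It enumerates the loaded hives directly instead of the logged-on users; the function name, host name and key path are hypothetical.

```powershell
# Added example; Get-LoggedUserRegistryValue is a hypothetical name.
# Needs the Remote Registry service on the target and admin rights there.
function Get-LoggedUserRegistryValue {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [Parameter(Mandatory = $true)] [string] $SubKey,    # below HKEY_USERS\<SID>
        [Parameter(Mandatory = $true)] [string] $ValueName
    )

    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    try {
        # Loaded hives of local and domain accounts show up as S-1-5-21-...;
        # this skips .DEFAULT, S-1-5-18/19/20 and the *_Classes companions.
        $sids = $hku.GetSubKeyNames() | Where-Object { $_ -match '^S-1-5-21-[\d-]+$' }

        $results = @(foreach ($sid in $sids) {
            # SID -> DOMAIN\user, resolved from the scanning machine. Keep the
            # raw SID when that fails (remote local account, deleted account).
            try {
                $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $user = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $user = $sid
            }

            $value = $null
            $key = $hku.OpenSubKey("$sid\$SubKey")    # read-only; $null if missing
            if ($key) {
                $value = $key.GetValue($ValueName)
                $key.Close()
            }
            [pscustomobject]@{ Sid = $sid; User = $user; Value = $value }
        })
    } finally {
        $hku.Close()
    }

    # One user: the bare value. Several: "user: value", comma-separated.
    if ($results.Count -eq 0) { return '' }
    if ($results.Count -eq 1) { return [string] $results[0].Value }
    ($results | ForEach-Object { '{0}: {1}' -f $_.User, $_.Value }) -join ', '
}

# Constructed host name and key path; substitute real ones.
Get-LoggedUserRegistryValue -ComputerName 'PC-EXAMPLE-01' -SubKey 'Control Panel\Desktop' -ValueName 'ScreenSaveActive'
```

A hive that failed to unload after logoff still appears under HKEY_USERS, so this can list users who are no longer logged on.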
HarryH
Re: Thoughts on scanning for entries in user hives in registry 15 November 2013, 20:33 |
That works just fine! Definitely a powerful leap forward.
And then leads me to the obvious consequence:
I now discover I have over 300 hundred users currently online for whom I wish to edit a value in their user hives (or, in this case, delete).
While I'm sure to hear cries of 'do it via AD', it would be very pretty if the facility existed in Network Scanner (and probably quicker too, lol).
So there's the next challenge, pulling the device-relative user SIDs so they can be referenced in a user-defined application to be run against selected multiple devices. Perhaps SIDs could be held in another set of Global parameters %A, %B, %C for example? And if so, how to identify which SID (or holding parameter) is for which User?
I hope this idea seems worthy of the effort.
I remain a serious advocate for the app.
H
Re: Thoughts on scanning for entries in user hives in registry 15 November 2013, 21:04 |
Admin Registered: 18 years ago Posts: 3 518 |
HarryH
Re: Thoughts on scanning for entries in user hives in registry 16 November 2013, 02:55 |
As you have already provided the means to reference a column value in a custom command via [column title], I can see this will definitely deliver.
How would you propose splitting the SIDs though, as there'll need to be only one referenced per [column title] to avoid a headache where there are multiple users logged into a device and not all to be acted upon?
Another potential problem I see is where there are a very great number of logged users such as on a scanned Citrix server, potentially with hundreds of users. However I doubt such a device would be a candidate for this particular user hive functionality, but mention it as whatever solution is proposed should be able to handle this scenario.
Perhaps an approach would be to create variables such as IPADDRESS_LOGGEDUSER1, IPADDRESS_LOGGEDUSER2 and assigning each SID to it.
We would need an unambiguous method of passing the variable to a custom command. From an end-user standpoint I'd just want to specify the SID by reference as Logged User 1, two or three etc. It would be a simple matter to group devices by whether I wished to act on user hive 1, two or three before firing off a command to each group.
But now I'm pretty much back at my original suggestion which I believe you have ruled out.
Even if we restrict ourselves to devices with one Logged User, this will still be a very useful feature. It is a simple enough matter to launch a registry editor against the remaining devices and do this by hand, or use the batch script writing facility and edit the script accordingly.
Many thanks for the user hive reading feature, and in the meantime, "yes please" to a column for the SID of the Logged User, as I can put this to use immediately.
Harry
Re: Thoughts on scanning for entries in user hives in registry 21 November 2013, 22:36 |
Admin Registered: 18 years ago Posts: 3 518 |
It's available at the Workstation tab in the settings.
Hopefully it can be useful as is, and later we'll find a good way to access a particular value in comma separated columns.
In fact, there're quite a few columns that likewise can return more than one value, and in that case it's comma-separated.
I hope to provide a flexible way to access an individual value from a comma-separated list in a future release.
HarryH
Re: Thoughts on scanning for entries in user hives in registry 27 November 2013, 21:45 |