Scanning for entries in user hives in registry

Started by HarryH

HarryH

Scanning for entries in user hives in registry   08 November 2013, 19:55

Hello,

I'm wondering about the feasibility of delivering values of user hive keys in Network Scanner, as this would definitely be a powerful feature.
I am aware that any given device may have more than one user hive loaded, or none, or one that has failed to unload correctly etc, which of course is where the challenge starts. I presume that delivering this feature would probably also increase overhead / scan times.

I am wondering if, for example, when defining a USER key/value to fetch in the 'Remote registry' settings, Network scanner could offer you a setting option telling it to load either the first, second, third etc loaded user key it finds in the registry, and, as well as displaying the value (or none if the selection makes no sense) to also translate the SID to the friendly username, for example outputting a display like "Logged User: <key value>".

That way, if you decided to view another user's key/data value on a PC with multiple users logged on, it would be a cinch to reset the 'which user hive to scan' option and rescan until their account and registry value was returned.

Of course, for the majority of cases it is likely that only one user will be logged on, and therefore the default should be to load the first user hive found. As the key value returned would show which user it related to it would be easy to work with.

So, would this be easy to implement, or has anyone designed their own work-around that could be shared?

Regards

Harry

Scanning for entries in user hives in registry   09 November 2013, 04:30

IMHO: I think this is a completely separate tool/software, that I would like to see developed. I like the idea and I can think of many uses.

For things like this (in other words beyond the scope of the software) I have written CMD, VBScript or PowerShell Scripts that can do many extra things.

An example: I have added items under the "Open Computer...". Currently I have items like "and Schedule Remote Shutdown" or "With Remote CMD Prompt". These are all accomplished with scripting and I have the ability to make the scripts do it however we need. I am sure you could write a script that would get the user information you need or load a hive etc. etc. -WS

WindowStar, thanks for your input.
The Custom applications feature under program Options is indeed one of the most powerful features in my opinion, and saves me vast amounts of time and effort. However, unless a feature is provided that will enable a custom column displaying the outputs of a custom script, then there remains no way to see at-a-glance the values of user hive keys, a very useful feature when managing hundreds of hosts across multiple subnets.
Personally I am convinced that the feature I propose does fit with this tool, rather than another.

Andrew

Re: Thoughts on scanning for entries in user hives in registry   14 November 2013, 08:34

I suppose it would be possible to retrieve user registry keys by doing the following

  1. Enumerating currently logged on users (as already implemented)
  2. Converting those user names to SIDs (for which LookupAccountName might work).
  3. Reading HKEY_USERS\SID-VALUE-HERE\...

I will publish this as an experimental feature shortly.
Andrew

Re: Thoughts on scanning for entries in user hives in registry   14 November 2013, 09:51

In the latest build, we have implemented retrieving HKCU as shown below:

[screenshot]

It attempts to enumerate logged on users, obtain their SIDs and then read their user hives from HKEY_USERS.

For a single logged on user, it should print just a value from the registry, whereas if there's more than one user, each value is prefixed with a user name.

[screenshot]

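The three steps Andrew outlined (enumerate logged-on users, resolve their SIDs, read HKEY_USERS\SID\...) and the output format described for the new build, as an added PowerShell example that is not Network Scanner's own code. It differs from the tool in one detail: it discovers users from the hives actually loaded under HKEY_USERS and translates SID to account name with .NET, rather than starting from the session list and calling LookupAccountName. It assumes the Remote Registry service is reachable with administrative rights, and the key path and value name are placeholders.

```powershell
# Added example: read one value from every logged-on user's hive on a host.
# Assumptions: Remote Registry is running on the target, the caller is an
# administrator there, and $SubKey / $ValueName are placeholders to replace.
param(
    [string]$ComputerName = 'localhost',
    [string]$SubKey       = 'Software\Example\Settings',   # placeholder key
    [string]$ValueName    = 'ExampleValue'                 # placeholder value
)

# 1. Enumerate users whose hives are loaded: each interactive user appears as
#    a SID-named subkey of HKEY_USERS. The pattern keeps domain/local account
#    SIDs (S-1-5-21-...) and drops .DEFAULT, service SIDs and *_Classes keys.
$hkUsers = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
$userSids = $hkUsers.GetSubKeyNames() | Where-Object {
    $_ -match '^S-1-5-21-\d+-\d+-\d+-\d+$'
}

$results = foreach ($sid in $userSids) {
    # 2. Translate the SID to a friendly DOMAIN\user name; a SID that cannot
    #    be resolved (e.g. a deleted account) is reported as the raw SID.
    try {
        $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $name = $sid
    }

    # 3. Read HKEY_USERS\<SID>\<SubKey>\<ValueName>; a missing key or value
    #    yields $null instead of an error so one user cannot abort the scan.
    $value = $null
    $key = $hkUsers.OpenSubKey("$sid\$SubKey")
    if ($key) {
        $value = $key.GetValue($ValueName, $null)
        $key.Close()
    }
    [pscustomobject]@{ User = $name; SID = $sid; Value = $value }
}
$hkUsers.Close()

# Mirror the column format described in the thread: a bare value when exactly
# one user is logged on, otherwise "user: value" entries joined by commas.
if ($results.Count -eq 1) {
    $results[0].Value
} else {
    ($results | ForEach-Object { "$($_.User): $($_.Value)" }) -join ', '
}
```

Run it against a remote host with `.\Get-UserHiveValue.ps1 -ComputerName PC01 -SubKey 'Software\...' -ValueName '...'`; the same `$results` objects carry the SID, so they can also feed the per-user SID column discussed later in the thread.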
Andrew,
That works just fine! Definitely a powerful leap forward.
And then leads me to the obvious consequence.
I now discover I have over 300 hundred users currently online for whom I wish to edit a value in their user hives (or, in this case, delete).
While I'm sure to hear cries of 'do it via AD', it would be very pretty if the facility existed in Network Scanner (and probably quicker too, lol).
So there's the next challenge, pulling the device-relative user SIDs so they can be referenced in a user-defined application to be run against selected multiple devices. Perhaps SIDs could be held in another set of Global parameters %A, %B, %C for example? And if so, how to identify which SID (or holding parameter) is for which User?
I hope this idea seems worthy of the effort.
I remain a serious advocate for the app.
H

Andrew

Re: Thoughts on scanning for entries in user hives in registry   15 November 2013, 21:04

The global parameters are static values, I don't think we can use them here.

Perhaps another column that will display the logged user's SID sounds like a good idea?

Andrew,

As you have already provided the means to reference a column value in a custom command via [column title], I can see this will definitely deliver.

How would you propose splitting the SIDs though, as there'll need to be only one referenced per [column title] to avoid a headache where there are multiple users logged into a device and not all to be acted upon?

Another potential problem I see is where there are a very great number of logged users such as on a scanned Citrix server, potentially with hundreds of users. However I doubt such a device would be a candidate for this particular user hive functionality, but mention it as whatever solution is proposed should be able to handle this scenario.

Perhaps an approach would be to create variables such as IPADDRESS_LOGGEDUSER1, IPADDRESS_LOGGEDUSER2 and assigning each SID to it.

We would need an unambiguous method of passing the variable to a custom command. From an end-user standpoint I'd just want to specify the SID by reference as Logged User 1, two or three etc. It would be a simple matter to group devices by whether I wished to act on user hive 1, two or three before firing off a command to each group.

But now I'm pretty much back at my original suggestion which I believe you have ruled out.

Even if we restrict ourselves to devices with one Logged User, this will still be a very useful feature. It is a simple enough matter to launch a registry editor against the remaining devices and do this by hand, or use the batch script writing facility and edit the script accordingly.

Many thanks for the user hive reading feature, and in the meantime, "yes please" to a column for the SID of the Logged User, as I can put this to use immediately.

Harry

Andrew

Re: Thoughts on scanning for entries in user hives in registry   21 November 2013, 22:36

I have added looking up user SID(s) in the latest version (5.5.3).

It's available at the Workstation tab in the settings.

Hopefully it can be useful as is, and later we'll find a good way to access a particular value in comma separated columns.

In fact, there are quite a few columns that likewise can return more than one value, and in that case it's comma-separated.

I hope to provide a flexible way to access an individual value from a comma-separated list in the future release.

Andrew,
Many thanks for incorporating these features.
At first use it has provided a simple 'quick fix' for several hundred users across a wide geographical area who were unable to open PDFs in their browsers.
Thanks from me, for them.
Regards
Harry
