Using SIDs in Remote Registry queries

Started by RMPF2

RMPF2

Using SIDs in Remote Registry queries   14 September 2022, 05:37

Is it possible to use something like this for HKEY_USERS to read a value from a specific key?
[Logged SIDs]\SOFTWARE\Microsoft\Exchange
Where [Logged SIDs] is a variable of the current user SID logged on the remote computer.

Andrew

Re: Using SIDs in Remote Registry queries   15 September 2022, 10:40

You can use VB scripting for that under Options - Remote Scripting.

Here is a sample script that prints logged SIDs with their %PATH% variable read from the registry:
Const HKEY_USERS = 2147483651

'Connect using current user
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & Input.Current & "\root\cimv2")

'Get interactive sessions
Set colSessions = objWMI.ExecQuery _
  ("Select * from Win32_LogonSession Where LogonType = 2")
If colSessions.Count = 0 Then
  'No interactive session found
  Output.Write "No interactive user found"
Else
  'Interactive session found
  For Each objSession in colSessions
    'Get the accounts associated with this logon session
    Set colList = objWMI.ExecQuery("Associators of " _
      & "{Win32_LogonSession.LogonId=" & objSession.LogonId & "} " _
      & "Where AssocClass=Win32_LoggedOnUser Role=Dependent")

    'Setup registry access
    Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & Input.Current & "\root\default:StdRegProv")

    'Query registry for those SIDs
    For Each objItem in colList
      errCode = objReg.GetStringValue(HKEY_USERS, objItem.SID & "\Environment", "Path", Value)
      If errCode = 0 Then
        Output.Write "Logged SID: " & objItem.SID
        Output.Write "%PATH% Value: " & Value
      End If
    Next
  Next
End If
Attachments: enum-sid-read-path.zip (677 bytes)

RMPF2

Re: Using SIDs in Remote Registry queries   16 September 2022, 01:35

Ok. Thanks.

Just to clarify, to understand how it works: how exactly does the "Options - Remote Registry" feature behave when the desired query is against HKEY_USERS? Because if we open the Registry Browser, the only SIDs there are the local ones in relation to the user that is running NetScan.

Andrew

Re: Using SIDs in Remote Registry queries   16 September 2022, 08:56

In the Options - Remote Registry feature the Registry Browser operates on the local machine. It is present merely for convenience and allows you to choose a path to query from the local registry.

If you need to query a value or key that is not on the local machine, you will need to type it manually.
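
An alternative to the logon-session lookup in the sample script above, as an added example that is not part of the thread or SoftPerfect's own code: it enumerates the user hives loaded under HKEY_USERS on the remote host and reads one value from the key named in the question. `ExampleValueName` is a placeholder, and `Input.Current` and `Output.Write` are assumed to behave as they do in the sample script.

```vbscript
' Added example: read one value from every user hive loaded on the remote host.
Const HKEY_USERS = 2147483651
Const SUB_KEY = "SOFTWARE\Microsoft\Exchange"   ' key from the question
Const VALUE_NAME = "ExampleValueName"            ' placeholder: set to the value you need

' Match per-user hives only: local/domain accounts (S-1-5-21-...) and
' Azure AD accounts (S-1-12-1-...). This skips .DEFAULT, the service
' SIDs (S-1-5-18/19/20) and the <SID>_Classes hives.
Set reSid = New RegExp
reSid.Pattern = "^S-1-(5-21|12-1)(-\d+)+$"

' Setup registry access on the host being scanned
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & Input.Current & "\root\default:StdRegProv")

' List the subkeys of HKEY_USERS as seen on the remote host
errCode = objReg.EnumKey(HKEY_USERS, "", arrSubKeys)
If errCode <> 0 Or Not IsArray(arrSubKeys) Then
  Output.Write "Cannot enumerate HKEY_USERS, error " & errCode
Else
  found = 0
  For Each strKey In arrSubKeys
    If reSid.Test(strKey) Then
      found = found + 1
      errCode = objReg.GetStringValue(HKEY_USERS, strKey & "\" & SUB_KEY, VALUE_NAME, strValue)
      If errCode = 0 And Not IsNull(strValue) Then
        Output.Write strKey & ": " & strValue
      Else
        ' Key or value missing for this user, or not a string value
        Output.Write strKey & ": value not read (code " & errCode & ")"
      End If
    End If
  Next
  If found = 0 Then Output.Write "No user hives loaded"
End If
```

Unlike the `LogonType = 2` query, this reports every profile whose hive is currently loaded, which can include remote desktop sessions and profiles loaded by services.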
