Accessing HKCU and HKCR from Remote Registry

When you open Registry Editor and connect to a remote system, the only hives you will see are HKEY_LOCAL_MACHINE and HKEY_USERS. The other two hives, HKEY_CLASSES_ROOT and HKEY_CURRENT_USER, are there too, but they are views onto keys inside the two visible hives. So this note only explains how to reach the ones that are not openly evident.


HKEY_CLASSES_ROOT: on a remote connection this hive is located under HKEY_LOCAL_MACHINE\SOFTWARE\Classes. That is the machine-wide half of HKCR; the per-user half (HKCU\Software\Classes, which Windows merges in locally) lives under the user's SID hive in HKEY_USERS, as a <SID>_Classes key.


HKEY_CURRENT_USER: this hive is trickier to find because you have to correlate a SID with a user. HKEY_USERS only contains the hives of profiles that are currently loaded, each keyed by SID. Ignore the short, well-known SIDs (S-1-5-18, S-1-5-19 and S-1-5-20 are SYSTEM, LOCAL SERVICE and NETWORK SERVICE), .DEFAULT, and the <SID>_Classes keys; none of those is a user profile. Domain and local user accounts have SIDs of the form S-1-5-21-<domain or machine id>-<RID>. One way to work out who a SID belongs to is to open HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run. Under this key is the list of applications set to start when that user logs on. Look at the data field: there will usually be a few entries whose paths start with c:\users\<username>, which gives away the user behind that SID. A more reliable check is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>, whose ProfileImagePath value records the profile directory for every profile on the machine, loaded or not.

Another way is to run a WMI query against the remote system: the UserName property of Win32_ComputerSystem gives the interactively logged-on user, and Win32_UserAccount gives the SID for that account.
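The SID-to-user mapping above, as an added PowerShell example (not part of the original notes). It assumes the Remote Registry service is running on the target, that you are an administrator there, and that WinRM is enabled for the CIM query; the computer name PC01 is a placeholder. The ProfileList lookup, the SID translation and the CIM query are additions alongside the Run-key heuristic the notes describe.

```powershell
# Added example: map each loaded hive under HKEY_USERS on a remote machine to a user,
# then show where HKCR and "HKCU" actually live on a remote connection.
param([string]$Computer = 'PC01')   # assumed hostname; replace with the real target

$hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $Computer)
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)

# HKCR on a remote connection is the machine-wide classes key under HKLM
$hkcr = $hklm.OpenSubKey('SOFTWARE\Classes')
"HKCR on $Computer has $($hkcr.SubKeyCount) subkeys"

foreach ($sid in $hku.GetSubKeyNames()) {
    # Skip well-known SIDs (SYSTEM, LOCAL SERVICE, NETWORK SERVICE), .DEFAULT and *_Classes hives:
    # only S-1-5-21-... SIDs belong to real local or domain user accounts
    if ($sid -notmatch '^S-1-5-21-' -or $sid -like '*_Classes') { continue }

    # Reliable mapping: ProfileList records the profile directory for every profile, loaded or not
    $profileKey  = $hklm.OpenSubKey("SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid")
    $profilePath = if ($profileKey) { $profileKey.GetValue('ProfileImagePath') } else { '<no profile>' }

    # Heuristic from the notes: per-user Run entries usually contain c:\users\<name> paths
    $run   = $hku.OpenSubKey("$sid\Software\Microsoft\Windows\CurrentVersion\Run")
    $hints = @()
    if ($run) {
        foreach ($name in $run.GetValueNames()) {
            $cmd = [string]$run.GetValue($name)
            if ($cmd -match '(?i)c:\\users\\([^\\"]+)') { $hints += $Matches[1] }
        }
    }

    # Resolve SID -> DOMAIN\user. Domain SIDs resolve from any domain-joined box;
    # the remote machine's purely local accounts will not resolve from here.
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                   Translate([System.Security.Principal.NTAccount]).Value
    } catch { $account = '<unresolved>' }

    [pscustomobject]@{
        SID         = $sid
        Account     = $account
        ProfilePath = $profilePath
        RunKeyHints = ($hints | Select-Object -Unique) -join ','
    }
}

# WMI/CIM alternative: who is logged on interactively right now, and that account's SID.
# Get-CimInstance talks WS-Man (WinRM); the older Get-WmiObject used DCOM.
$cs = Get-CimInstance -ComputerName $Computer -ClassName Win32_ComputerSystem
if ($cs.UserName) {
    $dom, $user = $cs.UserName -split '\\', 2
    $acct = Get-CimInstance -ComputerName $Computer -ClassName Win32_UserAccount `
                -Filter "Name='$user' AND Domain='$dom'"
    "Logged-on user: $($cs.UserName)  SID: $($acct.SID)"
}
```

Run it from an elevated prompt as an account with admin rights on the target. The Win32_UserAccount query is filtered on both Name and Domain because an unfiltered query against a large domain enumerates every account and can take minutes.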

DISM: Edit a WinPE boot image

Dism /mount-wim /wimfile:s:\winpe\boot_W10_x64.wim /index:1 /mountdir:s:\winpe\mount

Dism /image:s:\winpe\mount /add-driver /driver:s:\winpe\drivers /recurse

Dism /image:s:\winpe\mount /Set-InputLocale:nl-BE

Dism /image:s:\winpe\mount /Set-SysLocale:nl-BE

Dism /image:s:\winpe\mount /Set-UserLocale:nl-BE

Dism /Unmount-Wim /MountDir:s:\winpe\mount /Commit

Dism /Cleanup-WIM
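The same seven steps wrapped in a PowerShell script, as an added example that is not part of the original notes. It uses the paths from the notes as placeholders, checks each DISM exit code, lists the injected drivers before committing, and discards the mount if any step fails so the original WIM is never committed half-modified. The Invoke-Dism helper is my own.

```powershell
# Added example: run the DISM servicing steps above with error handling.
# Requires an elevated prompt with dism.exe on the PATH (Windows ADK or built-in).
$ErrorActionPreference = 'Stop'
$Wim      = 's:\winpe\boot_W10_x64.wim'   # paths from the notes; adjust to your layout
$MountDir = 's:\winpe\mount'
$Drivers  = 's:\winpe\drivers'
$Locale   = 'nl-BE'

# Helper (not a DISM feature): run dism.exe and fail loudly on a non-zero exit code,
# since native commands do not throw on failure by themselves in Windows PowerShell
function Invoke-Dism {
    param([string[]]$DismArgs)
    & dism.exe @DismArgs
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($DismArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
# A non-empty mount directory usually means a stale mount from an earlier failed run
if ((Get-ChildItem $MountDir -Force | Measure-Object).Count -gt 0) {
    throw "$MountDir is not empty; run 'dism /Cleanup-Wim' or unmount it first"
}

Invoke-Dism @('/Mount-Wim', "/WimFile:$Wim", '/Index:1', "/MountDir:$MountDir")
try {
    Invoke-Dism @("/Image:$MountDir", '/Add-Driver', "/Driver:$Drivers", '/Recurse')
    Invoke-Dism @("/Image:$MountDir", '/Set-InputLocale:' + $Locale)
    Invoke-Dism @("/Image:$MountDir", '/Set-SysLocale:'   + $Locale)
    Invoke-Dism @("/Image:$MountDir", '/Set-UserLocale:'  + $Locale)

    # Show what actually landed in the image before it is written back
    Invoke-Dism @("/Image:$MountDir", '/Get-Drivers')

    # Commit only when every change step succeeded
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
}
catch {
    Write-Warning "Servicing failed: $_"
    # Throw the partially modified image away; the WIM on disk stays as it was
    & dism.exe /Unmount-Wim /MountDir:$MountDir /Discard
    throw
}
finally {
    # Release any leftover mount bookkeeping, as the last step in the notes does
    & dism.exe /Cleanup-Wim
}
```

If a run dies without reaching the catch block (for example the console is closed mid-step), dism /Get-MountedWimInfo shows the orphaned mount and dism /Unmount-Wim /MountDir:<dir> /Discard clears it before trying again.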