When you open registry editor and connect to a remote system, the only hives you will see are HKEY_LOCAL_MACHINE and HKEY_USERS. The other two hives, HKEY_CLASSES_ROOT and HKEY_CURRENT_USER are there too, but are under the two visible hives. So for all purposes, I am only going to explain here how to access the once that are not openly evident.
HKEY_CLASSES_ROOT
This hive is located under HKEY_LOCAL_MACHINE\SOFTWARE\Classes
HKEY_CURRENT_USER
This hive is more tricky to find because you have to correlate what the SID is to the user. This can be done by going to HKEY_USERS and parsing through each SID. Ignore the SIDs that have only 4 sets of numbers (i.e. S-1-5-18). These are system accounts. The best way I found to parse through and find who the user is is to go to HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run. Under this key will be a list off applications that are set to run when the system is booted up. You can look at the data field and there will usually be a few apps that will say “c:\users\<username>”, which will give away who the user of that SID is.
There is another way and that would be to remotely run a WMI query to find out who the current user is and the SID for that user.
http://mickitblog.blogspot.be/2012/03/accessing-all-hives-from-remote.html
Leave a Reply