A colleague was trying to modify a user’s registry remotely – specifically a key in their HKey_Current_User (HKCU) hive. Whilst opening regedit and connecting to the remote system worked without issue, he could not see HKCU. The solution turned out to be fairly simple.
In Windows, each user gets a unique Security IDentifier, or SID. That SID stays the same even if you rename the account, and access control on files, network shares and so on is expressed in terms of SIDs rather than names (I’m simplifying here, of course). In a domain environment, Active Directory manages the user information.
Okay great! What does this have to do with our problem? A profile gets created on a machine when a user logs in for the first time. This profile contains the ntuser.dat file, which is loaded into the registry under HKey_Users and is named after the SID. When a user logs in, Windows uses the SID to know which HKey_Users hive (ntuser.dat) to map to HKey_Current_User. This contains the personalised registry configuration for that user’s login. In other words, HKey_Current_User is just a per-session view of HKey_Users\<SID>, which is why it doesn’t appear when you connect to another machine’s registry: to edit a remote user’s HKCU you edit the matching HKey_Users\<SID> key instead, and that key only exists while the hive is loaded (normally while that user is logged in).
The HKey_Users hive
Let’s take a look at the HKey_Users hive on my machine:
You’ll see that there are two long entries – one of which ends in _Classes. The SID is the same for these two – so that must be my SID. What about the other entries though? These are specific default Windows accounts, and you can find more information about them from Microsoft.
On a terminal server you might see a lot of entries under HKey_Users. How do we work out which SID is for a specific user?
It’s not as difficult as you might think. You can use the wmic useraccount command to get all the information you need!
Identifying a user’s SID from their username
For a local user, i.e. an account defined on the computer itself (either because the machine is not joined to a domain, or because the account is a local one rather than a domain one), you can use the following commands.
To list all the local users:
wmic useraccount get name, sid
What if you have a lot of users, you know the username, and just want to list that specific SID? A minor modification to the command, et voila!
wmic useraccount where name='AliceSmith' get name, sid
If you want to get the SID of the currently logged in user, you can use the whoami command with its /user switch:
You can, of course, also use wmic to get the information:
wmic useraccount where name='%USERNAME%' get sid
That’s great for local users, but what about a built-in account such as administrator, where the same name exists both on the machine and in the domain? Filtering on the domain column as well picks out the local one:
wmic useraccount where (name='administrator' and domain='%COMPUTERNAME%') get name, sid
If you want to get the domain administrator’s SID, you would replace %COMPUTERNAME% with either the domain name, or %USERDOMAIN%.
Who owns that SID?
It’s all well and good being able to look up a SID from a given username, but what about when you want to do the reverse – say you logged on to a machine but don’t know which users have logged in previously and left their profile in the registry and on disk. You can use wmic to once again save the day! You just adjust the “where” clause to match on the SID instead, and you can pull the data out.
wmic useraccount where sid='INSERT SID HERE' get name, sid
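Putting the two halves of the post together (the HKCU-to-HKU\<SID> mapping, and resolving SIDs back to names), here is an added PowerShell example that is not from the original post. It lists the hives loaded under HKEY_USERS on a local or remote machine with each SID resolved to an account, and then writes a value into a chosen user’s hive by addressing it as HKU\<SID>\<subkey>; the function names and the $ComputerName/$Sid/$SubKey parameters are my own, and the remote path assumes the Remote Registry service is running and you are an administrator on the target.

```powershell
# Added example, not code from the original post.
# Enumerate the hives loaded under HKEY_USERS and resolve each SID to an
# account name, so you can tell which HKU\<SID> subtree is "that user's HKCU".
function Get-LoadedUserHive {
    param([string]$ComputerName = $env:COMPUTERNAME)   # assumed parameter

    # HKU on another machine is reached through the remote registry API;
    # there is no HKCU to connect to, only the per-SID subkeys under HKU.
    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)

    foreach ($name in $hku.GetSubKeyNames()) {
        # *_Classes hives share the SID with the user hive; skip the duplicate.
        if ($name -like '*_Classes') { continue }
        $account = $null
        try {
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($name)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # .DEFAULT is not a SID, and orphaned SIDs (deleted accounts) do not
            # translate; leave Account empty rather than failing the whole listing.
        }
        [pscustomobject]@{
            Computer = $ComputerName
            SID      = $name
            Account  = $account
            Path     = "HKEY_USERS\$name"
        }
    }
    $hku.Close()
}

# Write a value into a user's HKCU on a remote machine via HKU\<SID>\<subkey>.
# Fails clearly if the hive is not loaded (user not logged in) or the key is missing.
function Set-RemoteUserValue {
    param([string]$ComputerName, [string]$Sid, [string]$SubKey,
          [string]$Name, $Value)
    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    $key = $hku.OpenSubKey("$Sid\$SubKey", $true)   # $true = open writable
    if (-not $key) {
        $hku.Close()
        throw "HKU\$Sid\$SubKey not found on $ComputerName (hive not loaded?)"
    }
    $key.SetValue($Name, $Value)
    $key.Close(); $hku.Close()
}

# Usage (names constructed for the example):
# Get-LoadedUserHive -ComputerName SERVER01 | Where-Object Account -like '*\AliceSmith'
# Set-RemoteUserValue SERVER01 'S-1-5-21-...' 'Software\Contoso' 'Setting' 1
```

The same SID-to-name translation works for the wmic output in this post, and since wmic is deprecated in current Windows releases, Get-CimInstance Win32_UserAccount is the drop-in replacement for the useraccount queries shown above.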
Of course there is more information you can pull out of these queries, but that’s best left to another post.