# Registry Keys


I'm trying to find this key on say 50 computers ..

\HKEY_USERS\S-1-5-21-3710774075-2757586091-1839342869-1190\Software\Microsoft\Internet Explorer\TypedURLs

The " S-1-5-21-3710774075-2757586091-1839342869-1190 " keeps changing on different pcs... can I regread with like an * or something like that ???/

##### Share on other sites

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

EDIT: This will pull from the locally loaded hive

Edited by danwilli

##### Share on other sites

> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
>
> EDIT: This will pull from the locally loaded hive

Thanks but it has to be --> S-1-5-21-3710774075-2757586091-1839342869-1190 <-- only the last 4 digits change it seems...

##### Share on other sites

why does it have to be "S-1-5-21-3710774075-2757586091-1839342869-1190" ???

What are you trying to do. The key I gave you allows read/write...

##### Share on other sites

the changes in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs will be reflected in

\HKEY_USERS\S-1-5-21-3710774075-2757586091-1839342869-1190\Software\Microsoft\Internet Explorer\TypedURLs

and the other way around too

EDIT: maybe I am misunderstanding

Edited by danwilli

##### Share on other sites

> the changes in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs will be reflected in
>
> \HKEY_USERS\S-1-5-21-3710774075-2757586091-1839342869-1190\Software\Microsoft\Internet Explorer\TypedURLs
>
> and the other way around too
>
> EDIT: maybe I am misunderstanding

OK I'm trying to read the \HKEY_USERS\S-1-5-21-3710774075-2757586091-1839342869-1190\Software\Microsoft\Internet Explorer\TypedURLs

key because I can't see the local one on a remote machine.. but when I try it on a different machine the path changes.. from \HKEY_USERS\S-1-5-21-3710774075-2757586091-1839342869-1190\Software\Microsoft\Internet Explorer\TypedURLs

to

\HKEY_USERS\S-1-5-21-3710774075-2757586091-1839342869-????\Software\Microsoft\Internet Explorer\TypedURLs

how can I get the last 4 digits ... without getting this key either S-1-5-21-3710774075-2757586091-1839342869-1274_Classes

it has the stupid _Classes at the end....

##### Share on other sites

hmm, I will look into it, but as of now I am no help... Sorry

##### Share on other sites

could you use question marks as the last 4 digits?

##### Share on other sites

the user number ID can be found here: HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

but still, if you have no access to HKEY_CURRENT_USER, it does you no good

##### Share on other sites

FYI, it's not always 4 digits

##### Share on other sites

> FYI, it's not always 4 digits

oh great .... This is going to suck... can I stringlen or something like that and remove _classes and go left to the beginning to get the string ???

##### Share on other sites

Isn't there a way to read * or search for everything in that line starting with ???

##### Share on other sites

From Help File:

It is possible to access remote registries by using a keyname in the form "\\computername\keyname". To use this feature you must have the correct access rights on NT/2000/XP/2003, or if you are using a 9x based OS the remote PC must have the remote registry service installed first (See Microsoft Knowledge Base Article - 141460).

##### Share on other sites

> I'm trying to find this key on say 50 computers ..
>
> \HKEY_USERS\S-1-5-21-3710774075-2757586091-1839342869-1190\Software\Microsoft\Internet Explorer\TypedURLs
>
> The " S-1-5-21-3710774075-2757586091-1839342869-1190 " keeps changing on different pcs... can I regread with like an * or something like that ???/

I had to do something similar to this a week ago but for Outlook keys. I'm sure this code is pretty drawn out and lengthy for what it does, but I am still learning and I did get it working. I hope this is remotely close to what you are looking for. Long live AutoIT

```autoit
; Walk the subkeys of HKEY_USERS looking for SIDs in the expected domain.
For $z = 1 To 100
    $Ivar = RegEnumKey("HKEY_USERS", $z)
    If @error <> 0 Then ExitLoop
    If StringLeft($Ivar, 41) = "S-1-5-21-484763869-1708537768-1177238915-" Then
        ; Everything after the 41-character prefix is the RID, whatever its length.
        $tempvar = StringTrimLeft($Ivar, 41)
        ; Digits only, so the "<SID>_Classes" keys are skipped.
        If StringIsDigit($tempvar) Then Call("Continue")
    EndIf
Next

; For the SID found above: enumerate every messaging profile, every subkey of
; each profile and every value in it, replacing "oldserver" with "newserver".
Func Continue()
    For $a = 1 To 100
        $var = RegEnumKey("HKEY_USERS\S-1-5-21-484763869-1708537768-1177238915-" & $tempvar & "\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES", $a)
        If @error <> 0 Then ExitLoop

        For $b = 1 To 100
            $var2 = RegEnumKey("HKEY_USERS\S-1-5-21-484763869-1708537768-1177238915-" & $tempvar & "\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES" & "\" & $var, $b)
            If @error <> 0 Then ExitLoop

            For $c = 1 To 100
                $var3 = RegEnumVal("HKEY_USERS\S-1-5-21-484763869-1708537768-1177238915-" & $tempvar & "\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\" & $var & "\" & $var2, $c)
                If @error <> 0 Then ExitLoop

                $var4 = RegRead("HKEY_USERS\S-1-5-21-484763869-1708537768-1177238915-" & $tempvar & "\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\" & $var & "\" & $var2 & "\", $var3)
                If StringInStr($var4, "oldserver") Then
                    $tempvar2 = StringReplace($var4, "oldserver", "newserver")

                    RegWrite("HKEY_USERS\S-1-5-21-484763869-1708537768-1177238915-" & $tempvar & "\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\" & $var & "\" & $var2, $var3, "REG_SZ", $tempvar2)
                EndIf
            Next
        Next
    Next
EndFunc
```

Edited by WhiteSpace

##### Share on other sites

I'm not the brightest bulb in the pack by far, but couldn't you use a RegEnum function that I've seen around here on the HKEY_USERS key, and just go through them all, and then use string compares to find the exact one you need if there's more? But yeah, RegEnumKey or something similar should be able to scan all Keys into an array that can be searched for the one you need, or just use them all in a loop to scan every key that may be right.

##### Share on other sites

Here is a program that I made to grab the SID of a local user on the computer. You could just as easily replace @Computername with the name of the computer you want to grab the information. Hope you find it helpful.

```autoit
#NoTrayIcon
;Create a Com error handler
$oMyError = ObjEvent("AutoIt.Error", "ErrorHandler")
$UsernameFound = False

; Accept "/USER=Username", optionally together with "/S" (silent).
If $CmdLine[0] = 0 Or $CmdLine[0] >= 3 Then
    MsgBox(16, "Usage", "Usage: " & @ScriptName & " /USER=Username" & @CRLF & _
            "Place the username on commandline which you want to get their SID")
ElseIf $CmdLine[0] = 1 Then
    If StringInStr(StringUpper($CmdLine[1]), "/USER=") Then
        FindSid()
    Else
        MsgBox(16, "Usage", "Usage: " & @ScriptName & " /USER=Username" & @CRLF & _
                "Place the username on commandline which you want to get their SID")
        Exit
    EndIf
ElseIf $CmdLine[0] = 2 Then
    If StringUpper($CmdLine[1]) = "/S" Or StringUpper($CmdLine[2]) = "/S" Or StringInStr(StringUpper($CmdLine[1]), "/USER=") Or StringInStr(StringUpper($CmdLine[2]), "/USER=") Then
        FindSid()
    EndIf
EndIf

Func FindSid()
    ; Take the user name from whichever argument contains "=".
    $Username = StringSplit($CmdLine[1], "=")
    If @error Then
        $Username = StringSplit($CmdLine[2], "=")
    EndIf

    ; Look for the user among the members of every local group.
    $objWMIService = ObjGet("winmgmts:\\" & @ComputerName & "\root\cimv2")
    $colAccount = $objWMIService.ExecQuery ("Select * FROM Win32_Group where LocalAccount = 'True'")
    For $objGroup In $colAccount
        $oGroup = ObjGet("WinNT://" & @ComputerName & "/" & $objGroup.Name)
        For $oUserGroup In $oGroup.Members
            If StringLower($oUserGroup.Name) = StringLower($Username[2]) Then
                $UsernameFound = True
            EndIf
        Next
    Next

    If $UsernameFound Then
        ; Resolve the SID through Win32_UserAccount and store it in the registry.
        $objWMIService = ObjGet("winmgmts:\\" & @ComputerName & "\root\cimv2")
        $colAccount = $objWMIService.ExecQuery ("Select Name,SID from Win32_UserAccount where name = '" & $Username[2] & "'")
        For $objAccount In $colAccount
            If $objAccount.Name = $Username[2] Then
                RegWrite("HKEY_LOCAL_MACHINE\Software\GFS\SID", $Username[2], "REG_SZ", $objAccount.SID)
                ExitLoop
            EndIf
        Next
        ;if registry key exists then export reg exists to registry
        $var = RegEnumKey("HKEY_USERS\" & $objAccount.SID, 1)
        If @error <> 0 Then
            RegWrite("HKEY_LOCAL_MACHINE\Software\GFS\SID", "RegExists", "REG_SZ", False)
            Exit
        Else
            RegWrite("HKEY_LOCAL_MACHINE\Software\GFS\SID", "RegExists", "REG_SZ", True)
        EndIf
    Else
        If Not StringInStr($CmdLineRaw, "/s") Then
            MsgBox(16, "Username not found", "The username " & $Username[2] & " was not found on the computer.")
        EndIf
    EndIf
EndFunc

; COM error handler: report the error unless running silently.
Func ErrorHandler()
    If Not StringInStr($CmdLineRaw, "/s") Then
        $HexNumber = Hex($oMyError.number, 8)
        MsgBox(16, "Error", "There was an error." & @CRLF & @CRLF & _
                "Error description is: " & @TAB & $oMyError.description & @CRLF & _
                "Error number is: " & @TAB & $HexNumber & @CRLF & _
                "Error scriptline is: " & @TAB & $oMyError.scriptline & @CRLF)
        Exit
    EndIf
EndFunc
```

Edited by wkain1

##### Share on other sites

When I've had to change certain settings for multiple profiles on a machine, I had to put together a script that loaded each userhive, made the changes, unloaded the hive. I could prolly find the script if you want to have a look and if it's relevant to what you want...?

##### Share on other sites

> When I've had to change certain settings for multiple profiles on a machine, I had to put together a script that loaded each userhive, made the changes, unloaded the hive. I could prolly find the script if you want to have a look and if it's relevant to what you want...?

This is freakin' crazy... Why can't there be something in reg read that you can put in ?/?

##### Share on other sites

Alas, Windows doesn't work that way. If a user is not logged on, their particular Hive is not loaded (saves memory and is more secure I guess). So if you want to make changes to their Hive, you need to load it first.

##### Share on other sites

It's rather simple really, as a security feature against remotely changing settings for the currently logged on user M$ obviously found it pertinent to disable access to the HKEY_CURRENT_USER branch of the registry remotely.

HOWEVER, if you access the HKEY_USERS branch of the registry remotely, followed by the key that is named after the SID of the currently logged on user, you can see and manipulate any items you wish. The answer lies in using a modified version of the code that wkain1 posted (have no time to modify it atm, but I can see how easy it would be) and the pseudo code goes something like this:

feed your script the PCname to get registry of

pass name onto the GetSID function, along with the name of the currently logged on user (there is a way to get this via WMI as well, will post VBS later if wanted)

Once the SID is returned, go ahead and access the following registry key:

That should pretty much cover it. I was looking at this as a way of disabling the proxy of a user on the fly to disable internet access, seeing as the users do not have access to enable / disable it via the tools menu in IE, however the noted flaw in the plan was that a user could simply logon and then back off, thus resetting the proxy via logon scripts.. still, an effective means of manipulating data, such as visited URLs in the way the OP wanted. I have been investigating many ways to develop the idea of having access to the users remote registry and this is worth looking into.

My major issue so far has been my lack of understanding of the way that Au3 operates with WMI calls, as I did not have a VBS and an Au3 script to compare. Now with the example that wkain1 has provided, I might make some headway in that department.

That about does it for my long winded rant, hope there was some useful info in that.

/tAK
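
The approach the thread converges on (enumerate HKEY_USERS on the remote machine, keep only the subkeys that are account SIDs, then read TypedURLs under each), as an added example that is not code from any poster. The host names are placeholders, and it assumes admin rights and a running Remote Registry service on each target; only the hives of currently logged-on users are loaded under HKEY_USERS, so other profiles will not appear.

```autoit
; Added example, not from the thread. Host names are placeholders.
Local $aHosts[2] = ["PC-EXAMPLE-01", "PC-EXAMPLE-02"]

For $sHost In $aHosts
    DumpTypedUrls($sHost)
Next

; Print host, SID, value name and URL for every TypedURLs entry
; of every user hive currently loaded on $sHost.
Func DumpTypedUrls($sHost)
    Local $sRoot = "\\" & $sHost & "\HKEY_USERS"
    Local $i = 0
    While 1
        $i += 1
        Local $sSid = RegEnumKey($sRoot, $i)
        If @error Then ExitLoop ; no more subkeys, host unreachable or access denied

        ; Keep only account SIDs: S-1-5-21-<three authority parts>-<RID of any length>.
        ; The end anchor rejects the "<SID>_Classes" hives; .DEFAULT and the
        ; built-in S-1-5-18/19/20 hives do not match either.
        If Not StringRegExp($sSid, "^S-1-5-21-\d+-\d+-\d+-\d+$") Then ContinueLoop

        Local $sKey = $sRoot & "\" & $sSid & "\Software\Microsoft\Internet Explorer\TypedURLs"
        Local $j = 0
        While 1
            $j += 1
            Local $sName = RegEnumVal($sKey, $j)
            If @error Then ExitLoop ; key absent for this user, or no more values
            ConsoleWrite($sHost & @TAB & $sSid & @TAB & $sName & @TAB & RegRead($sKey, $sName) & @CRLF)
        WEnd
    WEnd
EndFunc
```

Matching the SID shape with a pattern removes the need to hard-code the domain prefix or guess the RID length, which were the two sticking points earlier in the thread.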
