New and Improved: Dealing with HKEY_CURRENT_USER branch

(imported topic written by BenKus)

Hi everybody,

There has been a lot of activity in our other posts regarding HKEY_CURRENT_USER (HKCU) branches of the registry and how to query/change them so I thought I would start a new post thread with some updated info.

Here are some previous threads for reference:

http://forum.bigfix.com/viewtopic.php?id=11

http://forum.bigfix.com/viewtopic.php?id=1187

Quick recap:

The HKEY_CURRENT_USER branch of the registry is very tricky to query/set for two reasons: 1) there can be no users or multiple users logged on AND 2) the BigFix Agent runs as the SYSTEM account, so its HKCU key is not the same as the logged-in users'.

Here is a brief tutorial on how to query logged on users’ HKCU branch in BigFix:

Querying the HKCU registry

Here is a simple query of the logged on user(s) IE start pages:

values "Start Page" of keys "Software\Microsoft\Internet Explorer\Main" of current user keys (logged on users) of registry

Notes:

  • This will return “” if the value doesn’t exist or if the key doesn’t exist or if no users are logged on.
  • This should handle multiple users logged on by returning multiple results.
  • Works only in BigFix 7.0+ Agents
  • If you try this in the Fixlet Debugger, you will get an error “E: The expression could not be evaluated: Windows Error: A required privilege is not held by the client.”, this is normal because only the SYSTEM account can query another user’s registry (if you want to test, try running the Fixlet Debugger as the SYSTEM account: http://forum.bigfix.com/viewtopic.php?id=1098)

Here is a way to return all of the values from all users (logged on or not) from the registry:

values "Start Page" of keys "Software\Microsoft\Internet Explorer\Main" of keys of key "HKEY_USERS" of registry

Notes:

  • There might be a complication with the registry key hives not being loaded if the users haven’t logged in, but I am not sure about the exact details of how this works (maybe someone who knows will want to chime in?).

Changing the HKCU registry

Here is how to change the registry for the logged on user:

appendfile REGEDIT4
appendfile
appendfile [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
appendfile "Start Page"="http://www.google.com/"

copy __appendfile temp.reg

prefetch RunAsCurrentUser.exe sha1:a72371f4e968da7ead24f0f4e68c14b234ac94f6 size:184320 http://software.bigfix.com/download/bes/util/RunAsCurrentUser-2.0.exe
utility __Download\RunAsCurrentUser.exe

waithidden __Download\RunAsCurrentUser.exe regedit /s temp.reg

Notes:

  • Only works if a user is logged on.
  • If multiple users are logged on, the user logged in at the computer’s console will have their registry updated.

Hope that helps everyone,

Ben

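The HKEY_USERS query above only sees hives that are currently loaded, which is the complication the post is unsure about. The PowerShell below is an added example (not from the original post and not BigFix code) that lists every local profile from the ProfileList, reports whether its hive is loaded under HKEY_USERS, and reads the IE Start Page for the loaded ones; it is read-only and assumes it runs elevated.

```powershell
# Added example: read "Start Page" for every user whose hive is currently loaded,
# and report profiles whose hive is NOT loaded (they are invisible under HKEY_USERS
# until the user logs on). Read-only; run from an elevated prompt.
$valueName = 'Start Page'
$subKey    = 'Software\Microsoft\Internet Explorer\Main'

# Map every local profile SID to its profile path (HKLM is always available).
$profiles = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
    ForEach-Object {
        [PSCustomObject]@{
            Sid         = $_.PSChildName
            ProfilePath = (Get-ItemProperty $_.PSPath).ProfileImagePath
        }
    }

# HKEY_USERS is not a default PowerShell drive; map it once.
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

foreach ($p in $profiles) {
    $hivePath = "HKU:\$($p.Sid)"
    if (-not (Test-Path $hivePath)) {
        # Hive not loaded: user is not logged on, so "keys of key HKEY_USERS" cannot see it.
        [PSCustomObject]@{ Sid = $p.Sid; Profile = $p.ProfilePath; HiveLoaded = $false; StartPage = $null }
        continue
    }
    # Mirrors: values "Start Page" of keys "...\Main" of keys of key "HKEY_USERS" of registry
    $startPage = (Get-ItemProperty -Path "$hivePath\$subKey" -Name $valueName -ErrorAction SilentlyContinue).$valueName
    [PSCustomObject]@{ Sid = $p.Sid; Profile = $p.ProfilePath; HiveLoaded = $true; StartPage = $startPage }
}
```

Profiles reported with HiveLoaded = $false can only be inspected by loading their NTUSER.DAT with `reg load`, which is why the relevance query returns nothing for them.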

(imported comment written by Richard_Betts)

There is an easy way to write to the HKCU hive built into Windows. It's called "Active Setup".

Active Setup processes commands once for each user that logs onto the computer. This allows HKCU keys to be written, or in fact any other process to be run, for each user under the user's context. An example of using Active Setup is detailed below:

Create a new key (the name does not matter) under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

Create a string value under the new key called "StubPath".

In the value, enter the name of an executable you want to call when a user logs on to the computer, for example:

StubPath=c:\windows\notepad.exe

In real life this would be regedit, for example:

StubPath=c:\windows\system32\regedit.exe /s "path to reg file"

As each user logs onto the system, the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components branch of the registry will be read and any commands listed that have not been run previously will be executed. In XP the process is silent; on Vista you get a box detailing that it is setting up personal settings.

Some notes and gotchas:

• It only runs the commands under the current user context, so the user must have rights to do what you need. Don't try writing to HKLM if the users don't have rights.

• Once run it will copy the key to "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components". It will not run again unless deleted from each user's hive. This is how it is meant to work, but if you get something wrong you will need to delete the entry under HKLM and then create a new key with the correct command.

• If you get the command wrong you will see no error message and no log to say it failed, or at least I can’t find one.

• Make sure whatever you run is silent or the user will be presented with dialogs as normal, unless you want it to be that way.

• This is standard Microsoft stuff; it's how Office sets things up each time a new user logs on.

Hope it helps you deal more easily with HKCU areas of the registry.
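Since a wrong StubPath fails silently and the only record of success is the copy of the key in each user's hive, an audit that shows every StubPath and whether it has already run per user is the check worth having; it also doubles as a defender's review of what executes at each logon. The PowerShell below is an added example (not from the original post) and assumes an elevated prompt; where both sides carry a Version value it compares them as plain strings, a simplification of Windows' component-wise version comparison.

```powershell
# Added example: audit Active Setup. For each component under HKLM, show its StubPath
# and, for every loaded user hive, whether it has already run for that user (the HKLM
# key is copied into the user's hive after it runs, so its presence there means "done").
$asRel = 'SOFTWARE\Microsoft\Active Setup\Installed Components'

if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
# Loaded, real user hives only (skip service SIDs, .DEFAULT and *_Classes).
$userSids = Get-ChildItem HKU:\ |
    ForEach-Object { $_.PSChildName } |
    Where-Object { $_ -like 'S-1-5-21-*' -and $_ -notlike '*_Classes' }

Get-ChildItem "HKLM:\$asRel" | ForEach-Object {
    $id    = $_.PSChildName
    $props = Get-ItemProperty $_.PSPath
    if (-not $props.StubPath) { return }   # no command to execute for this component
    foreach ($sid in $userSids) {
        $userKey = "HKU:\$sid\$asRel\$id"
        $done = Test-Path $userKey
        # If the HKLM entry carries a Version, Active Setup re-runs it when that version
        # is newer than the user's copy; a mismatch is reported here as "not yet run".
        if ($done -and $props.Version) {
            $userVer = (Get-ItemProperty $userKey -ErrorAction SilentlyContinue).Version
            if ($userVer -ne $props.Version) { $done = $false }
        }
        [PSCustomObject]@{
            Component  = $id
            StubPath   = $props.StubPath
            UserSid    = $sid
            AlreadyRan = $done
        }
    }
}
```

On 64-bit Windows, repeat the HKLM enumeration for the Wow6432Node copy of the same key, since 32-bit components register there.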

(imported comment written by mleeser91)

The above post for the Active Setup keys worked great for me on Windows XP.

If you like to cut and paste note that the XP path to regedit is actually C:\Windows\regedit.exe

Thanks for the info!

(imported comment written by SystemAdmin)

Hello, I am having some trouble writing to HKCU. I tried the Active Setup method, but this does not work. Probably because of the Secure Desktop security software we run on our systems. This runs Windows under a different shell.

When I try the method in the top post my actions always get stuck at “Pending Downloads.” Anyone have any ideas?

(imported comment written by labuski91)

13roadway

Hello, I am having some trouble writing to HKCU. I tried the Active Setup method, but this does not work. Probably because of the Secure Desktop security software we run on our systems. This runs Windows under a different shell.

When I try the method in the top post my actions always get stuck at “Pending Downloads.” Anyone have any ideas?

Can the current users write to the registry in your environment? If not, the above will not work. See this thread; it has an example at the bottom.

(imported comment written by SystemAdmin)

Yes, the current user has rights to change the registry. It looks like the script does not start though. The status never changes from “Pending Download.”

(imported comment written by BenKus)

What error do you get? (Make sure you use the full url because the forum truncates it…)

Ben

(imported comment written by SystemAdmin)

Ben,

There are 3 versions of RunAsCurrentUser.exe that I can tell can be used…

prefetch RunAsCurrentUser.exe sha1:ee47505ebfb2790b9da8a20ed70e67158e9753d0 size:342528 http://software.bigfix.com/download/bes/util/RunAsCurrentUser-2.0.3.1.exe
prefetch RunAsCurrentUser.exe sha1:5512ef51a98dff1aa910a8189a0361c161fa703f size:212992 http://software.bigfix.com/download/bes/util/RunAsCurrentUser-2.0.2.exe
prefetch RunAsCurrentUser.exe sha1:9fd47b14aee681a6bad6579d30d6fb3fa4cc3ae3 size:131072 http://support.bigfix.com/download/bes/util/RunAsCurrentUser.exe

From a lot of testing today with a CMD prompt running as the local system, it seems that…

version 2.0.2 or 2.0.3.1:

  • Only works on Vista or Windows 7
  • Able to run cmd.exe

version 1.1.0.0 (the one downloaded as just RunAsCurrentuser.exe):

  • Only works on XP or Windows 2000
  • Doesn’t seem to be able to run cmd.exe

Could you guys check to see why the latest one doesn’t work with XP/2000? I also don’t know if v1.1.0.0 can even use the --q switch. Also it just means that I need to add additional action relevance to make sure the right version is used.

I’m also assuming we should forget about using 2.0.2 since 2.0.3.1 is there.

Also, for those new to RunAsCurrentUser, here’s the syntax of the switches:

RunAsCurrentUser.exe /?

or

RunAsCurrentUser.exe -?

Usage: RunAsCurrentUser.exe --w --q

--w: RunAsCurrentUser only returns after the program returns

--q: RunAsCurrentUser runs hidden

Paul

(imported comment written by JackCoates91)

Hey Paul,

Version 2.0.3.1 should not have issues running on different versions of Windows. There are a few subtleties that you might be running into; I’ve put a KB article update into the queue that should help clear things up (article 392, look for it in the next day or two). I’m not entirely sure what you’re seeing, but I used it on XP and Win7 systems today when writing the article update.

(imported comment written by SystemAdmin)

Hi Jack,

I tried a really simple test since I couldn’t get version 2.x to work on XP. I launched a cmd prompt as local system, using “psexec -i -s cmd.exe”. If I used 2.0.2 or 2.0.3.1 under XP, I couldn’t get anything to run at all. Using 1.1.0.0, anything launches fine.

Which explains why I could get “RunAsCurrentUser --w --q reg.exe IMPORT whatever.reg” working under Vista/Win7 via a BigFix action, but under XP it looks like it ran, however RunAsCurrentUser actually did nothing for me and my HKCU settings wouldn’t import.

That’s why I was questioning 2.x on anything below Vista.

Paul

(imported comment written by SystemAdmin)

(Posting this for the archives)

For more fun, check out my other thread on dealing with RunAsCurrentUser and HKCU:

http://forum.bigfix.com/viewtopic.php?id=6045

-Paul