Run as current User Vs. Run as logged on user

Hi,

I need to run some registry manipulations for keys under the HKCU hive, and I came across an issue.

These days, the fact that many users use RDP to connect to their office machines brings into focus the “Current user” (which is the console user) vs. “Logged on user” (which also includes RDP users).

So I created this fixlet to run:

action uses wow64 redirection false

delete __createfile
delete ZimRegFix.reg

createfile until @endregfile
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\DisabledItems]
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\DoNotDisableAddinList]
"Zignature"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\Zignature]
"LoadBehavior"=dword:00000003

@endregfile

move __createfile ZimRegFix.reg
prefetch RunAsCurrentUser.exe sha1:ee47505ebfb2790b9da8a20ed70e67158e9753d0 size:342528 http://software.bigfix.com/download/bes/util/RunAsCurrentUser-2.0.3.1.exe sha256:1a9b518c775e2a85a7c47801e9b8221df338a65ad8df326485e4cd2aea22fe52
utility __Download\RunAsCurrentUser.exe
waithidden "__Download\RunAsCurrentUser.exe" --w regedit /s "ZimRegFix.reg"

When I run this fixlet, the log exits with exit code -1:

Command succeeded (Exit Code=-1) waithidden "__Download\RunAsCurrentUser.exe" --w regedit /s "ZimRegFix.reg" (action:369489)

But the action is not actually done (no changes in the registry).

If I run the REG file directly from C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\CustomSite_Workstations\ZimRegFix.reg, the action executes successfully (registry keys changed).

The test computer has a “logged on user”, but no “current user”:

q: name of current user
E: Singular expression refers to nonexistent object.

q: names of logged on users
A: <name of RDP user>
T: 1.691 ms
I: plural string

So how can I run a REG key for the logged on user, as opposed to the current user?
My environment is still 9.5.8, if that matters.

Sorry for the long post :slight_smile:

@smalul

Check out the OVERRIDE command in action script and see if the RunAs command helps your scenario.

https://developer.bigfix.com/action-script/reference/execution/override.html

The difference between current user and logged on user is usually significant when the user is remoted into the system instead of at the physical keyboard.

You might want to manipulate the user hive using user key of logged on user, rather than go through RunAsCurrentUser/Override with HKEY_CURRENT_USER.

I’d definitely use the inspector to get the user you want and manipulate its hive directly rather than running as that user.

See https://developer.bigfix.com/relevance/reference/logged-on-user.html#user-key-of-logged-on-user-registry-key

Thank you all for your replies.
The reason I used RunAsCurrentUser is that I also need to delete a complete reg KEY and not just values (as I said, I am still at 9.5.8, and RegKeyDelete only applies to 9.5.13 and up). I do usually try to avoid using RunAsCurrentUser.
My task works for CurrentUser, but the combination of deleting a reg key and running as the logged on user when the user is in RDP still poses a challenge.

When you call reg delete or regedit, you can still use user key of logged on user to specify the target without RunAsCurrentUser or Override.

Thanks for your replies.
I ended up using @akira’s suggestion and did something like this:

waithidden reg.exe delete {user key of logged on user}\Software\Microsoft\...

This worked.
Thanks!

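The approach the thread settled on, written out for all three keys from the original .reg file as an added example (BigFix action script, not code posted by any participant). It assumes the `{user key of logged on user}` substitution expands to the user's `HKEY_USERS\<SID>` path, as in the reply above; the single-user guard, the existence check and the `/f` switches are additions of this example.

```actionscript
// Added example. Runs in the client's default SYSTEM context and writes to the
// logged-on user's hive directly, so RunAsCurrentUser and override are not needed.
action uses wow64 redirection false

// Assumption of this example: proceed only when exactly one user is logged on.
// The singular "user key of logged on user" errors with zero users and with several.
continue if {number of logged on users = 1}

// reg.exe delete returns a non-zero exit code when the key is absent,
// so call it only if the key exists, then check the result.
if {exists key "Software\Microsoft\Office\16.0\Outlook\Resiliency\DisabledItems" of user key of logged on user}
    waithidden reg.exe delete "{user key of logged on user}\Software\Microsoft\Office\16.0\Outlook\Resiliency\DisabledItems" /f
    continue if {exit code of action = 0}
endif

// Same values as the original ZimRegFix.reg, targeted at HKEY_USERS\<SID>
// instead of HKEY_CURRENT_USER. reg.exe add creates missing keys.
waithidden reg.exe add "{user key of logged on user}\Software\Microsoft\Office\16.0\Outlook\Resiliency\DoNotDisableAddinList" /v Zignature /t REG_DWORD /d 1 /f
continue if {exit code of action = 0}

waithidden reg.exe add "{user key of logged on user}\Software\Microsoft\Office\Outlook\Addins\Zignature" /v LoadBehavior /t REG_DWORD /d 3 /f
continue if {exit code of action = 0}
```

Checking `exit code of action` after each call makes a failed write fail the action, unlike the original run, which was reported as succeeded with exit code -1 while the registry was unchanged.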