From: Ketchup on
First, I apologize if I am posting this in the wrong newsgroup. I searched
for a while and couldn't figure out where this goes.

I am trying to figure out if I can open a registry storage file and read
data from it. The files that I specifically need to open are the ones for
users that are not currently logged on, the NTUSER.DAT files. I am
assuming that the procedure would be similar for SYSTEM and SOFTWARE. I
have been reading the win32 documentation on the Registry and can't quite
figure out how to do this. RegLoadAppKey function appears to be able to
load entire hives, but the documentation says that the keys cannot be
enumerated. How do I load an entire hive into memory and retrieve values
from it?

thanks!


From: Pavel A. on
Ketchup wrote:
> First, I apologize if I am posting this in the wrong newsgroup. I searched
> for a while and couldn't figure out where this goes.
>
> I am trying to figure out if I can open a registry storage file and read
> data from it. The files that I specifically need to open are the ones for
> users that are not currently logged on, the NTUSER.DAT files. I am
> assuming that the procedure would be similar for SYSTEM and SOFTWARE. I
> have been reading the win32 documentation on the Registry and can't quite
> figure out how to do this. RegLoadAppKey function appears to be able to
> load entire hives, but the documentation says that the keys cannot be
> enumerated. How do I load an entire hive into memory and retrieve values
> from it?
>

Use RegLoadKey. RegLoadAppKey requires Vista or Win2008.

--PA
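Pavel's suggestion worked through as an added PowerShell example (not code from the thread): reg.exe load wraps RegLoadKey and mounts the offline NTUSER.DAT as a temporary subkey of HKEY_USERS, after which the ordinary registry calls, here via PowerShell's Registry provider, can enumerate its keys and values. It must run from an elevated prompt, because RegLoadKey requires SeBackupPrivilege and SeRestorePrivilege, and the hive's owner must be logged off, since a profile hive in use is held open exclusively. The hive path, mount name and subkey are placeholders.

```powershell
function Read-OfflineUserHive {
    <#
      Added example, not from the thread. Loads an offline NTUSER.DAT under
      HKEY_USERS, enumerates the values of one subkey, then unloads the hive.
      Assumptions: elevated session; the owning user is not logged on.
    #>
    param(
        [Parameter(Mandatory)] [string] $HiveFile,     # placeholder: C:\Users\<user>\NTUSER.DAT
        [string] $MountName = 'OfflineHive',           # temporary name under HKU
        [string] $SubKey    = 'Software\Microsoft\Windows\CurrentVersion\Run'
    )

    if (-not (Test-Path -LiteralPath $HiveFile)) {
        throw "Hive file not found: $HiveFile"
    }

    # reg.exe load calls RegLoadKey; the hive then appears as HKU\<MountName>.
    & reg.exe load "HKU\$MountName" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg load failed: not elevated, or the hive is in use (user logged on)?"
    }

    $key = $null
    try {
        $path = "Registry::HKEY_USERS\$MountName\$SubKey"
        if (Test-Path -LiteralPath $path) {
            $key = Get-Item -LiteralPath $path
            # Enumerate every value under the subkey with its type and data.
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Name = $name
                    Kind = $key.GetValueKind($name)
                    Data = $key.GetValue($name)
                }
            }
        }
    }
    finally {
        # Every handle into the hive must be closed, or reg unload fails
        # with "access denied" and the hive stays mounted.
        if ($key) { $key.Close() }
        [GC]::Collect()
        [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$MountName" | Out-Null
    }
}

# Usage (placeholder path):
# Read-OfflineUserHive -HiveFile 'C:\Users\someuser\NTUSER.DAT' | Format-Table -AutoSize
```

The unload step in the finally block is the part people forget: a hive left mounted under HKU keeps the user's NTUSER.DAT locked, so that user cannot log on until it is unloaded or the machine restarts.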
From: Alan Carre on
"Ketchup" <ketchup(a)ketchup.com> wrote in message
news:ObAswEhXJHA.868(a)TK2MSFTNGP06.phx.gbl...
> First, I apologize if I am posting this in the wrong newsgroup. I
> searched for a while and couldn't figure out where this goes.
>
> I am trying to figure out if I can open a registry storage file and read
> data from it. The files that I specifically need to open are the ones for
> users that are not currently logged on, the NTUSER.DAT files. I am
> assuming that the procedure would be similar for SYSTEM and SOFTWARE. I
> have been reading the win32 documentation on the Registry and can't quite
> figure out how to do this. RegLoadAppKey function appears to be able to
> load entire hives, but the documentation says that the keys cannot be
> enumerated. How do I load an entire hive into memory and retrieve values
> from it?
>
> thanks!

If that's all you plan to do (I mean open NTUSER.DAT for various users) then
you could launch your app "as that user" and then use the regular registry
functions (RegOpenKeyEx, RegQueryValueEx and so on). If you want to do this
on-the-fly then I think you can "impersonate" another user with functions
like SetThreadToken et al (see Access Control functions). Once you've
managed to impersonate another user, I believe the registry functions will
retrieve data from the impersonated user's NTUSER.DAT file.

You can always re-launch your program as another user at the command line
using "runas" or programmatically using CreateProcessAsUser. As administrator
I think you can bypass the password requirement (after all, you can change a
user's password if you're logged on as admin).

That would be my guess anyway...

- Alan Carre

BTW. If you want to enumerate all users for a specific machine just take
your own SID and start walking from user # 500 upwards (500 ==
administrator) to about 2000 and check for user existence of those SIDs. By
"user #" I mean the last entry in the SID, for instance on my machine
Administrator has

SID = S-1-5-21-1957994488-859874398-725244543-500

or something like that. The preceding digits are the same for all users.



From: Tommy on
Ketchup wrote:
> First, I apologize if I am posting this in the wrong newsgroup. I searched
> for a while and couldn't figure out where this goes.
>
> I am trying to figure out if I can open a registry storage file and read
> data from it. The files that I specifically need to open are the ones for
> users that are not currently logged on, the NTUSER.DAT files. I am
> assuming that the procedure would be similar for SYSTEM and SOFTWARE. I
> have been reading the win32 documentation on the Registry and can't quite
> figure out how to do this. RegLoadAppKey function appears to be able to
> load entire hives, but the documentation says that the keys cannot be
> enumerated. How do I load an entire hive into memory and retrieve values
> from it?

I was just able to do it from an embedded XP boot CD with this
application:

http://regeditpe.sourceforge.net/

This comes with source code, but it asked too many questions, which
hive, what users, etc, and there was a 2nd editor which was quick to
load (I don't remember off hand the name). However, I see now from the
web page, the one I had was a 2006 version and the new one at the
above web site is a 2007 version and from the instructions, no
QUESTIONS are asked, it just loads like the other one I was using.

Of course, this is offline when the OS is locking the files. But
maybe you can see from the source code what it is doing.

--
From: m on
This is a very bad idea!

Changing passwords to read from some unloaded registry hive would be a
'feature' of your software that no user would enjoy.

Inferring users from SID layout is utter stupidity when there are documented
APIs that will give you exact information without hacking the undocumented
and subject-to-change SID format - look at NetUserEnum in MSDN.



"Alan Carre" <alan(a)twilightgames.com> wrote in message
news:uycnpZiXJHA.2440(a)TK2MSFTNGP06.phx.gbl...
> "Ketchup" <ketchup(a)ketchup.com> wrote in message
> news:ObAswEhXJHA.868(a)TK2MSFTNGP06.phx.gbl...
>> First, I apologize if I am posting this in the wrong newsgroup. I
>> searched for a while and couldn't figure out where this goes.
>>
>> I am trying to figure out if I can open a registry storage file and read
>> data from it. The files that I specifically need to open are the ones
>> for users that are not currently logged on, the NTUSER.DAT files. I am
>> assuming that the procedure would be similar for SYSTEM and SOFTWARE. I
>> have been reading the win32 documentation on the Registry and can't quite
>> figure out how to do this. RegLoadAppKey function appears to be able to
>> load entire hives, but the documentation says that the keys cannot be
>> enumerated. How do I load an entire hive into memory and retrieve
>> values from it?
>>
>> thanks!
>
> If that's all you plan to do (I mean open NTUSER.DAT for various users)
> then you could launch your app "as that user" and then use the regular
> registry functions (RegOpenKeyEx, RegQueryValueEx and so on). If you want
> to do this on-the-fly then I think you can "impersonate" another user with
> functions like SetThreadToken et al (see Access Control functions). Once
> you've managed to impersonate another user, I believe the registry
> functions will retrieve data from the impersonated user's NTUSER.DAT file.
>
> You can always re-launch your program as another user at the command line
> using "runas" or programmatically using CreateProcessAsUser. As
> administrator I think you can bypass the password requirement (after all,
> you can change a user's password if you're logged on as admin).
>
> That would be my guess anyway...
>
> - Alan Carre
>
> BTW. If you want to enumerate all users for a specific machine just take
> your own SID and start walking from user # 500 upwards (500 ==
> administrator) to about 2000 and check for user existence of those SIDs.
> By "user #" I mean the last entry in the SID, for instance on my machine
> Administrator has
>
> SID = S-1-5-21-1957994488-859874398-725244543-500
>
> or something like that. The preceding digits are the same for all users.
>
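The documented route m is pointing at, as an added PowerShell example (not code from the thread): list local accounts and their SIDs through Windows' account-management interfaces (Get-LocalUser where available, the WinNT ADSI provider on older systems) instead of guessing RIDs from 500 upward, and then resolve each SID to its profile directory through the ProfileList key, which is where the NTUSER.DAT the original poster wants actually lives. Machine name and output layout are whatever the local system provides; nothing here is specific to the thread's machine.

```powershell
function Get-LocalAccountProfile {
    <#
      Added example, not from the thread. Enumerates local accounts via
      documented interfaces and maps each SID to its profile path.
      RIDs are not guessed: accounts can be deleted, renamed, or created
      with gaps, so walking 500..2000 misses or misattributes entries.
    #>
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    # Collect Name/SID/Enabled from whichever documented interface exists.
    $accounts = if (Get-Command -Name Get-LocalUser -ErrorAction SilentlyContinue) {
        # Windows 10 / Server 2016 and later
        foreach ($u in Get-LocalUser) {
            [pscustomobject]@{ Name = $u.Name; Sid = $u.SID.Value; Enabled = $u.Enabled }
        }
    }
    else {
        # Older systems: WinNT ADSI provider over the local account database
        $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
        foreach ($child in $computer.Children) {
            if ($child.SchemaClassName -ne 'user') { continue }
            $sidBytes = $child.InvokeGet('objectSid')
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
            [pscustomobject]@{
                Name    = [string]$child.Name
                Sid     = $sid.Value
                Enabled = -not ([int]$child.UserFlags.Value -band 2)   # 2 = ADS_UF_ACCOUNTDISABLE
            }
        }
    }

    foreach ($a in $accounts) {
        # ProfileList\<SID>\ProfileImagePath is the documented link from a SID
        # to its profile folder; accounts that never logged on have no entry.
        $profilePath = $null
        $entry = Join-Path $profileList $a.Sid
        if (Test-Path -LiteralPath $entry) {
            $profilePath = (Get-ItemProperty -LiteralPath $entry).ProfileImagePath
        }
        [pscustomobject]@{
            Name        = $a.Name
            Sid         = $a.Sid
            Enabled     = $a.Enabled
            ProfilePath = $profilePath
            HiveFile    = if ($profilePath) { Join-Path $profilePath 'NTUSER.DAT' } else { $null }
        }
    }
}

# Usage: accounts with a profile on disk are the ones whose NTUSER.DAT can be loaded offline
Get-LocalAccountProfile | Sort-Object Sid | Format-Table -AutoSize
```

Reading the profile list this way also answers the original question's "which file" half: the SID from the account enumeration is the key name under ProfileList, so there is no need to derive anything from the RID.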