Who's who in the registry?

[Idontwantspam]

When using the registry key HKEY_USER\..., how do you know which user is which? Is there anywhere where you can find out who the heck ?-?-?-?? is? Because if I'm going to make changes to a user, I want to make those changes to the right user. I don't want to stop ME from changing my password or using CMD.exe, but I sure want to change my little, irresponsible brother's rights to those sorts of things!

So the big question is: WHO IS WHO IN THE REGISTRY??

[mau-yong]

the S-1-5-21-xxxxxxxxxx-xxxxxxxx-xxxxxxxxxx-500 is "The Administrator".

other users are S-1-5-21-xxxxxxxxxx-xxxxxxxx-xxxxxxxxxx-1000, -1001, -1002, etc.

[Idontwantspam]

other users are S-1-5-21-xxxxxxxxxx-xxxxxxxx-xxxxxxxxxx-1000, -1001, -1002, etc.

Thanks, but how do I know which user is 1000, which is 1001, etc? I suppose I could just go and logon as those users and use the HKEY_CURRENT_USER, make a change, then go back to the HKEY_USER and see which one it is, but I was hoping there was an easier way.

[mau-yong]

Use USER2SID:

C:\WINDOWS\system32\user2sid johndoe

S-1-5-21-1768365203-848856506-3795044739-1006

Number of subauthorities is 5

Domain is THISDOMAIN

Length of SID in memory is 28 bytes

Type of SID is SidTypeUser

...and while logged on to your brother's account you might want to use DisableRegistryTools to disable execution of Regedt32.exe and Regedit.exe for him not to use the registry (evil ).

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"DisableRegistryTools"=dword:00000001

Be sure to have an HKCU "enable" .reg in place just in case of emergency.

Edited March 21, 2007 by mau-yong

[Idontwantspam]

:angrym: :angrym:

Well, I went and did the user2sid.exe thing, and that worked fine. However, it seems that whenever I open regedit - as an Admin, User, even THE Administrator, I only see one, two at the most SIDs shown, usually the one belonging to the logged on user, and sometimes one or two others. I'm not sure why... It's really bizarre. It happens regardless of which user it is, even in Safe Mode. I know there are ways (I think?) to edit the registry via the command prompt, but I don't really feel comfortable doing that, at least not without more information. Any clue why this happens? When I get a chance, I will try it on some other machines. Right now, I'm using:

Dell Inspiron e1505

Intel Core Duo

1 Gb RAM

Windows XP Media Center 2005, SP2

All updates, etc. applied

No, it's not pirated.

Help me someone, please!

[maxXPsoft]

S-1-5-19 LocalService

S-1-5-20 NetworkService

Most the time you will see yourself also along with your Classes key. I forget the others and don't load them by default in my program but a bunch of stuff needed.

Thats not really the spot where most reg tweaks are performed or done. HKEY_USERS is a Temporary key sort of. Each time you login it loads your NTUSER.DAT. On a safe shutdown it will save that data and next logon it will be to your HKEY_CURRENT_USER key. If you look real close HKEY_CURRENT_USER and HKEY_USERS\your sid will match kinda close.

You can load his Hive in XP and edit it from your profile but you must unload it afterwards. Learn a lot more before you attempt that though.

[Idontwantspam]

All I want to do is edit the registry settings for some users but not all users. Yeah, I could go in as them and use HKCU, but I'd rather be able to do it all from one (administrator) account and not have to get them to give me their passwords or reset them. I'm looking at the standard Windows registry editor, regedit.exe. Under HKCU, I see pretty much the same thing I see under HKU\my sid. I am running regedit as an Admin from my regular User account. I see my SID and the Admin SID. No one else. So what exactly is the HKU key? I guess I thought it had settings for all the users, but now I'm confused. Seems maybe the best thing is to just use HKCU from now on. Is there any way to edit the registry for ANY user on the computer? I'm so confused.

[Idontwantspam]

UPDATE:

OK, here's the deal, as I just read on Microsoft TechNet:

The HKEY_USERS subtree contains all actively loaded user profiles. HKEY_USERS has at least three keys:

• .DEFAULT, which stores the profile used when no users are logged on to the computer (such as when the CTRL+ALT+DELETE logon prompt is displayed).
  
• A subkey named for the Security Identifier (SID) of the current local user. This subkey contains the current user's profile. If the user is logged on remotely, the data for the user's profile is stored in the registry of the user's local computer. The data in HKEY_USERS\ SID also appears in HKEY_CURRENT_USER.
  
• A subkey named for the Security Identifier (SID) of the current local user with the _Classes suffix. This subkey contains the current user's Classes. The data in HKEY_USERS\ SID \_Classes is also contained in HKEY_CLASSES_ROOT.
  

So, the reason some are there only some of the time depends on if their profile is loaded. Which explains it, since I often run some tasks as one user and some as another user, and all the while logged on as me the user. So now the question is, how do I change the registry settings for users that aren't active at the moment without logging in as them? Is there any way? Or maybe are there any alternative registry editors I can use that let me do this? I would appreciate any help.

[Yzöwl]

Since it has not yet been mentioned, what you should be doing is loading the individual users hives, (NTUSER.DAT), and editing them directly.

[Idontwantspam]

Since it has not yet been mentioned, what you should be doing is loading the individual users hives, (NTUSER.DAT), and editing them directly.

How?

[Yzöwl]

Will this help?

[Idontwantspam]

Will this help?

Yes, thank you.

[trickytwista]

Will this help?

nice one.

[Idontwantspam]

So now I have another question. Where would the registry information for groups be? As in settings for all the Users, all the Administrators, all the Guests, etc. Any idea? I know they have SIDs, because when I use the user2sid.exe tool and put in Administrators, it gives me an SID, and when I put in Users, Guests, Power Users, etc, I get SIDs for those, too. Oh, and can I make changes to the default user by editing the NTUSER.DAT file in C:/Documents and Settings/Default User? I would assume so, though I probably don't want to mess with that anyways.

[Yzöwl]

There probably aren't any!

What are you trying to do?

Have you heard of Group Policies, Administrative Templates, Access Control, Security Permissions and even Set Program Access and Defaults.