
Hi everyone, I am lost...

I have admin rights.

I want to modify a registry key under HKEY_CURRENT_USER\Software.... on a remote PC where another user is logged in.

I don't want to use PowerShell because we don't have remote registry enabled.

I am stuck with cmd.

Therefore I use PsExec.

If I want to change something in the global HKLM, it's pretty easy:

psexec \\COMPUTERNAME reg add HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\...... /t REG_DWORD

Since I call psexec as admin, it allows me to change anything in HKLM on the remote machine.

But when I need to change something in HKCU I need the SID of the user to plug it into HKEY_USERS\SID\SOFTWARE\, and that's where I hit a wall...

I tried something like this (it didn't work, the syntax is probably all wrong):

psexec \\COMPUTERNAME for /F "skip=1 tokens=1" %%i in ('query user') do set varusername=%%i

This was supposed to get the remote logged-on user's name into the variable 'varusername', to later use it to get the SID,

something like this (again the syntax is probably wrong):

psexec \\COMPUTERNAME wmic useraccount where name='%varusername%' get sid

This completely blew up, since wmic on the remote computer, when executed as admin (via psexec), doesn't see the same users as query user...

Here is the output of the respective commands.

query user gives me the logged-on user name 'johndoe':

USERNAME   SESSIONNAME   ID  STATE   IDLE TIME  LOGON TIME
johndoe    console       1   Active  none       9/10/2018 5:27

wmic useraccount get name, sid does not see 'johndoe' at all:

Name            SID
DefaultAccount  S-1-5-21-3285310242-2953612481-1302521585-503
defaultuser0    S-1-5-21-3285310242-2953612481-1302521585-1002
LocalAdmin      S-1-5-21-3285310242-2953612481-1302521585-500
Guest           S-1-5-21-3285310242-2953612481-1302521585-501

So, as you can see, I hit a wall.

query user gives me the logged-on user on the remote PC, "johndoe", but I have no way to get the SID of "johndoe" using wmic useraccount to plug it into:

psexec \\COMPUTERNAME reg add HKEY_USERS\SID\SOFTWARE\Microsoft\...... /t REG_DWORD

Any ideas how to get around this?

I just need to edit HKCU on the remote PC for the currently logged-on user, without using PowerShell.

4 Answers

Firstly, if you have access to PowerShell, you may be able to use it to get the SID, to then run PsExec on your machine. Try running:

Get-AdUser USERNAME -Properties SID | Select name,Sid

in PowerShell, replacing USERNAME with the username of the person you're trying to edit.

This should get the SID from Active Directory, as local commands such as WMIC will not get what you are looking for.

Once you have the SID, you can whack it in your PsExec command and let loose the angels of hell.

I mention using PowerShell because, even without remote registry enabled, you should be able to run this command as a System Administrator. If not, you can also just go into Active Directory.

In cmd you can get the SID with PsGetSid.

I'm trying the same process as admin.

I suppose your target PC works in an AD infrastructure.

This example demonstrates 3 main steps:

  • search for the logged-on user - WMIC path Win32_LogonSession
  • get the user's domain and login name - WMIC path Win32_LoggedonUser
  • finally search for the user's SID - WMIC path Win32_UserAccount

P.S. If you plan to work with multiple users on a terminal server, make a subroutine to work with many LogonId values - the %Id% variable.

P.P.S. This example searches for two types of logged-on users: Network (3) or RemoteInteractive (10), the LogonType value in the first line.

rem Step 1: LogonId of the last Network or RemoteInteractive session; findstr drops WMIC's blank lines.
FOR /f "skip=1" %%i in ('WMIC path Win32_LogonSession where "LogonType=3 or LogonType=10" get LogonId ^|  findstr /r /v "^$" ') DO SET "Id=%%i"

rem Step 2: Antecedent looks like \\HOST\root\cimv2:Win32_Account.Domain="DOM",Name="user"; split it into domain and user.
FOR /f "usebackq skip=1 tokens=2,3 delims== " %%a in (`WMIC path Win32_LoggedonUser where " Dependent = '\\\\.\\root\\cimv2:Win32_LogonSession.LogonId="%Id%"' " get Antecedent`) DO SET "User=%%a%%b"
FOR /f tokens^=1-3^ delims^=^" %%a in ("%User%") do SET "domain=%%a" & set "User=%%c"

rem Step 3: SID of that domain\user from Win32_UserAccount.
FOR /f "usebackq skip=1 " %%a in (`WMIC path Win32_UserAccount where " name='%user%' and domain='%Domain%' " get sid ^|  findstr /r /v "^$" `) DO SET "sid=%%a"

@echo %sid%

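As an added example (not from any of the answers above), a cmd-only batch script that maps a logged-on user name to the SID by a different lookup than the WMIC chain: every interactively logged-on user has a hive loaded under HKEY_USERS, and logon writes the USERNAME value into that hive's Volatile Environment key, so no WMIC or AD query is needed. It assumes it is copied to the target and run there as an administrator (for example psexec \\COMPUTERNAME -c getsid.cmd johndoe); getsid.cmd and the key ExampleVendor\ExampleApp are placeholders.

```batch
@echo off
setlocal
rem Added example: run ON the target PC as an administrator.
rem Walks the user hives loaded under HKEY_USERS and reads the USERNAME
rem value logon writes into each hive's "Volatile Environment" key.
if "%~1"=="" (
  echo usage: %~nx0 USERNAME
  exit /b 1
)
set "wanted=%~1"
set "sid="
rem Loaded hives look like HKEY_USERS\S-1-5-21-...-1001. Skip the _Classes
rem twins and the built-in S-1-5-18/19/20 hives, which carry no user profile.
rem The inner query prints "    USERNAME    REG_SZ    johndoe", so with
rem tokens=2* %%u is REG_SZ and %%v is the user name.
for /f "delims=" %%k in ('reg query HKU ^| findstr /i "S-1-5-21-" ^| findstr /v /i "_Classes"') do (
  for /f "tokens=2*" %%u in ('reg query "%%k\Volatile Environment" /v USERNAME 2^>nul ^| findstr /i "USERNAME"') do (
    if /i "%%v"=="%wanted%" set "sid=%%~nxk"
  )
)
if not defined sid (
  echo no loaded profile hive found for %wanted%
  exit /b 2
)
echo %wanted% = %sid%
rem Plug the SID in where the question used HKCU. ExampleVendor\ExampleApp
rem and ExampleSetting are placeholders; replace them with the real key and value.
reg add "HKEY_USERS\%sid%\SOFTWARE\ExampleVendor\ExampleApp" /v ExampleSetting /t REG_DWORD /d 1 /f
endlocal
```

Because the hive is already loaded for a logged-on user, this edit lands in the live HKCU of that session; for a user who is not logged on, the hive is not under HKEY_USERS and the reg load approach from the last answer applies instead.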

You can use:

Reg load HKCU\UserTemp c:\users\<username>\NTUSER.DAT

And:

Reg unload HKCU\UserTemp
