I thought the key names immediately below HKEY_USERS were supposed to be the usernames of whoever logged in at this machine at some time. But on my machine what appears is:

S-1-5-18
S-1-5-19
S-1-5-20
S-1-5-21-NNNNNNNNN-NNNNNNNNN-NNNNNNNNNN-NNNNN
S-1-5-21-NNNNNNNNN-NNNNNNNNN-NNNNNNNNNN-NNNNN_Classes

I'd like to be able to determine which subtree corresponds to which user. How can I do that?

Edit: What I need is to get the usernames from the SIDs. I want to inspect the configurations of each user that has ever logged on, and I need to know their names. For example, in the registry above, I need to be able to, based on the string "S-1-5-21-NNNNNNNNN-NNNNNNNNN-NNNNNNNNNN-NNNNN", find out that it corresponds to DOMAIN\somebody, or LOCALMACHINENAME\somebodyelse.

+1  A: 

I believe those numbers are the user's security ID (SID). You can use SysInternals to get the SIDs of users:

http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

steamer25
I need the opposite -- get the usernames from the SIDs. I want to inspect the configurations of each user that has ever logged on, and I need to know their names.
JCCyC
A: 

HKLM\System\CurrentControlSet\Control\hivelist will show you where the hives are mounted from. While not a direct mapping, usually the mount point has the user name in the path.

I'm sure there is a better answer than this though...

Cooper
A: 

When doing it manually (without extra tools), the easiest way is to open permissions for that key. The only user who has full permissions is the owner of the key.

When doing it from a program, you will need a way to convert SIDs to account names. In C# (or PowerShell), have a look at the SecurityIdentifier and NTAccount classes for that.

mihi
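
The SecurityIdentifier/NTAccount translation mentioned in the answer above, combined with the hivelist key from the previous answer, as an added PowerShell example that is not part of the original thread. The output property names and the `<unresolved>` marker are choices made for this example.

```powershell
# Added example: map each SID-named subkey of HKEY_USERS to an account name.

# Matches S-1-5-18 and S-1-5-21-...; skips .DEFAULT and the *_Classes hives.
$sidPattern = '^S-1-\d+(-\d+)+$'

# Hive mount list: value names look like \REGISTRY\USER\<SID>,
# value data is the device path of the backing hive file.
$hiveList = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'

Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match $sidPattern } |
    ForEach-Object {
        $sidText = $_.PSChildName
        try {
            # SID string -> DOMAIN\user or MACHINE\user
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Translation fails for deleted accounts, or for domain SIDs
            # when no domain controller can be reached.
            $account = '<unresolved>'
        }
        [pscustomobject]@{
            SID      = $sidText
            Account  = $account
            # The hive path usually contains the profile folder name, which
            # helps identify accounts that no longer translate.
            HiveFile = $hiveList."\REGISTRY\USER\$sidText"
        }
    }
```

HKEY_USERS only contains hives that are currently loaded, so this lists the profiles loaded at the moment it runs rather than every account that has ever logged on.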
+2  A: 

Check out the answer to this question :)

Andy Mikula
That did it. Thanks!
JCCyC
A: 

In C# there appears to be an answer to translating username to SID here http://community.bartdesmet.net/blogs/bart/archive/2006/09/08/4394.aspx but it's only for local PCs.

For AD I converted it to:

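using System;
using System.DirectoryServices;
using System.Security.Principal;

class Program {
    static void Main(string[] args) {
        // args[0]: directory to bind to, args[1]: account name used for the bind
        string path = "LDAP://" + args[0];
        // Bind with Secure authentication; no password is supplied
        DirectoryEntry root = new DirectoryEntry(path, args[1], null, AuthenticationTypes.Secure);
        // objectSID of the bound entry is a binary SID; convert it to its S-1-... string form
        string sid = new SecurityIdentifier((byte[])root.Properties["objectSID"][0], 0).Value;
        Console.WriteLine(sid);
    }
}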

The usage is: programname.exe DOMAIN username

e.g. programname.exe somecompany.com preet_sangha

Preet Sangha