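# Read-AllUserRegistryHives.ps1
#
# Enumerates every local user profile listed under HKLM\...\ProfileList, loads
# each profile's ntuser.dat under HKEY_USERS\<SID> when it is not already
# mounted (i.e. the user is not logged on), reads a per-user setting from it,
# and unloads the hive again. The example setting read here is the screen
# saver policy (ScreenSaveActive / ScreenSaverIsSecure), emitted as one object
# per profile with User, ScreenSaveActive and ScreenSaverIsSecure properties.
#
# reg.exe load/unload needs an elevated session. A hive that this script loads
# and fails to unload stays mounted under HKU and can prevent that user's
# profile from loading later, so the unload is done in a finally block and
# only for hives this script itself loaded.

# Regex pattern for SIDs (domain/local account SIDs only; built-in well-known
# SIDs such as S-1-5-18 are deliberately excluded)
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'

# Pull currently loaded user hives (users who are logged in). These are already
# mounted under HKEY_USERS and must not be reg-loaded a second time.
$LoadedHives = Get-ChildItem registry::Hkey_Users |
    Where-Object { $_.PSChildName -match $PatternSID } |
    Select-Object PSChildName

# Get Username, SID, and location of ntuser.dat for all users.
# Wrapped in @() so a machine with a single matching profile still yields an
# array; without it the `+=` below fails on a bare PSCustomObject.
$ProfileList = @(
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |
        Where-Object { $_.PSChildName -match $PatternSID } |
        ForEach-Object {
            # $LoadedHives.PSChildName may be $null, a single string or an array;
            # -contains handles all three (a scalar is treated as a one-item list).
            [bool] $IsLoaded = $LoadedHives.PSChildName -contains $_.PSChildName
            [PSCustomObject] @{
                SID        = $_.PSChildName
                UserHive   = "$($_.ProfileImagePath)\ntuser.dat"
                # Folder name of the profile directory, used as the display name.
                UserName   = $_.ProfileImagePath -replace '^(.*[\\\/])', ''
                IsLoggedIn = $IsLoaded
            }
        }
)

# Add in the .DEFAULT User Profile. It is marked IsLoggedIn = $true, so the
# UserHive value below is never handed to `reg load`; HKU\.DEFAULT is read in
# place, exactly like a logged-on user's hive.
$DefaultProfile = [PSCustomObject] @{
    SID        = ".DEFAULT"
    UserHive   = "C:\Users\Public\NTuser.dat"
    UserName   = "Default"
    IsLoggedIn = $true
}
$ProfileList += $DefaultProfile

$ProfileList | ForEach-Object {
    $sid = $_.SID
    $hiveLoadedHere = $false

    # Load User ntuser.dat if it's not already loaded. reg.exe is an external
    # command: failure is reported through $LASTEXITCODE, not an exception, so
    # record whether the load actually succeeded before trusting the hive.
    # Arguments are quoted because ProfileImagePath may contain spaces.
    if (-not $_.IsLoggedIn) {
        $null = reg load "HKU\$sid" "$($_.UserHive)"
        $hiveLoadedHere = ($LASTEXITCODE -eq 0)
    }

    try {
        # Here we're just checking the screensaver settings, but you can do a
        # bunch of stuff. A missing value (or an unloaded hive) yields 'N/A'
        # rather than aborting the run for the remaining profiles.
        try {
            $ScreenSaveActive = Get-ItemPropertyValue "Registry::HKEY_USERS\$sid\Control Panel\Desktop" -Name 'ScreenSaveActive' -ErrorAction Stop
        } catch { $ScreenSaveActive = 'N/A' }
        try {
            $ScreenSaverIsSecure = Get-ItemPropertyValue "Registry::HKEY_USERS\$sid\Control Panel\Desktop" -Name 'ScreenSaverIsSecure' -ErrorAction Stop
        } catch { $ScreenSaverIsSecure = 'N/A' }

        [pscustomobject] @{
            User                = $_.UserName
            ScreenSaveActive    = $ScreenSaveActive
            ScreenSaverIsSecure = $ScreenSaverIsSecure
        }
    }
    finally {
        # Unload ntuser.dat — always, even if the reads above threw something
        # unexpected, but only for a hive this script loaded itself.
        if ($hiveLoadedHere) {
            # Release any registry handles the provider still holds on the hive;
            # otherwise `reg unload` can be refused because the key is in use.
            [gc]::Collect()
            $null = reg unload "HKU\$sid"
        }
    }
}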