Write to HKCU from the system account


In this scenario, I needed to be able to write to the currently logged-on user's HKCU registry, but from a process being run as Local System. Afterwards I even had to write to the HKCU of every user that will ever log on to the machine, and of every user that had already logged on before.

The solution for these was a script that accepts the path of a .reg file and the mode that the script needs to run in.

The script simply reads the .reg file, then replaces the registry hive and/or path as needed, saves the new file temporarily and imports it with the /s switch in regedit.exe.

If it needs to write to the default profile's HKCU, it first loads the ntuser.dat file as a hive, imports the .reg file, and unloads the hive (using reg.exe).
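
A sketch of the rewrite-and-import flow described above, as an added example; it is not the WriteToHkcuFromSystem.ps1 script itself. The function names and the `HKU\TempDefault` mount point are assumptions, and it has to run elevated (for example as SYSTEM).

```powershell
# Added example, not the author's script; function and mount names are illustrative.
function Import-RegAsHive {
    param(
        [Parameter(Mandatory)] [string] $RegFile,     # .reg written against HKEY_CURRENT_USER
        [Parameter(Mandatory)] [string] $TargetRoot   # e.g. 'HKEY_USERS\<SID>' or 'HKEY_USERS\TempDefault'
    )
    # Rewrite key headers only ("[HKEY_CURRENT_USER\..." and "[-HKEY_CURRENT_USER\..."),
    # so value data that happens to contain the hive name is left untouched.
    $pattern     = '^(\s*\[-?)HKEY_CURRENT_USER(?=[\\\]])'
    $replacement = '${1}' + $TargetRoot.Replace('$', '$$')
    $rewritten   = Get-Content -LiteralPath $RegFile |
                   ForEach-Object { $_ -replace $pattern, $replacement }

    # Under SYSTEM, $env:TEMP is not user-writable; keep the temp copy out of
    # locations a standard user could modify before it is imported.
    $tmp = Join-Path $env:TEMP ("{0}.reg" -f [guid]::NewGuid())
    try {
        # Version 5.00 .reg files are UTF-16 LE, which is what -Encoding Unicode writes.
        Set-Content -LiteralPath $tmp -Value $rewritten -Encoding Unicode
        Start-Process -FilePath regedit.exe -ArgumentList '/s', "`"$tmp`"" -Wait
    }
    finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

function Import-RegToDefaultProfile {
    param([Parameter(Mandatory)] [string] $RegFile)
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $defaultDat  = Join-Path (Get-ItemProperty -Path $profileList).Default 'NTUSER.DAT'
    $mount       = 'HKU\TempDefault'   # temporary mount point (assumed name)

    & reg.exe load $mount $defaultDat | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $defaultDat" }
    try {
        Import-RegAsHive -RegFile $RegFile -TargetRoot 'HKEY_USERS\TempDefault'
    }
    finally {
        # Always unload, otherwise the hive stays mounted and NTUSER.DAT stays locked.
        & reg.exe unload $mount | Out-Null
    }
}
```

regedit.exe /s reports nothing on failure, so verify the result by reading the target key back after the import.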

 

So for example, let’s say you need to import the following to the logged-in user’s registry:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\myApp]
"License"="93BF5737-EF78-4B1D-A676-649C2798A158"

(Note that the registry key needs to be listed under the HKEY_CURRENT_USER hive)

 

1. Save the contents to a text file, and set the extension to .reg (e.g. C:\Temp\myApp.reg)

2. Run the script with the CurrentUser switch:

PowerShell.exe -File C:\scripts\WriteToHkcuFromSystem.ps1 -RegFile C:\Temp\myApp.reg -CurrentUser

If you need to write to the default profile (for every user that will ever log on to the machine), use the DefaultProfile switch, or for all the users that already have a profile on the machine, use the AllUsers switch.

The modes can be combined, to cover all the options:

PowerShell.exe -File C:\scripts\WriteToHkcuFromSystem.ps1 -RegFile C:\Temp\myApp.reg -CurrentUser -AllUsers -DefaultProfile

 

The WriteToHkcuFromSystem.ps1 script can be downloaded from the PowerShell script repository:

https://gallery.technet.microsoft.com/scriptcenter/Write-to-HKCU-from-the-3eac1692

 

Update 2018/01/01:
There was a bug in the script, where it wouldn't update the registry for the users that already had a profile. It's fixed now.

HTH,

\Martin.

Comments (14)

  1. shawnwat says:

    How does this work for the currently logged in user which has their HKCU portion locked?

    1. No. If the user is logged in, the NTUSER.dat cannot be loaded.
      The method described in the script will work for a machine login script, a script deployed by SCCM, or a similar method.

  2. Rich says:

    What is the content of C:\scripts\WriteToHkcuFromSystem.ps1?

  3. Roy says:

    Hi Martin,

    Does your script work with a 64-bit OS?

    If I am deploying through SCCM, I should be using something like that?
    %WinDir%\SysWOW64\windowsPowershell\v1.0\Powershell.exe -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -File .\WriteToHkcuFromSystem.ps1 -RegFile .\myApp.reg -AllUsers

    Thanks

    1. @Roi, Yes, the script is architecture agnostic.
      But if you want to run the 64bit PowerShell from a 32bit app (e.g. the SCCM client or cmd.exe) you should call the PowerShell.exe from the sysnative folder. e.g.
      %WinDir%\sysnative\WindowsPowershell\v1.0\Powershell.exe

  4. Raphael says:

    This is such a great script. It allows for very nice automation at logon! For example, writing to HKCU when the logged-in user doesn’t have rights to alter the registry. Beautiful, Martin, thank you!

  5. Abhishek Singh says:

    Hi Martin, it is really a nice script.
    I ran the script with PowerShell.exe -File C:\scripts\WriteToHkcuFromSystem.ps1 -RegFile C:\Temp\myApp.reg -CurrentUser -AllUsers -DefaultProfile… But it adds the HKCU registry to only the current user, not to all other users present on the machine. I have used the system context to run the script… Any suggestion on this?

    1. Ooops… There was a tiny bug in this version, and I forgot to update the gallery.
      I’ll update it, and reply here again.
      Thank you.

      1. Chris Ecklar says:

        Hello Martin. Has the script in the gallery been updated for the bugfix? Looks like the updated date is still 2016.

        1. I updated the script in the gallery now, and added a note in this post as well.
          Thank you.

          1. Parizj1 says:

            I tried the updated script and was able to write the HKCU key for the current user and the default for new profiles. Existing profiles with the AllUsers switch do not seem to work. I am executing the command with the System account in SCCM. If I use an account with administrative rights to execute it, it seems to work. The same results will happen if I use the System account with PsExec.

          2. Parizj1 says:

            I reviewed the script and found the issue in the section where all users' profiles are being applied. The user profile environment variable $env:USERPROFILE was causing it to not get the list of user profiles when using the System account, such as with SCCM. The System account uses the following environment variable: USERPROFILE=C:\WINDOWS\system32\config\systemprofile. All other profiles use USERPROFILE=C:\Users\.

            Changing the environment variable in my copy of your script from $env:USERPROFILE to $env:PUBLIC corrected the issue with the System account. The PUBLIC environment variable is there for all profiles, including the System account. The PUBLIC environment variable is set to C:\Users\Public. This allows the script to look at the parent directory C:\Users to enumerate through all the profiles that have logged into the machine.

          3. Great catch. I’ll update the script and republish it in the gallery.
            Thanks!
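
The profile enumeration problem discussed in the comments above can also be avoided by reading the profile list from the registry instead of deriving C:\Users from an environment variable, which also finds profiles stored outside C:\Users. This is an added example, not part of the gallery script; `Get-UserHiveTarget` is a hypothetical name.

```powershell
# Added example, not the author's script. Lists every user profile known to
# Windows, independent of the USERPROFILE / PUBLIC values of the calling account.
function Get-UserHiveTarget {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $profileList |
        # Keep local and domain account SIDs; skips SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
            $dat  = Join-Path $path 'NTUSER.DAT'
            [pscustomobject]@{
                Sid         = $sid
                ProfilePath = $path
                HiveFile    = $dat
                # A logged-on user's hive is already mounted under HKEY_USERS\<SID>
                # and its NTUSER.DAT is locked, so it cannot be loaded a second time.
                Loaded      = Test-Path -LiteralPath "Registry::HKEY_USERS\$sid"
                HiveExists  = [System.IO.File]::Exists($dat)
            }
        }
}

# Show which hives can be written in place and which must be loaded first.
Get-UserHiveTarget | Format-Table Sid, Loaded, HiveExists, ProfilePath -AutoSize
```

Entries with Loaded set to True can be written directly under HKEY_USERS\<SID>; the others need their HiveFile loaded with reg.exe first and unloaded afterwards.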
