Write to HKCU from the system account


In this scenario, I needed to be able to write to the currently logged on users’ HKCU registry, but from a process being run as local system. Afterwards I even had to write the HKCU for every user that will ever logon to the machine, and for every user that already logged-on before.

The solution for these, was a script that accepts a .reg file’s path and the mode that the script needs to run in.

The script simply reads the .reg file, then replaces the registry hive and/or path as needed, saves the new file temporarily and imports it with the /s switch in regedit.exe.

if it needs to write to the default profile’s HKCU, it first loads the ntuser.dat file as a hive, imports the reg file, and unloads the hive (using reg.exe).

 

So for example, let’s say you need to import the following to the logged-in user’s registry:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\myApp]
"License"="93BF5737-EF78-4B1D-A676-649C2798A158"

(Note that the registry key needs to be listed under the HKEY_CURRENT_USER hive)

 

1. Save the contents to a text file, and set the extension to .reg (e.g. C:\Temp\myApp.reg)

2. Run the script with the CurrentUser switch:

PowerShell.exe -File C:\scripts\WriteToHkcuFromSystem.ps1 -RegFile C:\Temp\myApp.reg -CurrentUser

If you need to write to the default profile (for every user that will ever logon to the machine), use the DefaultProfile switch, or for all the users that already have a profile on the machine, use the AllUsers switch.

The modes can be combined, to cover all the options:

 PowerShell.exe -File C:\scripts\WriteToHkcuFromSystem.ps1 -RegFile C:\Temp\myApp.reg –CurrentUser –AllUsers –DefaultProfile

 

The WriteToHkcuFromSystem.ps1 script can be downloaded from the PowerShell script repository:

https://gallery.technet.microsoft.com/scriptcenter/Write-to-HKCU-from-the-3eac1692

 

HTH,

\Martin.

Comments (4)

  1. shawnwat says:

    How does this work for the currently logged in user which has their HKCU portion locked?

    1. No. If the user is logged in, the NTUSER.dat cannot be loaded.
      The method described in the script will work for a machine login script, a script deployed by SCCM, or a similar method.

  2. Rich says:

    what is the content of C:\scripts\WriteToHkcuFromSystem.ps1

Skip to main content