Write to HKCU from the system account

In this scenario, I needed to be able to write to the currently logged on users’ HKCU registry, but from a process being run as local system. Afterwards I even had to write the HKCU for every user that will ever logon to the machine, and for every user that already logged-on before.

The solution for these, was a script that accepts a .reg file’s path and the mode that the script needs to run in.

The script simply reads the .reg file, then replaces the registry hive and/or path as needed, saves the new file temporarily and imports it with the /s switch in regedit.exe.

if it needs to write to the default profile’s HKCU, it first loads the ntuser.dat file as a hive, imports the reg file, and unloads the hive (using reg.exe).


So for example, let’s say you need to import the following to the logged-in user’s registry:

Windows Registry Editor Version 5.00


(Note that the registry key needs to be listed under the HKEY_CURRENT_USER hive)


1. Save the contents to a text file, and set the extension to .reg (e.g. C:\Temp\myApp.reg)

2. Run the script with the CurrentUser switch:

PowerShell.exe -File C:\scripts\WriteToHkcuFromSystem.ps1 -RegFile C:\Temp\myApp.reg -CurrentUser

If you need to write to the default profile (for every user that will ever logon to the machine), use the DefaultProfile switch, or for all the users that already have a profile on the machine, use the AllUsers switch.

The modes can be combined, to cover all the options:

 PowerShell.exe -File C:\scripts\WriteToHkcuFromSystem.ps1 -RegFile C:\Temp\myApp.reg –CurrentUser –AllUsers –DefaultProfile


The WriteToHkcuFromSystem.ps1 script can be downloaded from the PowerShell script repository:





Comments (7)

  1. shawnwat says:

    How does this work for the currently logged in user which has their HKCU portion locked?

    1. No. If the user is logged in, the NTUSER.dat cannot be loaded.
      The method described in the script will work for a machine login script, a script deployed by SCCM, or a similar method.

  2. Rich says:

    what is the content of C:\scripts\WriteToHkcuFromSystem.ps1

  3. Roy says:

    Hi Martin,

    Does your script work with 64bit OS ?

    if i am deploying through SCCM , i should be using something like that ?
    %WinDir%\SysWOW64\windowsPowershell\v1.0\Powershell.exe -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -File .\WriteToHkcuFromSystem.ps1 -RegFile .\myApp.reg –AllUsers


    1. @Roi, Yes, the script is architecture agnostic.
      But if you want to run the 64bit PowerShell from a 32bit app (e.g. the SCCM client or cmd.exe) you should call the PowerShell.exe from the sysnative folder. e.g.

  4. Raphael says:

    This is such a great script. It allows for very nice automation at logon! For example writing to HKCU when the logged in user doesn’t have rights to alter registry. Beautiful Martin thank you !

Skip to main content