John Lee - 3 months ago 26
PowerShell Question

Read HKEY_USERS and HKEY_CURRENT_USER

$strIPAddrTmp = "172.28.27.200"
$strKeyIEConnections = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\"
$strRegType = [Microsoft.Win32.RegistryHive]::CurrentUser
$strRegKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($strRegType, $strIPAddrTmp)
$strRegKey = $strRegKey.OpenSubKey($strKeyIEConnections)


I used the PS script above to try to read the contents of:

HKCU::Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings


I was just trying to check the IE proxy settings of a target remote machine.
I found out that the script always returns the contents from HKEY_USERS instead of HKEY_CURRENT_USER.
What did I do wrong?

Answer

This should be the answer!

1) Find out the SID of the user logged onto the machine.

# $domain and $name must already hold the domain and account name of the logged-on user
$strSID = (Get-WmiObject -Class Win32_UserAccount -Filter "Domain = '$domain' AND Name = '$name'").SID

2) Use the SID to find out the info in HKEY_USERS:

$strKeyIEConnections = "$strSID\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\"
$strRegType = [Microsoft.Win32.RegistryHive]::Users
$strRegKey  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($strRegType, $strIPAddrTmp)
$strRegKey  = $strRegKey.OpenSubKey($strKeyIEConnections)
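
The answer's approach, generalized so the account name does not have to be known in advance (an added example, not code from the original question or answer): it walks every profile hive loaded under HKEY_USERS on the remote machine, resolves each SID to an account name, and reads DefaultConnectionSettings. The function name Get-RemoteIEConnectionSettings is hypothetical, and the reading of byte 8 as the connection flags (0x02 = manual proxy) is an assumption based on the commonly observed, undocumented layout of that value.

```powershell
# Added example. Needs the Remote Registry service running on the target
# and an account with rights to read the users' hives there.
function Get-RemoteIEConnectionSettings {
    param([Parameter(Mandatory = $true)] [string] $ComputerName)

    $subPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    try {
        # Loaded profiles show up as S-1-5-21-... subkeys; the regex skips
        # the matching *_Classes hives and the built-in service SIDs.
        $sids = $hku.GetSubKeyNames() | Where-Object { $_ -match '^S-1-5-21-[\d-]+$' }
        foreach ($sid in $sids) {
            # Translation runs on the local machine, so accounts local to the
            # target may not resolve; the SID is still reported in that case.
            $account = $null
            try {
                $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }

            $key = $hku.OpenSubKey("$sid\$subPath")
            if ($null -eq $key) { continue }          # no Connections key in this profile
            try {
                $raw = $key.GetValue('DefaultConnectionSettings')   # REG_BINARY -> byte[]
            } finally {
                $key.Close()
            }

            $hex = $null
            $manualProxy = $null
            if ($null -ne $raw) {
                $hex = [BitConverter]::ToString($raw)
                # Assumption: byte 8 holds the flags, bit 0x02 = manual proxy enabled.
                if ($raw.Length -gt 8) { $manualProxy = ($raw[8] -band 0x02) -ne 0 }
            }
            [pscustomobject]@{
                ComputerName = $ComputerName
                Sid          = $sid
                Account      = $account
                ManualProxy  = $manualProxy
                RawHex       = $hex
            }
        }
    } finally {
        $hku.Close()
    }
}
# Usage (address taken from the question):
#   Get-RemoteIEConnectionSettings -ComputerName '172.28.27.200'
```

Only profiles whose hives are currently loaded on the target appear under HKEY_USERS, so a user who is not logged on will not be listed.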