Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

HKCU how does it work..???? 1

Status
Not open for further replies.

Highland

MIS
Jul 4, 2001
451
GB
I've read a few articles recently describing various fixes which involve updating a settings on keys within HKCU...can anyone describe how these changes are then filtered to each user...??? Does the registry change this Key for each active logon...???

thanks........
 
I don't believe that changes in this key are filtered to other users. HKCU (HKey_Current_User) only applies to the CURRENT USER that is logged on the machine or in the case of Terminal Server, the CURRENT USER in a session who is running the registry editor.
For example, if two users logon to one Terminal Server and then they both run the registry editor, they would see different settings under HKCU. The reason is that each user would be looking at their own registry settings.

You can actually look at all the ACTIVE users registry settings under HKey Users. Unfortunately, the users Keys are displayed by their SIDs, not their username.

If you want to make a registry change that is applied to all users, you will need to use a System Policy. Even then, it only applies to a user when they logon. Not when they are activley logged on.
Dave Namou, MCSE CCEA
 
DaveNamou is correct that HKEY_CURRENT_USER only applies to the currently logged on user and does not filter out to all users.

Chances are that the changes you need to apply are not contained in any standard policy templates. Therefore you will either have to create your own policy templates (.ADM files) and then apply the settings. These will then be applied to each user next time they logon. Or you can create a .REG file which contains your changes. This .REG file can then be merged transparrently next time a user logs on.
 
Thanks....I think I follow what you are saying...!!!

One further question, how are these initial CU settings applied to new users...?? If I follow what you are saying, how would 2 users have different settings to these keys if they both "start" with the same settings, where would the differences have been applied from (if we ignore Policies)...???....also!! where are they held when the users logoff..??? Is it Ntuser.dat...????

Thanks........
 
The initial settings are applied by using the "Default User" Ntuser.dat (Located in the Profile Directory).

On the issue of the two users, they shouldn't have different settings if they logon one after the other. But the two users could have different settings for many other reasons.

(1) They changed the settings themselves.
(2) If the users logged on at different times. And in between that time something was changed on the system. You see, every time you install an app, it makes changes to the DEFAULT Ntuser.dat to apply to the new users. So if one user logged on before you installed the app, he "might" get different settings from the user who logged on after you installed the app.
(3) The 3rd reason only applies to Terminal Server. If you as an admin make any changes while you are in INSTALL mode. (CHANGE USER /INSTALL) you have just passed your changes to the next users that logon. This usually happens when an Admin puts the server in INSTALL mode and after the app install is complete, forgets to put it back in EXECUTE mode.

To your last question, the answer is yes. These settings are stored in NTUSER.dat in the users profile. By the way, if you want to look at the NTUSER.dat file while the user is not logged on, you can use REGEDT32.exe to load the file (Load Hive option).

Hope that helps!!
Dave Namou, MCSE CCEA
 
Thanks for all your replies.....it sounds as if HKCU simply holds a snapshot of the users settings from ntuser.dat, any editing on this key won't be "filtered" to the user at logoff...????

So.....!! Is there a quick way of identifying each user's SID (as shown in HKUsers) the only way I know of identifying it is to check each key using the "security" tab..??? Is this changed at each logon or is consistent across the "life" of each Domain Account...???

Thanks again...........
 
No, that's not True. It's not at all a snapshot. It is the actual KEY. If a user has the registry editor open and then edits the HKCU, it does filter to that user at logoff.
IF you yourself logon with your account and make a change to HKCU, you made a change to your NTUSER.DAT.


SIDs
a. No, the SID never changes for the user, even if you change the account name.

b. I'm sure their is a tool out their that could read the SIDs. Does anyone else know of a tool to match a SID to a user?

Dave Namou, MCSE CCEA
 
Thanks Dave....

So at the moment of actual logon is it a duplicate of the key held in HKUsers....????

Is it true, in a server environment, you could never guarantee which users key you were viewing in HKCU...???..if I logon as administrator and then someone logs-on after me before I open HKCU which environment will I see in HKCU...???

Sorry 4 all the questions...!!!...and thanks for your patient explanations.!!!
 
No Problem Highland! The registry is a bit confusing. That's why you always see HUGE WARNINGS about backing it up whenever someone suggest a change in the registry. Anyway...

It isn't a duplicate. It is the actual file. You are just looking at the file through a registry editor. It's kind of like a Word document. When you open a Word document using Microsoft WORD, and make changes, your making changes directly to the Word document. Well when you open the registry editor, you are actually opening the NTUSER.dat file. The only difference is that when you open the registry editor, you are looking at several different NTUSER.dat files, and some other types of system files as well. For example the HKey_Local_Machine Key is actually the "System" file located in WINNT\System32\Config.

To your second question, you always know whose user key your looking at. When you look at HKCU in regedit, it is always the key of the user who is logged on that machine at that time. Now when you are talking about Terminal Server and several users are logged on at the same time, then this is the best way to explain it...

3 users logon to a Terminal Server (User1, User2, and User3). They all open regedit. When User1 looks at HKCU, he is actually looking at NTUSER.dat for User1. When User2 looks at HKCU, he is actually looking at NTUSER.dat for User2. And the same thing goes for User3. So if 50 people run the registry editor on a Terminal Server then they all see a different HKCU, because each user is looking at his/her own NTUSER.dat.

Here is a Microsoft website that describes the functionality of the registry that should help more.


Choose "Windows 2000 Registry Reference" in the TOC
Dave Namou, MCSE CCEA
 
Thanks again Dave...!!!

That helps a great deal, I've never had to edit the HKCU key before and was looking at a problem with Word97 which suggested editing the HKCU for Live Scrolling in Word, it seems easier to change the same key in HKUsers in a server environment though..??? (Assuming the required users are logged in..!!!)

Ok, last question on this subject....

Is it possible to edit the ntuser.dat file from the users home directory....???

thanks..........
 
Yes, you can use REGEDT32.EXE (NOT Regedit.exe) to load a Hive (NTUSUR.DAT) and edit the file.

1. Launch REGEDT32
2. Make sure that the HKey_Local_Machine Window is in the foreground.
3. Highlight the HKey_Local_Machine
4. Click Registry --> Load Hive
5. Locate the NTUSER.DAT file you want to load and edit, then click -Open-.
6. Give it a KEY name (I always use TEST, the name does not matter), and click -OK-
7. You should now have a TEST key under HKLM. And you can make changes to that registry key which will directly be applied to the NTUSER.DAT file itself.
NOTE: When your done, you must UNLOAD the hive. Otherwise the user will not be able to logon to that server. Also, the user cannot be logged when you attemp to load the hive.

Good luck! Dave Namou, MCSE CCEA
 
Thanks Dave, that's been really helpful......really appreciate the time you have spent explaining ALL the above....CHEERS...!!!!
 
With regard to determining which user is which in hkey users, I just expand each hive, then the the volatile environment folder. Since the user usually has a home drive mapped, the %username% is resolved in one of the drive mappings.

It only takes a minute or two to find the one I want.

 
If u use regedt32 u can also highlight each "sub-key" within the HK-Users hive and select security/permissions to view the "owner".....

 
you can get the sid with the getsid command.
must beable in the reskit, so i think.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top