Check value in HKEY USER in PowerShell

Some registry settings were made by a batch script in the past on multiple devices. Now I need to check whether those settings still exist or not.

I am creating a PowerShell script and trying to get the value of that path.

Below are the values configured in the past by Batch script:

REG ADD "HKU\DefUser\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 0x1 /f

You can see these settings are created under HKEY USERS and have created NTUSER.DAT.

PowerShell command which I am trying.

Get-ItemPropertyValue 'Registry::HKEY_USERS\defuser\Software\Policies\Microsoft\Internet Explorer\Control Panel ' -Name HomePage

This command is returning error:

Get-ItemPropertyValue : Cannot find path 'HKEY_USERS\defuser\Software\Policies\Microsoft\Internet Explorer\Control Panel ' because it does not exist.
At line:6 char:1
+ Get-ItemPropertyValue 'Registry::HKEY_USERS\defuser\Software\Policies ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (HKEY_USERS\defu...\Control Panel :String) [Get-ItemPropertyValue], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyValueCommand
 

I am not sure whether I need to check inside HKEY Current User. How are HKU and HKCU connected?



Solution 1:[1]

The code below should give you a list of objects where the registry value could be found:

$regPath  = 'Software\Policies\Microsoft\Internet Explorer\Control Panel'
$regValue = 'HomePage'
$result   = Get-ItemProperty -Path "Registry::HKEY_USERS\*\$regPath" -Name $regValue | 
    Where-Object { $_.PsPath.Split("\")[2] -match '^(S-1-5-21-[\d-]+\d+)$' } |
    Foreach-Object {
        $sid = $matches[1]
        $user = [System.Security.Principal.SecurityIdentifier]::new($sid).Translate([System.Security.Principal.NTAccount]).Value
        [PsCustomObject]@{
            UserName  = $user
            UserSID   = $sid
            $regValue = $_.$regValue
        }
    }

# output on screen
$result | Format-Table -AutoSize

# output to CSV
$result | Export-Csv -Path 'HomePage.csv' -NoTypeInformation

Solution 2:[2]

The HKEY_USERS hive isn't mounted by default in PowerShell. Try this before your code line:

New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS

It should do the trick

And correct your code line with:

Get-ItemPropertyValue 'HKU:\defuser\Software\Policies\Microsoft\Internet Explorer\Control Panel' -Name HomePage

If you don't know what defuser is and you want to parse every SID, you can do something like this:

New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS

$SIDs = Get-ChildItem -Path HKU:\ -Name | Where-Object { ($_.Length -gt 8) -and ($_ -NotLike '*Classes*')}

ForEach($user in ($SIDs))
{
    If((Get-ItemPropertyValue "HKU:\$($user)\Software\Policies\Microsoft\Internet Explorer\Control Panel" -Name HomePage -ErrorAction SilentlyContinue) -Eq 1)
    {
        Write-Host 'HomePage is OK'
    }
    Else
    {
        Write-Host 'HomePage is not OK'
    }
}

Remove-PSDrive -Name HKU

Solution 3:[3]

This is a very nice article about USERS hive: https://www.lifewire.com/hkey-users-2625903

Don't think defuser key exists in that hive. Unless you created your own, then you need to change the path. Try the code below.

#username
$Username = "DefUser"
#key without HIVE or SID to export e.g. SOFTWARE\Microsoft\Windows
$key = "Software\Policies\Microsoft\Internet Explorer\Control Panel"
#value in the key above to retrieve
$valuetoget = "HomePage"

### get sid from username
$User = $null
$sid = $null
try {
    $User = New-Object System.Security.Principal.NTAccount($Username)
    $sid = $User.Translate([System.Security.Principal.SecurityIdentifier]).value
}
catch {
    Write-Output "Failed to get SID for username: $UserName."
    return
}

#check whether the user hive is loaded
if (Test-Path "Registry::HKEY_USERS\$sid" -PathType Container) {
    #it is loaded, check the key
    if (Test-Path "Registry::HKEY_USERS\$sid\$key") {
        Write-Output "The specified key was found under: $UserName."
        $value = Get-ItemPropertyValue "Registry::HKEY_USERS\$sid\$key" -Name $valuetoget -ErrorAction SilentlyContinue
        if ($null -ne $value) {
            Write-Output "The value of property $valuetoget is:$value"
        } else {
            Write-Output "The property $valuetoget was not found or is empty."
        }
    }
    else {
        Write-Output "The specified key does not exist under: $UserName"
    }
}
Else {
    #it isn't loaded, load it (reg.exe needs each argument passed separately)
    & "$env:windir\system32\reg.exe" LOAD 'HKU\TEMP' "$env:SystemDrive\Users\$UserName\NTUSER.DAT"
    #check the key if it exists
    if (Test-Path "Registry::HKEY_USERS\TEMP\$key") {
        Write-Output "The specified key was found under: $UserName."
        $value = Get-ItemPropertyValue "Registry::HKEY_USERS\TEMP\$key" -Name $valuetoget -ErrorAction SilentlyContinue
        if ($null -ne $value) {
            Write-Output "The value of property $valuetoget is:$value"
        } else {
            Write-Output "The property $valuetoget was not found or is empty."
        }
    }
    else {
        Write-Output "The specified key does not exist under: $UserName"
    }
    #release open registry handles, then unload it
    [gc]::Collect()
    & "$env:windir\system32\reg.exe" UNLOAD 'HKU\TEMP'
}
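
Solutions 1 and 3 each cover one case: hives already loaded under HKEY_USERS, and a single profile whose NTUSER.DAT has to be mounted first. The following is an added example, not code from any of the answers, that goes beyond them by walking the ProfileList key and handling both cases for every local profile plus the default profile. The mount name AuditTemp and the function Read-UserValue are assumptions made for the example, and it has to run elevated.

```powershell
# Added example (not from the answers). Run elevated: reg.exe load/unload needs admin rights.
$subKey    = 'Software\Policies\Microsoft\Internet Explorer\Control Panel'
$valueName = 'HomePage'
$mount     = 'AuditTemp'   # hypothetical temporary key name under HKEY_USERS

function Read-UserValue([string]$root) {
    # Emits nothing ($null) when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath "Registry::HKEY_USERS\$root\$subKey" -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$valueName }
}

# Every local profile is registered here with its SID and profile folder.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profiles = @(Get-ChildItem -Path $profileList |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        [pscustomobject]@{ Id = $_.PSChildName; Folder = $_.GetValue('ProfileImagePath') }
    })
# Template profile copied for new users. It is never loaded as HKU\Default
# (HKU\.DEFAULT is a different hive), so it always takes the mount branch below.
$profiles += [pscustomobject]@{ Id = 'Default'; Folder = (Get-ItemProperty -Path $profileList).Default }

$result = foreach ($p in $profiles) {
    $value    = $null
    $source   = 'not readable'
    $hiveFile = Join-Path $p.Folder 'NTUSER.DAT'
    if (Test-Path -LiteralPath "Registry::HKEY_USERS\$($p.Id)") {
        # Hive already loaded (user logged on): read it in place.
        $source = 'loaded hive'
        $value  = Read-UserValue $p.Id
    }
    elseif ([System.IO.File]::Exists($hiveFile)) {
        # Hive on disk only: mount, read, release handles, unmount.
        & reg.exe load "HKU\$mount" $hiveFile 2>$null | Out-Null
        if ($LASTEXITCODE -eq 0) {
            $source = 'NTUSER.DAT'
            $value  = Read-UserValue $mount
            [gc]::Collect()
            & reg.exe unload "HKU\$mount" | Out-Null
        }
    }
    [pscustomobject]@{
        Profile    = $p.Id
        Source     = $source
        $valueName = $value
        Compliant  = ($value -eq 1)   # the batch script wrote REG_DWORD 0x1
    }
}
$result | Format-Table -AutoSize
```

A profile reported as "not readable" means its hive was neither loaded nor mountable, so its setting is unknown rather than absent.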

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Theo
Solution 2
Solution 3 Ultimate Luki