Hkcu

Josh Rickard | Thu, Apr 13 2017 (updated Thu, May 25 2017) | powershell, powershell scripts, registry | 7

If you have supported software in an organization of any size, removing HKEY_CURRENT_USER (HKCU) registry keys from all user accounts has more than likely posed a challenge. Whether your goal is to remove software-related keys or to add configuration items to all user accounts, it can become tricky. In this article, I will discuss how to do this with PowerShell.




Josh's primary focus is in Windows security and PowerShell automation. He is a GIAC Certified Windows Security Administrator (GCWN) and GIAC Certified Forensic Analyst (GCFA). You can reach Josh at MSAdministrator.com or on Twitter at

Traditionally you could accomplish this by using the User Configuration option in a Group Policy object, but with PowerShell you don't have to. Don't get me wrong: Group Policy may be the best option in your situation. If you want to remove software or a configuration item almost immediately, and you do not want to wait until users log in to their systems to apply it, then PowerShell is your answer. PowerShell is nothing if not flexible.


There may be many reasons why you would want to remove registry keys from unloaded profiles, but more than likely it is because you need to remove HKCU registry keys that a piece of software left behind. By writing a PowerShell script or function, you can load all unloaded HKCU user hives, make your change, and unload those hives. The general process to do this in PowerShell is to:

1. Find all unloaded user hives on a system.
2. Iterate through each of them.
3. Make the necessary change.
4. Unload each loaded user hive.



Figure: Loading a user hive to HKU


To find all the unloaded user hives on a system, we first need to find all HKCU hives on the machine. We can find all profiles on a machine by looking in the registry:

```powershell
# Regex matching the SID of a local or domain user account (built-in system accounts are excluded)
$PatternSID = 'S-1-5-21-\d+-\d+-\d+-\d+$'

# Get the SID, the on-disk location of ntuser.dat, and the username for every profile on the machine
$ProfileList = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |
    Where-Object { $_.PSChildName -match $PatternSID } |
    Select-Object @{name = "SID"; expression = { $_.PSChildName }},
                  @{name = "UserHive"; expression = { "$($_.ProfileImagePath)\ntuser.dat" }},
                  @{name = "Username"; expression = { $_.ProfileImagePath -replace "^(.*[\\\/])", "" }}
```

Now that we know which user profiles are on the machine, we need to filter out all the currently loaded profiles.

```powershell
# Get all user SIDs found in HKEY_USERS (ntuser.dat files that are loaded)
$LoadedHives = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match $PatternSID } |
    Select-Object @{name = "SID"; expression = { $_.PSChildName }}
```

For backward compatibility with PowerShell V2, we need to separate out the values from $LoadedHives and create a new PSCustomObject:

```powershell
$SIDObject = @()
foreach ($item in $LoadedHives) {
    $props = @{
        SID = $item.SID
    }
    $TempSIDObject = New-Object -TypeName PSCustomObject -Property $props
    $SIDObject += $TempSIDObject
}
```

Now that we have two lists of SIDs, all HKCU hives and the currently loaded HKCU hive(s), we need to filter them so that we only load unloaded hives. Additionally, for backward compatibility, we need to use the Measure-Object cmdlet instead of the traditional $var.count approach. In PowerShell V2, if you have an object of fewer than two items, the count property does not work properly, thus the use of Measure-Object:

```powershell
# We need to use ($ProfileList | Measure-Object).count instead of just ($ProfileList).count
# because in PS V2, if the count is less than 2, it doesn't work. :)
for ($p = 0; $p -lt ($ProfileList | Measure-Object).count; $p++) {
    # Treat the hive as unloaded unless its SID shows up in the list of loaded hives
    $IsLoaded = $false
    for ($l = 0; $l -lt ($SIDObject | Measure-Object).count; $l++) {
        if ($ProfileList[$p].SID -eq $SIDObject[$l].SID) {
            $IsLoaded = $true
        }
    }
    if (-not $IsLoaded) {
        Write-Verbose "Loading registry hive for $($ProfileList[$p].Username)"
        # Load the user's ntuser.dat under HKEY_USERS\<SID>
        reg load "HKU\$($ProfileList[$p].SID)" $ProfileList[$p].UserHive | Out-Null

        #####################################################################
        # This is where you can read, add, modify or remove keys in this
        # user's HKCU hive, reached as Registry::HKEY_USERS\<SID>\...
        #####################################################################
    }
}
```

In the block comment above, you can search, add, modify, or remove any registry keys for that specific HKCU user hive. After we have made any additions or subtractions to the loaded user hive, we then need to do a little cleanup. You never want to leave items behind or in a state that has the potential to cause issues or conflicts with other system calls. To do this, we just need to add the following piece of code at the end of the if statement that loaded the hive:

```powershell
        Write-Verbose "Unloading registry hives for all users"
        # Unload ntuser.dat
        ### Garbage collection and closing of ntuser.dat ###
        [gc]::Collect()
        reg unload "HKU\$($ProfileList[$p].SID)" | Out-Null
```

That's it! Next time you have a piece of software that leaves items around or you need to add registry keys/values to resolve an issue, PowerShell is the answer.
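As an added example that is not part of the original article, here is the same process wrapped in a reusable function: it skips hives that are already mounted, checks that reg load actually succeeded, and unloads in a finally block so a failing change never leaves a hive mounted (a mounted hive gives that user a temporary profile at next logon). The function name, the -Change parameter and the Software\ExampleVendor\LeftoverApp key are assumptions for illustration; the session must be elevated.

```powershell
# Added example, not the article's code. Loads every HKCU hive that is not currently
# mounted, runs a caller-supplied change against it, and always unloads it afterwards.
# Requires an elevated PowerShell session. ExampleVendor\LeftoverApp is a placeholder key.
function Invoke-ForEachUnloadedUserHive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][scriptblock]$Change   # receives the mounted hive root path
    )
    $PatternSID = '^S-1-5-21-\d+-\d+-\d+-\d+$'   # local/domain user accounts only
    # Every user profile known to Windows, with the on-disk location of its hive
    $Profiles = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |
        Where-Object { $_.PSChildName -match $PatternSID } |
        ForEach-Object {
            New-Object PSObject -Property @{ SID = $_.PSChildName; UserHive = Join-Path $_.ProfileImagePath 'ntuser.dat' }
        }
    # SIDs already mounted under HKEY_USERS: logged-on users, or hives somebody left mounted earlier
    $LoadedSIDs = Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match $PatternSID } |
        ForEach-Object { $_.PSChildName }

    foreach ($Prof in $Profiles) {
        if ($LoadedSIDs -contains $Prof.SID) { continue }     # in use, leave it alone
        if (-not (Test-Path $Prof.UserHive)) { continue }     # profile folder without a hive
        $HiveRoot = "HKU\$($Prof.SID)"
        reg.exe load $HiveRoot $Prof.UserHive | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg load failed for $HiveRoot"; continue }
        try {
            & $Change "Registry::HKEY_USERS\$($Prof.SID)"
        }
        finally {
            # Release the registry provider's handles first, otherwise reg unload fails with "Access is denied"
            [gc]::Collect()
            reg.exe unload $HiveRoot | Out-Null
            if (Test-Path "Registry::HKEY_USERS\$($Prof.SID)") {
                Write-Warning "$HiveRoot is still mounted; unload it before that user logs on"
            }
        }
    }
}

# Usage: delete a leftover per-user key (placeholder vendor path) from every offline profile
Invoke-ForEachUnloadedUserHive -Verbose -Change {
    param($Root)
    $Key = "$Root\Software\ExampleVendor\LeftoverApp"
    if (Test-Path $Key) { Remove-Item -Path $Key -Recurse -Force; "Removed $Key" }
}
```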

Initial research for this article was provided by Bryce McDonald.

