Which registry key would you use to discover the SID associated with a particular user?

Is there a way to connect the values under HKEY_USERS to the actual username?
I saw some similar questions, but most (if not all) talk about C# code, and my need is in VBScript.

asked May 27, 2010 at 7:40

If you look at either of the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

You can find a list of the SIDs there with various values, including their "home paths", which include their usernames.

I'm not sure how dependable this is and I wouldn't recommend messing about with this unless you're really sure what you're doing.

answered May 27, 2010 at 7:57

Hans Olsson

2

It is possible to query this information from WMI. The following command will output a table with a row for every user along with the SID for each user.

wmic useraccount get name,sid

You can also export this information to CSV:

wmic useraccount get name,sid /format:csv > output.csv

I have used this on Vista and 7. For more information see WMIC - Take Command-line Control over WMI.

answered Jun 8, 2011 at 20:10

dcharles

4

  1. Open Reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\

  2. Make a loop to get all subkeys.

  3. The subkeys you are interested in are those starting with [S-1-5-21-], which means user (see key name [ProfileImagePath]; they always start with the path c:\Users).

  4. Those starting with [S-1-5-21-12] are all local users.

  5. Those starting with [S-1-5-21-13] are all network users (if joined to a domain network) that have previously logged on to the machine.

answered Apr 25, 2012 at 7:26

Stone

1

By searching for my userid in the registry, I found

HKEY_CURRENT_USER\Volatile Environment\Username

answered Sep 12, 2016 at 21:13

Alan Frank

2

You can use the command PSGetSid from Microsoft's SysInternals team.

Download URL: //technet.microsoft.com/en-gb/sysinternals/bb897417.aspx

Usage:

psgetsid [\\computer[,computer[,...] | @file] [-u username [-p password]]] [account|SID]
-u  Specifies optional user name for login to remote computer.
-p  Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
Account PsGetSid will report the SID for the specified user account rather than the computer.
SID PsGetSid will report the account for the specified SID.
Computer    Direct PsGetSid to perform the command on the remote computer or computers specified. If you omit the computer name PsGetSid runs the command on the local system, and if you specify a wildcard (\\*), PsGetSid runs the command on all computers in the current domain.
@file   PsGetSid will execute the command on each of the computers listed in the file.

Example:

psgetsid S-1-5-21-583907252-682003330-839522115-63941

NB:

  • Where the user is a domain/AD (LDAP) user, running this on any computer on the domain should give the same results.
  • Where the user is local to the machine the command should either be run on that machine, or you should specify the computer via the optional parameter.

Update

If you use PowerShell, the following may be useful for resolving any AD users listed:

#create a drive for HKEY USERS:
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue

#List all immediate subfolders
#where they're a folder (not a key)
#and they're an SID (i.e. exclude .DEFAULT and SID_Classes entries)
#return the SID
#and return the related AD entry (should one exist).
#Get-ADUser needs the ActiveDirectory module (RSAT).
Get-ChildItem -Path 'HKU:\' `
| ?{($_.PSIsContainer -eq $true) `
-and ($_.PSChildName -match '^S-[\d-]+$')} `
| select @{N='SID';E={$_.PSChildName}} `
, @{N='Name';E={Get-ADUser $_.PSChildName | select -expand Name}}

You could also refine the SID filter further to only pull back those SIDs which will resolve to an AD account if you wished; more on the SID structure here: //technet.microsoft.com/en-us/library/cc962011.aspx

answered Jun 13, 2014 at 13:51

JohnLBevan

In the HKEY_USERS\oneyouwanttoknow\ you can look at \Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders and it will reveal their profile paths. c:\users\whothisis\Desktop, etc.

Kingsley


answered Dec 2, 2018 at 22:29

1

for /f "tokens=8 delims=\" %a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist" ^| find "UsrClass.dat"') do echo %a

alecxe


answered May 21, 2013 at 19:16

DaLua

1

Done it, by a bit of creative programming,

  1. Enum the Keys in HKEY_USERS for those funny number keys...

  2. Enum the keys in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\

and you will find the same numbers.... Now in those keys look at the String value: ProfileImagePath = "SomeValue" where the values are either:

"%systemroot%\system32\config\systemprofile"... not interested in this one... as it's not a directory path...

%SystemDrive%\Documents and Settings\LocalService - "Local Services"
%SystemDrive%\Documents and Settings\NetworkService - "NETWORK SERVICE"

or

%SystemDrive%\Documents and Settings\USER_NAME, which translates directly to the "USERNAME" values in most un-tampered systems, i.e. where the user has not changed their user name after a few weeks or altered the paths explicitly...

answered Mar 7, 2012 at 15:41

1
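Added example, not part of any answer on this page: the ProfileList walk described in this answer and in the numbered-steps answer earlier, written in PowerShell. The function name `Get-ProfileSidMap` and the `FolderMatchesName` column are illustrative; the SID-to-name lookup uses the .NET `SecurityIdentifier.Translate` call rather than the folder name, and the last column flags profiles whose folder no longer matches the account name.

```powershell
# Added example: map ProfileList SIDs to account names and compare with the profile folder.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileSidMap {
    param([string]$Path = $profileList)

    Get-ChildItem -Path $Path | ForEach-Object {
        $sidText = $_.PSChildName
        # ProfileImagePath is REG_EXPAND_SZ; GetValue() expands %SystemDrive% and similar.
        $profilePath = $_.GetValue('ProfileImagePath')

        $account = $null
        try {
            # Ask Windows which account owns the SID instead of guessing from the path.
            $sid = [System.Security.Principal.SecurityIdentifier]$sidText
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Subkey name is not a valid SID, the account was deleted,
            # or no domain controller could be reached: leave Account empty.
        }

        $leaf = if ($profilePath) { Split-Path -Path $profilePath -Leaf } else { $null }
        $user = if ($account) { ($account -split '\\')[-1] } else { $null }

        [pscustomobject]@{
            SID               = $sidText
            Account           = $account
            ProfilePath       = $profilePath
            # False for renamed accounts and for folders such as "user.DOMAIN".
            FolderMatchesName = [bool]($account -and ($leaf -ieq $user))
        }
    }
}

Get-ProfileSidMap | Format-Table -AutoSize
```

Rows with an empty Account column are profiles whose SID no longer resolves, which is worth noting when reviewing leftover profiles on a host.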

The proper way to do this requires leveraging the SAM registry hive (on Windows 10, this requires NT AUTHORITY\SYSTEM privileges). The information you require is in the key: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names.

Each subkey is the username, and the default value in each subkey is a binary integer. This value (converted to decimal) actually corresponds to the last chunk of the SID.

Take "Administrator" for example, by default it is associated with the integer 0x1f4 (or 500).

So, in theory you could build a list of SIDs based on the subkey names of the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList key and/or HKEY_USERS key, parse out the value after the last hyphen (-), and compare that to the info from the SAM hive.

If you don't have NT AUTHORITY\SYSTEM privileges, the next best way to approach this may be to follow the other method described in the answers here.

reference: //learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

answered Oct 27, 2019 at 2:38
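Added example, not part of the answer above: the RID comparison it describes, in PowerShell, run over constructed data so that it needs no SYSTEM privileges. The name-to-RID table, the SIDs and the function name `Resolve-SidViaRid` are all made up for illustration; the check on the domain part of the SID is there because a RID is only unique within one machine or domain.

```powershell
# Constructed stand-in for the SAM "Names" data (user name -> RID).
$samNames = @{ 'Administrator' = 0x1f4; 'Guest' = 0x1f5; 'alice' = 1001 }

# Constructed SIDs, as they would appear as subkey names under ProfileList or HKEY_USERS.
$machineSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed local machine SID
$sids = @(
    "${machineSid}-500",
    "${machineSid}-1001",
    'S-1-5-21-4444444444-5555555555-6666666666-1001',       # constructed domain account, same RID
    'S-1-5-18'                                              # LocalSystem: no account RID
)

function Resolve-SidViaRid {
    param([string[]]$Sid, [hashtable]$NameToRid, [string]$LocalMachineSid)

    # Invert name -> RID into RID -> name for the lookup.
    $ridToName = @{}
    foreach ($name in $NameToRid.Keys) { $ridToName[[uint32]$NameToRid[$name]] = $name }

    foreach ($s in $Sid) {
        $obj    = [System.Security.Principal.SecurityIdentifier]$s
        $domain = $obj.AccountDomainSid      # $null for SIDs such as S-1-5-18
        $match  = $null
        $reason = 'no account RID'

        if ($domain) {
            if ($domain.Value -eq $LocalMachineSid) {
                # The value after the last hyphen is the RID stored in the SAM hive.
                $rid    = [uint32]$s.Substring($s.LastIndexOf('-') + 1)
                $match  = $ridToName[$rid]
                $reason = if ($match) { 'RID match' } else { 'RID not in table' }
            } else {
                # Same RID in another domain is a different account: do not match.
                $reason = 'different domain or machine'
            }
        }
        [pscustomobject]@{ SID = $s; Name = $match; Reason = $reason }
    }
}

Resolve-SidViaRid -Sid $sids -NameToRid $samNames -LocalMachineSid $machineSid |
    Format-Table -AutoSize
```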

How do I find the SID of AD user?

To get an AD group SID in Active Directory, use the Get-ADGroup cmdlet. The Get-ADGroup cmdlet gets a group account specified by the Identity parameter in the PowerShell script.

Which registry key holds user profiles?

The registry contains a key called ProfileList located in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion. This registry key contains one subkey for each user profile on a Windows machine.

How do I find the SID of a security group?

SID (Security IDentifier) is a unique ID number assigned to each user on a Windows computer, and to each group or computer on a domain-controlled network. You can get the current user SID in Active Directory using the PowerShell Get-LocalUser cmdlet, or an AD user SID using the Get-ADUser cmdlet in PowerShell.

What identifier is used to search users?

The SID (Security IDentifier) is a unique ID number that a computer or domain controller uses to identify you. It is a string of alphanumeric characters assigned to each user on a Windows computer, or to each user, group, and computer on a domain-controlled network such as Indiana University's Active Directory.
