#windows
fritz

07/06/2021, 8:30 PM
@Utsav Shah if you are running osquery as sudo/root it should be able to pull from any SID in HKEY_USERS
Utsav Shah

07/06/2021, 8:42 PM
Hmm. I am noticing that users seem to be disappearing from HKEY_USERS from time to time. Maybe they're disappearing for other reasons.
fritz

07/06/2021, 8:52 PM
are these local or domain accounts?
Utsav Shah

07/06/2021, 8:54 PM
type=local. I'm filtering out the roaming accounts.
8:57 PM
It was my theory that logged out users are disappearing from HKEY_USERS because it claims to have only actively loaded profiles, but I could be wrong (https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users).
Mike Myers

07/06/2021, 10:32 PM
The users' registry hives are not mounted when they are logged out, so they are not accessible from the Registry tree.
Utsav Shah

07/06/2021, 10:51 PM
Thank you @Mike Myers, that's what I suspected.
10:54 PM
I'm guessing it's a terrible idea to manually try to mount the registry hives of users.
10:55 PM
So I wonder if there's any other way to read user registry keys when they're logged out.
puffycid

07/06/2021, 11:24 PM
Darn, for some reason I thought HKEY_USERS contained all of the user keys 🙁 regardless of logon status. It looks like the only way to parse the other reg hives, I think, is to parse the registry files manually? 🤕 I was actually working on a raw reg parsing feature for osquery. Originally the focus was going to be on amcache 😃 but it may be worth expanding it to make sure it works on all reg files.
Mike Myers

07/06/2021, 11:34 PM
Directly loading the hive of a logged off user is possible, and has been discussed before occasionally. It would enable a wide variety of tables that want to access per-user values stored in each user's registry keys. Doing this could hypothetically interfere with the system also trying to load the registry hive, but since the RegLoadKey API exists I assume it can be used safely (requires Admin permission and a process with Backup permissions on its process token and maybe some other stuff).
11:37 PM
It shouldn't be necessary to use this, but I'm sharing the link because it's interesting https://docs.microsoft.com/en-us/windows/win32/devnotes/about-the-offline-registry-library