@Utsav Shah if you are running osquery as sudo/root it should be able to pull from any SID in HKEY_USERS

hmm. I am noticing that users seem to be disappearing from HKEY_USERS from time to time. maybe they're disappearing for other reasons

are these local or domain accounts?

type=local

. i'm filtering out the

roaming

accounts

The users' registry hives are not mounted when they are logged out, so they are not accessible from the Registry tree.

thank you @Mike Myers, that's what I suspected

darn for some reason i thought HKEY_USERS contained all of the user keys 🙁 regardless of logon status it looks like the only way to parse the other reg hives i think is to parse the registry files manually? 🤕 i was actually working on a raw reg parsing feature for osquery originally the focus was going to be on amcache :) but it may be worth expanding it to making sure it works on all reg files

Directly loading the hive of a logged off user is possible, and has been discussed before occasionally. It would enable a wide variety of tables that want to access per-user values stored in each user's registry keys. Doing this could hypothetically interfere with the system also trying to load the registry hive, but since the

RegLoadKey

API exists I assume it can be used safely (requires Admin permission and a process with Backup permissions on its process token and maybe some other stuff).