Method

RegistryEnumerateUserValues

Module

NativeServices

Library

Core

Action

Get all registry values under a given key for every user under HKU.

Parameters

Subkey (string): The registry key to look for.

All values both directly under this key and all its subkeys are fetched.

Return values

Name (string): Full location of the value being retrieved.

ValueType (string): "REG_DWORD" etc. as appropriate.

Value (string): The actual value of an appropriate type, converted to a string if not one already.

Sid (string): SID the value was found under.

Username (string): Domain\Username of the aforementioned SID.

Example

 NativeServices.RegistryEnumerateUserValues(Subkey:"Control Panel\\Accessibility\\MouseKeys");

Platforms

  • Windows

Notes

Values of type REG_NONE are not supported.

From v4.1, REG_MULTI_SZ values are displayed with a '|' between each string; up to v4.0 only the first string was displayed.

At most 8192 values are returned. This limit applies to all users in total, not per user, and cannot currently be changed.

If information is retrieved from the .DEFAULT key or a _Classes key, the Username will be reported as "Unknown". It is possible to determine the owner of a _Classes key from the SID that precedes it (which will have a correct Username).

Registry values of type REG_EXPAND_SZ are not expanded. For example, the variable with Name "TEMP" in the subkey "ENVIRONMENT" usually has a value of "%USERPROFILE%\AppData\Local\Temp". This is because, for security reasons, the Tachyon Agent does not have sufficient privilege to impersonate user accounts.
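The notes above on the '|' separator, the 8192 cap, "Unknown" owners of _Classes keys and unexpanded REG_EXPAND_SZ values can be handled when post-processing the returned rows. The following is an added example, not Tachyon code: it assumes the rows are available as dicts keyed by the documented column names and that a _Classes hive is reported with a Sid of the form "<SID>_Classes"; the SID, usernames and registry paths are constructed sample data.

```python
# Added example: post-process rows returned by RegistryEnumerateUserValues.
# Assumptions: rows are dicts keyed by the documented column names, and a
# _Classes hive is reported with Sid "<SID>_Classes". Sample data is constructed.
MAX_VALUES = 8192            # cap across all users in total, per the notes
SUFFIX = "_Classes"
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed


def row(path, vtype, value, sid, user):
    return {"Name": "HKEY_USERS\\" + sid + "\\" + path, "ValueType": vtype,
            "Value": value, "Sid": sid, "Username": user}


SAMPLE = [
    row("Software\\Example\\SearchPaths", "REG_MULTI_SZ", "C:\\Tools|D:\\Bin",
        SID, "EXAMPLE\\alice"),
    row("Software\\Example\\Handler", "REG_SZ", "viewer.exe",
        SID + SUFFIX, "Unknown"),
    row("Environment\\TEMP", "REG_EXPAND_SZ",
        "%USERPROFILE%\\AppData\\Local\\Temp", ".DEFAULT", "Unknown"),
]


def normalise(rows):
    """Return (annotated copies of rows, True if the result may be truncated)."""
    # Usernames the agent did resolve, keyed by plain SID.
    owners = {r["Sid"]: r["Username"] for r in rows if r["Username"] != "Unknown"}
    out = []
    for r in rows:
        r = dict(r)
        if r["Username"] == "Unknown" and r["Sid"].endswith(SUFFIX):
            # Owner of a _Classes hive is the SID in front of the suffix. It stays
            # "Unknown" if that SID returned no rows of its own for this Subkey.
            r["OwnerSid"] = r["Sid"][:-len(SUFFIX)]
            r["Username"] = owners.get(r["OwnerSid"], "Unknown")
        if r["ValueType"] == "REG_MULTI_SZ":
            # v4.1+ joins strings with '|'; a '|' inside a string is ambiguous.
            r["Strings"] = r["Value"].split("|")
        if r["ValueType"] == "REG_EXPAND_SZ":
            # Not expanded by the agent, so %VAR% references are still literal.
            r["Unexpanded"] = "%" in r["Value"]
        out.append(r)
    # Hitting the cap means later users' values may be missing.
    return out, len(rows) >= MAX_VALUES


if __name__ == "__main__":
    for r in normalise(SAMPLE)[0]:
        print(r["Sid"], r["Username"], r["ValueType"], r["Value"])
```

A result flagged as possibly truncated is best re-queried with a narrower Subkey, since the cap cannot be raised.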

Warning

This method may attempt to call AD to translate a SID to a username.