Method: RegistryGetUserValues
Module: NativeServices
Library: Core

Action

Fetch a registry value for every user under HKU.

Parameters

Subkey (string): The registry key to look for.
Name (string): The name of the registry value for which to fetch its value. Use an empty string to get the (default) value.
UsersOnly (bool, optional, default false): Get values only for keys representing "real" users (and not for keys representing system pseudo-users or groups).
Return values

Name (string): Full location of the value being retrieved.
ValueType (string): "REG_DWORD" etc. as appropriate.
Value (string): The actual value of an appropriate type, converted to a string if not one already.
Sid (string): SID the value was found under.
Username (string): Domain\Username of the aforementioned SID.
Example
 NativeServices.RegistryGetUserValues(Subkey:"Console", Name:"FaceName");
Platforms
  • Windows
Notes

Values of type REG_NONE are not supported.

From v4.1, REG_MULTI_SZ values are displayed with a '|' between each string; up to v4.0 only the first string was displayed.

At most 8192 values are returned. This limit applies to all users in total, not per user, and is currently not configurable.

If the subkey or registry value name does not exist, then the method will return Success (no content).

If searching for the (default) value and it is 'not set', then the method will return Success (no content).

Empty values are returned; empty values are not the same as 'not set'.

If information is retrieved from the .DEFAULT key or a _Classes key, the Username will be reported as "Unknown". It is possible to determine the owner of a _Classes key from the SID that precedes it (which will have a correct Username).

Registry values of type REG_EXPAND_SZ are not expanded; for example, the variable with Name "TEMP" in the subkey "ENVIRONMENT" usually has a value of "%USERPROFILE%\AppData\Local\Temp". This is because, for security reasons, the Tachyon Agent is not granted the privilege to impersonate user accounts.

Warning

This method may attempt to call AD to translate a SID to a username.
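As an added illustration of the documented behaviour (not 1E's code and not how the Tachyon Agent implements this method), the following PowerShell walks HKU directly and reproduces the notes above: no row for a missing subkey or value, REG_NONE skipped, REG_MULTI_SZ joined with '|', REG_EXPAND_SZ left unexpanded, "Unknown" for .DEFAULT and _Classes hives, a total cap of 8192 rows, and a SID-to-name translation that may query AD. The function name, the S-1-5-21-* pattern used to select "real" users, and the REG_* name map are assumptions.

```powershell
# Added example, not Tachyon Agent code. Function name and REG_* name map are assumptions.
function Get-HKUUserValues {
    param(
        [Parameter(Mandatory)][string]$Subkey,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Name,   # '' = the (default) value
        [switch]$UsersOnly
    )
    $typeNames = @{ String='REG_SZ'; ExpandString='REG_EXPAND_SZ'; Binary='REG_BINARY'
                    DWord='REG_DWORD'; MultiString='REG_MULTI_SZ'; QWord='REG_QWORD' }
    $limit = 8192   # documented cap, counted across all users, not per user
    $emitted = 0
    $hku = [Microsoft.Win32.Registry]::Users
    foreach ($sid in $hku.GetSubKeyNames()) {
        if ($emitted -ge $limit) { break }
        # Assumption: "real" users are hives whose SID is S-1-5-21-<domain>-<rid>; this skips
        # system pseudo-users (S-1-5-18/19/20), .DEFAULT and *_Classes hives.
        if ($UsersOnly -and $sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }
        try { $key = $hku.OpenSubKey("$sid\$Subkey") } catch { $key = $null }
        if (-not $key) { continue }                 # subkey missing: no row (Success, no content)
        try   { $kind = $key.GetValueKind($Name) }  # throws if value missing or (default) not set
        catch { $key.Close(); continue }
        if ($kind.ToString() -eq 'None') { $key.Close(); continue }   # REG_NONE is not supported
        # DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ as stored, e.g. "%USERPROFILE%\...".
        $raw = $key.GetValue($Name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $key.Close()
        $value = switch ($kind.ToString()) {
            'MultiString' { $raw -join '|' }                                         # v4.1+ separator
            'Binary'      { ($raw | ForEach-Object { $_.ToString('X2') }) -join '' }
            default       { [string]$raw }                                          # '' stays '' (empty, not 'not set')
        }
        # .DEFAULT and *_Classes hives are reported as Unknown; others are translated (may call AD).
        if ($sid -eq '.DEFAULT' -or $sid -like '*_Classes') { $user = 'Unknown' }
        else {
            try   { $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                               [System.Security.Principal.NTAccount]).Value }
            catch { $user = 'Unknown' }
        }
        $emitted++
        [pscustomobject]@{
            Name      = "HKU\$sid\$Subkey\$Name"
            ValueType = $typeNames[$kind.ToString()]
            Value     = $value
            Sid       = $sid
            Username  = $user
        }
    }
}
# Same query as the page's example: Console\FaceName for every loaded user hive.
Get-HKUUserValues -Subkey 'Console' -Name 'FaceName' | Format-Table -AutoSize
```

Reading other users' hives under HKU requires an elevated session; only hives currently loaded (logged-on users plus .DEFAULT and service accounts) are visible.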