HKEY_CURRENT_USER stored where?

  1. #1
    Senior Member
    Join Date
    Feb 2002
    Posts
    500

    HKEY_CURRENT_USER stored where?

    Ok, I searched a bit for this but haven't found the answer I'm looking for yet...

    You can see what is in hkey_current_user while logged in as that user, but my question is: Where is that information stored when you're not logged on as that user? Say I want to see what is in hkey_current_user for account: cross and I am logged in as Administrator. Is there a way to find out what's there other than logging on as that user?

    Thanks in advance!
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    It's stored in the user's profile. It's the ntuser.dat file.

    If the user is currently logged on you can find his/her SID under HKEY_USERS.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Junior Member
    Join Date
    May 2004
    Posts
    27
    You can find it here:

    Go to Start --> Run and type Regedit

    Just don't ***** a lot with it, you may crash your computer

  4. #4
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,251
    regedt32

    highlight Current_User

    File
    Load Hive

  5. #5
    Senior Member
    Join Date
    Feb 2002
    Posts
    500
    Originally posted here by dinowuff
    regedt32

    highlight Current_User

    File
    Load Hive
    This sounds like what I needed, but I can only "Load Hive" under Hkey_users. When hkey_current_user is highlighted the Load Hive option is greyed out.
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/

  6. #6
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,251
    I'm sorry, you have to unload the hive first. You have to be logged on as Local Admin. Just like me to leave out steps - my bad
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  7. #7
    Senior Member
    Join Date
    Feb 2002
    Posts
    500
    Originally posted here by dinowuff
    I'm sorry, you have to unload the hive first. You have to be logged on as Local Admin. Just like me to leave out steps - my bad
    Ok, Unload hive is greyed out on all hives, and Load hive is only selectable on Hkey_users and Hkey_current_config. I am logged in as Administrator, and this is WinXP pro if that makes any difference. I know what you're saying to do is probably what I need but it's not working!
    Thanks again for all the replies!
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/

  8. #8
    Senior Member
    Join Date
    Feb 2002
    Posts
    500
    c'mon guys!
    Sounded like we almost had the right answer, but as I said, the options I need are greyed out!!! Anyone know what to do?
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/

  9. #9
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,251
    You're logged in as the local admin or as a network admin?

  10. #10
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    What dinowuff is saying definitely works..

    I used regedt32.exe instead of regedit... I dunno if it makes a difference...


    1. Open regedt32.exe (or try regedit.exe)
    2. Click on HKU
    3. Go to File --> Load Hive
    4. Browse to the other user's profile and select ntuser.dat
    5. Enter the username (or any other unique name... just username makes it easily identifiable) in the dialog-box.
    6. Expand HKU and you'll see the name you entered...
    7. Expand the username key
    8. Expand HKCU. (Notice that the HKU\<username> and HKCU have the same keys.... It's that user's HKCU hive, you just have to load/mount it under HKU)
    9. Play with HKU\<username> to your heart's content.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
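
The load, inspect and unload steps from post #10, scripted with reg.exe from PowerShell. This is an added example, not code posted by anyone in the thread. The function name, the mount name, the default subkey and the sample WinXP profile path are assumptions chosen for illustration.

```powershell
# Added example: mount another user's NTUSER.DAT under HKEY_USERS, read one key,
# then unmount it again. Run elevated; the target user must be logged off,
# because the hive file is locked while that profile is loaded.
function Read-OfflineUserHive {
    param(
        [Parameter(Mandatory)] [string] $HivePath,    # path to the profile's NTUSER.DAT
        [Parameter(Mandatory)] [string] $MountName,   # temporary key name under HKU
        # Assumed default: the per-user autorun key, a common thing to review.
        [string] $SubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
    )

    # NTUSER.DAT is hidden, so test with .NET rather than relying on provider defaults.
    if (-not [System.IO.File]::Exists($HivePath)) {
        throw "Hive file not found: $HivePath"
    }
    if (Test-Path "Registry::HKEY_USERS\$MountName") {
        throw "HKU\$MountName already exists; choose another mount name"
    }

    & reg.exe load "HKU\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg load failed (prompt not elevated, or hive in use by a logged-on user)"
    }

    try {
        $keyPath = "Registry::HKEY_USERS\$MountName\$SubKey"
        if (Test-Path $keyPath) {
            $key = Get-Item $keyPath
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Name = $name; Value = $key.GetValue($name) }
            }
            $key.Close()   # release the handle, or the unload below will fail
        }
    }
    finally {
        # Drop any lingering registry handles before unmounting.
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$MountName" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "HKU\$MountName is still loaded; close open handles and unload it manually"
        }
    }
}

# Usage (assumed default WinXP profile location for the account 'cross'):
# Read-OfflineUserHive -HivePath 'C:\Documents and Settings\cross\NTUSER.DAT' -MountName 'cross_offline'
```

Loading a hive can write to the file and its log files, so when the profile is being examined as evidence, run this against a copy of ntuser.dat rather than the original.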
