I understood that HKEY_CURRENT_USER is actually a pointer to the specific SID of the logged-in user under HKEY_USERS. HKEY_USERS holds only the users that have logged in at least once. Do you know where I can find the registry data of users who are not logged on?
The HKEY_USERS hive contains all users' data. Each sub-hive under HKEY_USERS is named after the SID of a user and contains user-specific data. When a user logs on to the system, Windows loads the sub-hive corresponding to the logged-on user's SID from HKEY_USERS into HKEY_CURRENT_USER.
So, if you want to access another (not logged-in) user's data, you can do so by directly accessing the HKEY_USERS\sid-of-user\ hive. Now, the question is how to get the SID of a username. To do this, you need to enumerate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList hive. Each registry key under this hive is an SID. The value ProfileImagePath gives the username associated with it.
Examples:
http://support.microsoft.com/kb/154599
http://support.microsoft.com/kb/243330
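The lookup described in the answer above, as an added PowerShell example that is not part of the original answer: it enumerates ProfileList, reads ProfileImagePath for each SID, resolves the SID to an account name, and checks whether a key for that SID is currently present under HKEY_USERS. The output column names are chosen for this example.

```powershell
# Added example: map each profile SID to its profile path and account name,
# and report whether a key for that SID currently exists under HKEY_USERS.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

Get-ChildItem -Path $profileList | ForEach-Object {
    $sid = $_.PSChildName

    # ProfileImagePath holds the profile directory, e.g. C:\Users\<name>
    $path = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath `
                -ErrorAction SilentlyContinue).ProfileImagePath
    if (-not $path) { return }   # skip keys that have no ProfileImagePath value

    # Resolve the SID to an account name. This throws for malformed key names
    # and for accounts that no longer exist or cannot be looked up.
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sid).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<unresolved>'
    }

    [pscustomobject]@{
        SID         = $sid
        Account     = $account
        ProfilePath = $path
        UnderHKU    = Test-Path -Path "Registry::HKEY_USERS\$sid"
    }
} | Format-Table -AutoSize
```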