Windows Registry, Viewing Remote User's Registry Settings when the user is logged on to remote system

Hi,

Is it possible to view a user’s registry settings without mounting the user’s ntuser.dat file via regedit? We are talking about an AD environment here. The only way that I am able to do this is to make sure that the user is not logged onto the remote system, run regedit, mount the remote registry and mount the user’s ntuser.dat file. I do not know of any Active Directory way, and I am not aware of any tool that can do this without having to log out the user. Is there a CLI way? I was considering using shadow copy, but that is a PITA and I would really like to avoid it if possible.

I have been searching for some time now and I still cannot get an answer to this. Does anyone know?

You should just be able to go to <computer>\HKEY_USERS\<user_id> after mounting the remote registry?


Hey @TheCakeIsNaOH,

Thanks. I tried that a couple of times and was only seeing the default SIDs of S-1-5-18, S-1-5-19 and S-1-5-20. Now I tried it again on the same machine and see more. Do you know if the user needs to be logged in for this or is it that the user needed to have logged in previously at least once?

I think the user must be logged in; if they are not logged in, then you have to mount the ntuser.dat file.


Thank you very, very much.
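
A CLI way to check what the thread describes, as an added example that is not part of the original posts: it compares the profiles registered on a remote machine with the hives currently loaded under its HKEY_USERS, so you can see which users can be browsed directly and which still need their ntuser.dat mounted. The function name `Get-RemoteUserHiveStatus` and the computer name `PC-EXAMPLE01` are hypothetical; it assumes the Remote Registry service is running on the target and that you have administrative rights there.

```powershell
# Added example; Get-RemoteUserHiveStatus and PC-EXAMPLE01 are hypothetical names.
# Assumes the Remote Registry service is running on the target and the caller is an admin there.
function Get-RemoteUserHiveStatus {
    param(
        [Parameter(Mandatory)] [string] $ComputerName
    )
    $hive = [Microsoft.Win32.RegistryHive]
    $hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive::Users, $ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive::LocalMachine, $ComputerName)
    try {
        # Hives currently loaded under HKEY_USERS (skip the <SID>_Classes companions).
        $loaded = @($hku.GetSubKeyNames() | Where-Object { $_ -notlike '*_Classes' })

        # Every profile registered on the machine, whether its hive is loaded or not.
        $profileList = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList')
        foreach ($sid in $profileList.GetSubKeyNames()) {
            $entry = $profileList.OpenSubKey($sid)

            # SID -> DOMAIN\user, resolved from the machine running this script.
            # Local accounts of the remote machine will not resolve; keep the raw SID then.
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $sid
            }

            [pscustomobject]@{
                Account     = $account
                Sid         = $sid
                # Do not expand %variables% with the local machine's environment.
                ProfilePath = $entry.GetValue('ProfileImagePath', $null, 'DoNotExpandEnvironmentNames')
                HiveLoaded  = $loaded -contains $sid
            }
            $entry.Close()
        }
        $profileList.Close()
    }
    finally {
        $hku.Close()
        $hklm.Close()
    }
}

# HiveLoaded = True  -> the settings are readable at <computer>\HKEY_USERS\<Sid>.
# HiveLoaded = False -> the ntuser.dat under ProfilePath has to be mounted first.
Get-RemoteUserHiveStatus -ComputerName 'PC-EXAMPLE01' | Format-Table -AutoSize
```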