
Remove registry key from HKEY_CURRENT_USER for ALL users


shashi

Aug 5, 2004, 11:03:10 AM
Our product creates per user profile under key
HKEY_CURRENT_USER\Software\Our Company Name\. So for each user account
that uses our product on a system a new profile is created under their
own HKEY_CURRENT_USER.

While uninstalling our product I would like to remove the profiles for
all the users on that system. How can one achieve this? The assumption
is the user that uninstalls the product has Administrative privilege.

Any input is greatly appreciated.

Thanks in advance,

Shashi

Patrick Philippot

Aug 5, 2004, 11:37:27 AM
shashi wrote:
> Our product creates per user profile under key
> HKEY_CURRENT_USER\Software\Our Company Name\. So for each user account
> that uses our product on a system a new profile is created under their
> own HKEY_CURRENT_USER.
>
> While uninstalling our product I would like to remove the profiles for
> all the users on that system. How can one achieve this? The assumption
> is the user that uninstalls the product has Administrative privilege.

Hi,

HKEY_CURRENT_USER is only an alias to the subkey of HKEY_USERS that
represents the current user (to be more accurate, the current user is
the user that owns the current process - not necessarily the interactive
user). The subkey is the user's SID. So HKEY_CURRENT_USER is just an
alias for HKEY_USERS\<user_SID>.

To enumerate all the subkeys of HKEY_USERS, you need to

- Enumerate all users (NetEnumUser)
- Get the SID for each user (LookupAccountName)
- Open the HKEY_USERS\<user_SID> key (provided your process has the
permission to do so)

--
Patrick Philippot - Microsoft MVP
MainSoft Consulting Services
www.mainsoft.fr


Torgeir Bakken (MVP)

Aug 5, 2004, 1:00:34 PM
shashi wrote:

Hi

This is a bit tricky; you would need to load each user's NTUSER.dat file
into a registry hive.

To get a list of all the users' paths to NTUSER.dat, enumerate the keys under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
and look for the value ProfileImagePath.


E.g. Reg.exe can be used to load and manipulate a hive:

Reg.exe LOAD HKLM\TempHive "C:\Documents and Settings\Tor\NTUSER.DAT"


Reg.exe comes built in with WinXP and Win2k3.

Reg.exe for Win2k is in the Support Tools found on the Win2k CD,
\Support\Tools\Suptools.msi, or for the latest version of
Support Tools (should work on non-SP4 computers as well):

http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/supporttools.asp

Run "Reg.exe /?" in a command prompt for more help.


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Torgeir Bakken (MVP)

Aug 5, 2004, 1:01:58 PM
Patrick Philippot wrote:

> shashi wrote:
>
>>Our product creates per user profile under key
>>HKEY_CURRENT_USER\Software\Our Company Name\. So for each user account
>>that uses our product on a system a new profile is created under their
>>own HKEY_CURRENT_USER.
>>
>>While uninstalling our product I would like to remove the profiles for
>>all the users on that system. How can one achieve this? The assumption
>>is the user that uninstalls the product has Administrative privilege.
>
>

> HKEY_CURRENT_USER is only an alias to the subkey of HKEY_USERS that
> represents the current user (to be more accurate, the current user is
> the user that owns the current process - not necessarily the interactive
> user). The subkey is the user's SID. So HKEY_CURRENT_USER is just an
> alias for HKEY_USERS\<user_SID>.
>
> To enumerate all the subkeys of HKEY_USERS, you need to
>
> - Enumerate all users (NetEnumUser)
> - Get the SID for each user (LookupAccountName)
> - Open the HKEY_USERS\<user_SID> key (provided your process has the
> permission to do so)

Hi

Note that HKEY_USERS contains only a very limited amount of registry
data for the other users on the computer...

Patrick Philippot

Aug 6, 2004, 3:12:04 AM
Torgeir Bakken (MVP) wrote:
> Note that HKEY_USERS contains only a very limited amount of registry
> data for the other users on the computer...

Hi Torgeir,

?? Could you elaborate a little? HKEY_USERS\<SID_of_current_user>
contains exactly the same data as HKEY_CURRENT_USER because it's
actually the same key (HKEY_CURRENT_USER doesn't actually exist). Just,
HKEY_USERS\<SID> keys for other users are not visible in RegEdit. Or did
I miss something?

"Martin v. Löwis"

Aug 6, 2004, 9:14:35 AM
Patrick Philippot wrote:
> ?? Could you elaborate a little? HKEY_USERS\<SID_of_current_user>
> contains exactly the same data as HKEY_CURRENT_USER because it's
> actually the same key (HKEY_CURRENT_USER doesn't actually exist). Just,
> HKEY_USERS\<SID> keys for other users are not visible in RegEdit. Or did
> I miss something?

Yes. I think you missed the claim that HKEY_USERS\<SID> is different
for anybody *but* the current user, compared to what it would be
if the users were logged in. To confirm this, just dump HKEY_USERS\<SID>
for a user who is currently not logged in, then log in as that user,
dump again, and compare the two dumps.

Regards,
Martin

Patrick Philippot

Aug 6, 2004, 11:22:17 AM
Martin v. Löwis wrote:
> Yes. I think you missed the claim that HKEY_USERS\<SID> is different
> for anybody *but* the current user, compared to what it would be
> if the users were logged in. To confirm this, just dump
> HKEY_USERS\<SID> for a user who is currently not logged in, then log
> in as that user, dump again, and compare the two dumps.

Martin,

There must be some misunderstanding there.

Do you mean accessing and dumping these keys via RegEdit or
programmatically? In RegEdit, besides the system accounts currently logged
on, I'm unable to see (and therefore dump) any other user hive than
mine. If I log on as another user, I can only see that user's hive (+
the system accounts). I'm running XP.

If we are talking about the limitations of RegEdit, I'm aware that it
doesn't show all information. When I use another registry editor like
Resplendence Registrar, I see keys in that editor that RegEdit doesn't
show me.

Torgeir Bakken (MVP)

Aug 6, 2004, 12:04:40 PM
Patrick Philippot wrote:

> Torgeir Bakken (MVP) wrote:
>
>>Note that HKEY_USERS contains only a very limited amount of registry
>>data for the other users on the computer...
>
>
> Hi Torgeir,
>
> ?? Could you elaborate a little? HKEY_USERS\<SID_of_current_user>
> contains exactly the same data as HKEY_CURRENT_USER because it's
> actually the same key (HKEY_CURRENT_USER doesn't actually exist). Just,
> HKEY_USERS\<SID> keys for other users are not visible in RegEdit. Or did
> I miss something?
>

Hi

You are correct that you will find your (current) HKEY_CURRENT_USER data
under HKEY_USERS, but you will not find all other users' registry data
there (that was what I tried to say).

Shashi wanted to remove registry entries from all users' HKEY_CURRENT_USER
in one sweep; to be able to do that, you will need to find each user's
NTUSER.DAT and load it as a registry hive in one way or another.

Patrick Philippot

Aug 6, 2004, 1:14:08 PM
Torgeir Bakken (MVP) wrote:
> You are correct that you will find your (current) HKEY_CURRENT_USER
> data under HKEY_USERS, but you will not find all other users registry
> data there (that was what I tried to say).

Let's try this

1. Download this package: http://www.chem.msu.su/~rudnyi/NT/sid.zip

2. User2Sid is a command line interface to LookupAccountName. Enter the
following on the command line:

c:\>user2sid Administrator (or any other local user name - we assume
you're not logged on as this user)

This will display the Administrator's SID:

3. Use the REG utility as follows:

c:\> reg query HKU\<Admin_SID> /s

You'll get the contents of the Administrator's HKU hive. I did this as
an admin, however. The process may stop on some key requiring special
permissions.

Which demonstrates that the method I explained should work, at least for
"ordinary" keys not requiring special access rights. Martin claims that
you won't get the same information from the HKU hive depending on
whether the currently logged on user is the target user for the query. I
guess this is true in Regedit (that selects the displayed information),
but when done programmatically, the result should be the same.

Torgeir Bakken (MVP)

Aug 6, 2004, 2:59:58 PM
Patrick Philippot wrote:

Hi

My understanding is that other users' "HKEY_CURRENT_USER" is not available
unless you explicitly load their respective NTUSER.DAT.

Your procedure above does not work for me against the Administrator SID
(this from another user with local admin rights), see here:


E:\sid>user2sid.exe Administrator

S-1-5-21-1397591522-2243138800-104724495-500

Number of subauthorities is 5
Domain is Y9042770-69
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser

E:\sid>reg query HKU\S-1-5-21-1397591522-2243138800-104724495-500 /s

Error: The system was unable to find the specified registry key or value

E:\sid>

But this works:

E:\>reg load HKLM\TmpHive "C:\Documents and Settings\Administrator\NTUSER.DAT"

The operation completed successfully

E:\>reg query HKLM\TmpHive /s

[snip] big registry dump

Adrian Accinelli

Aug 6, 2004, 5:56:26 PM
Shashi,

Torgeir has the right idea -- basically enumerate the local profile list,
load the individual hives manually and make your changes.

However there are a few more things to worry about:
1. If the user account is roaming, the hive might not be accessible at
uninstall (or at the time you enumerate the profile list and attempt to load
the hive).
2. Loading hives for writing requires the SE_RESTORE_NAME privilege, which
Admin accounts don't have by default but can ask for (the System account has
it by default). IIRC a deferred MSI executable CA does not get this privilege
by default.
3. Reg.exe is a console program and cannot be made silent (but you can do the
exact same thing in code using the RegLoadKey/RegUnLoadKey functions).
4. On multi user 9x platforms the hive name is simply user.dat.
5. If the user has a mandatory profile account, the hive has a .man extension
instead of .dat.
6. In a TSE/MultiUser environment, the hive might be in use and so the hive
load will fail.

I think there's a couple more cases where roaming could mess the hive load
up (especially if you are targeting NT4) but I can't seem to recall what
they are.

If your intent is more for internal use rather than for wide distribution,
another approach is to simply delete the HKCU values by running a script
during the user's logon process. You can remove the static HKCU entries in
many different ways including launching reg.exe in a .bat/.cmd, using any
type of Windows Script (vbs, etc), or even through a [-HKCU\key] section in
a .reg file launched by "regedit /s regfile".

BTW I was told in the past by Microsoft that the removal of per-user data
for secondary user accounts falls outside of the specifications for Windows
Installer itself.

Sincerely,
Adrian Accinelli
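
The procedure discussed above (enumerate ProfileList, load each user's hive with reg.exe, delete the key, unload), as an added PowerShell example that is not part of the original thread or any poster's code. The key name is the placeholder from the question; the mount name `TmpHive` and the `-DryRun` switch are assumptions.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell prompt.
# $SubKey is the placeholder key from the question; $Mount and -DryRun are assumptions.
param(
    [string]$SubKey = 'Software\Our Company Name',
    [string]$Mount  = 'TmpHive',
    [switch]$DryRun
)

# Delete $SubKey below a registry root using reg.exe only, so that no PowerShell
# registry-provider handle stays open on a hive that has to be unloaded afterwards.
function Remove-VendorKey([string]$Root) {
    reg.exe query "$Root\$SubKey" *> $null
    if ($LASTEXITCODE -ne 0) { return 'key not present' }
    if ($DryRun) { return 'would delete' }
    reg.exe delete "$Root\$SubKey" /f *> $null
    if ($LASTEXITCODE -eq 0) { 'deleted' } else { 'delete failed' }
}

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($entry in Get-ChildItem $profileList) {
    $sid = $entry.PSChildName
    if ($sid -notmatch '^S-1-5-21-[\d-]+$') { continue }   # skip system accounts, .bak entries

    if (Test-Path "Registry::HKEY_USERS\$sid") {
        # Hive is already loaded (user logged on): edit it in place, never unload it.
        $result = Remove-VendorKey "HKU\$sid"
    } else {
        $dir  = $entry.GetValue('ProfileImagePath')
        # Mandatory profiles use NTUSER.MAN; a roaming profile may have no local copy.
        $hive = 'NTUSER.DAT', 'NTUSER.MAN' | ForEach-Object { "$dir\$_" } |
                Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
        if (-not $hive) {
            $result = 'no local hive file found'
        } else {
            reg.exe load "HKLM\$Mount" $hive *> $null
            if ($LASTEXITCODE -ne 0) {
                $result = 'load failed (hive in use or access denied)'
            } else {
                $result = Remove-VendorKey "HKLM\$Mount"
                reg.exe unload "HKLM\$Mount" *> $null
                if ($LASTEXITCODE -ne 0) { $result += '; unload failed, hive still mounted' }
            }
        }
    }
    [pscustomobject]@{ SID = $sid; Profile = $entry.GetValue('ProfileImagePath'); Result = $result }
}
```

Running it with `-DryRun` first lists which profiles hold the key without deleting anything.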


Patrick Philippot

Aug 9, 2004, 3:00:47 AM
Torgeir Bakken (MVP) wrote:
> Your procedure above does not work for me against the Administrator
> SID (this from another user with local admin rights), see here:

So I'll have to determine why it works for me under the same conditions
:-)) This must be related to the security policy applied to the system.
I do know that my system certainly doesn't have standard settings in
this area. So your approach is likely to work in most cases and is
therefore preferable to mine.

Cheers.

John

Aug 11, 2004, 11:47:01 PM
I would have a custom action or script or some such that enums the folders
under the windows\profile doing RegLoadKey(windows\profile\user\ntuser.dat)
in each and then use RegOpenKey etc as normal. This has worked for me in the
past....

saksak24

Aug 12, 2004, 8:09:47 AM
Most straightforward way would be a custom action that adds a silent exe or
vbs to delete if exists the appropriate HKCU key run from
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry when the user
next logs on. Ensure you have an install ca to remove this key if there are
reinstalls.

"John" <Jo...@discussions.microsoft.com> wrote in message
news:56C906F9-09DA-42AA...@microsoft.com...

t.teja...@gmail.com

Mar 20, 2019, 4:32:06 AM
Hi

I have an Excel add-in implemented. I want to delete the Excel add-in for all users. Can you help me with the VBScript which deletes the Excel add-in for all users?
Excel add-in path: HKCU\software\microsoft\office\15.0\excel\options.
I need to check for the open key and delete it for all users.

timo...@gmail.com

Mar 20, 2019, 6:31:32 PM
How is this question related to this ancient thread?

elizabeth R

Mar 24, 2019, 7:04:39 PM
So Sha Shi, why would someone want to do that?

sumedhago...@gmail.com

Apr 27, 2020, 6:42:15 AM
On Thursday, August 5, 2004 at 8:33:10 PM UTC+5:30, shashi wrote: