Reading and writing values in the HKEY_LOCAL_MACHINE hive in the registry is easy, because this hive is the same for all users. How would you read or write values in the HKEY_CURRENT_USER hive of a user who is not you?
Let’s assume you are admin and want to add registry values to the HKEY_CURRENT_USER hive of another user.
First you need to mount the user hive of that person. That hive is located in the NTUSER.DAT file inside the user profile of that person. As an administrator, this is what you need to run from PowerShell to mount the user hive for a user named UserTobias:
PS C:\> REG LOAD HKEY_Users\UserTobias "C:\Users\Tobias\NTUSER.DAT"
The user hive would surface in the registry in HKEY_USERS as key UserTobias, and PowerShell can access this place like this:
PS C:\> Get-ChildItem -Path Registry::HKEY_USERS\UserTobias

    Hive: HKEY_USERS\UserTobias

Name                           Property
----                           --------
AppEvents
Console                        ColorTable00 : 789516
                               ColorTable01 : 14300928
                               ColorTable02 : 958739
                               ColorTable03 : 14521914
                               ColorTable04 : 2035653
                               ColorTable05 : 9967496
                               ColorTable06 : 40129

Now it’s easy to read or even write keys and values in that particular user’s hive. This line would create a new registry key:
PS C:\> $null = New-Item -Path Registry::HKEY_USERS\UserTobias\Software\Microsoft\Windows\CurrentVersion\Test
And here is how you can read and write a value:
PS C:\> Get-ItemProperty -Path Registry::HKEY_USERS\UserTobias\Software\Microsoft\OneDrive

EnableDownlevelInstallOnBluePlus : 0
EnableTHDFFeatures               : 1
PSPath                           : Microsoft.PowerShell.Core\Registry::HKEY_USERS\UserTobias\Software\Microsoft\OneDrive
PSParentPath                     : Microsoft.PowerShell.Core\Registry::HKEY_USERS\UserTobias\Software\Microsoft
PSChildName                      : OneDrive
PSProvider                       : Microsoft.PowerShell.Core\Registry

PS C:\> Set-ItemProperty -Path Registry::HKEY_USERS\UserTobias\Software\Microsoft\OneDrive -Name EnableDownlevelInstallOnBluePlus -Value 1 -Type DWord
PS C:\> Get-ItemProperty -Path Registry::HKEY_USERS\UserTobias\Software\Microsoft\OneDrive

EnableDownlevelInstallOnBluePlus : 1
EnableTHDFFeatures               : 1
PSPath                           : Microsoft.PowerShell.Core\Registry::HKEY_USERS\UserTobias\Software\Microsoft\OneDrive
PSParentPath                     : Microsoft.PowerShell.Core\Registry::HKEY_USERS\UserTobias\Software\Microsoft
PSChildName                      : OneDrive
PSProvider                       : Microsoft.PowerShell.Core\Registry
Once you are done manipulating the HKEY_USERS registry hive, don’t forget to unload it:
PS C:\> $null = REG UNLOAD HKEY_Users\UserTobias
Note that this command will raise an “Access Denied” error if you do not have Admin privileges, or if the registry hive is in use by someone else. If you have launched regedit.exe, for example, while the user hive was mounted, regedit.exe will also show the mounted hive, and while regedit is open, the hive is locked and cannot be closed.
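
The load, edit and unload steps above can be wrapped so that the hive is always unloaded, even when the edit fails. This is an added example, not code from the original tip: Invoke-WithUserHive is a hypothetical helper name, and the garbage collection before the unload assumes that key handles still held by PowerShell's own registry provider are what keeps the hive in use.

```powershell
#requires -RunAsAdministrator
# Added example: Invoke-WithUserHive is a hypothetical helper, not a built-in cmdlet.
function Invoke-WithUserHive {
    param(
        [Parameter(Mandatory)] [string] $HivePath,     # e.g. C:\Users\Tobias\NTUSER.DAT
        [Parameter(Mandatory)] [string] $MountName,    # key name to create under HKEY_USERS
        [Parameter(Mandatory)] [scriptblock] $Action   # receives the provider path of the mounted hive
    )
    if (-not (Test-Path -LiteralPath $HivePath -PathType Leaf)) {
        throw "Hive file not found: $HivePath"
    }
    $root = "Registry::HKEY_USERS\$MountName"
    if (Test-Path -LiteralPath $root) {
        throw "HKEY_USERS\$MountName already exists; unload it or pick another name."
    }

    # REG LOAD fails when the file is locked, e.g. because that user is logged on.
    $output = & reg.exe load "HKEY_USERS\$MountName" $HivePath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "REG LOAD failed: $output" }

    try {
        & $Action $root
    }
    finally {
        # Registry key objects created by the provider keep handles into the hive
        # until they are finalized; release them before trying to unload.
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        $output = & reg.exe unload "HKEY_USERS\$MountName" 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "REG UNLOAD failed, hive still mounted at HKEY_USERS\${MountName}: $output"
        }
    }
}

# Usage with the names from the text above
Invoke-WithUserHive -HivePath 'C:\Users\Tobias\NTUSER.DAT' -MountName 'UserTobias' -Action {
    param($root)
    $key = "$root\Software\Microsoft\Windows\CurrentVersion\Test"
    if (-not (Test-Path -LiteralPath $key)) { $null = New-Item -Path $key }
    Get-ItemProperty -Path "$root\Software\Microsoft\OneDrive"
}
```

If the warning appears, close any other process that shows the mounted hive (regedit.exe, as noted above) and run REG UNLOAD again.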