Deploying a Registry Key / Value to HKEY_CURRENT_USER (HKCU) or All Users in HKEY_USERS (HKU)

A question that comes up periodically is “How can I deploy a registry key or value to the HKEY_CURRENT_USER (HKCU) hive of the registry on a target computer or group of computers?”

If you were to follow the tutorial at this link to deploy a .reg file to target computers, you might have unexpected results if the key/value described inside the .reg file is intended for the HKCU hive of the target computer registry. If you deploy the .reg file and then take a look in HKCU, you might not see the key/value created. There are a couple of reasons for this.

Understanding the HKEY_CURRENT_USER (HKCU) Registry Hive

First, HKCU represents the registry hive of the current user. When you deploy a .reg file in BatchPatch, the current user is going to be the user that executed the deployment. However, you probably want the registry key/value to end up in the current user hive for the user who logs on to the target computer, not the user who deploys the registy key/value in BatchPatch. So, if you are trying to deploy to HKCU, then you would need to execute the deployment with the same user account under which you want to be able to see the registry key/value exist on the target computer.

Second, if you are deploying a registry key/value, using the method linked above, directly to HKCU, then you need to set your BatchPatch ‘remote execution context’ for the deployment to ‘Elevated token‘ as opposed to ‘SYSTEM‘. More details on configuring the ‘remote execution context’ here: ‘Remote Execution Context‘. If you deploy to HKCU under the ‘SYSTEM’ remote execution context, the registry key/value will actually end up under the Local System account’s registry hive, which is not what you want. However, below I demonstrate a more effective and simpler way of deploying a registry key/value to HKCU by not actually deploying directly to HKCU but instead deploying to HKU for each user that has logged on to the computer.

It’s important to understand that the HKEY_CURRENT_USER (HKCU) hive of the registry is really just a view or mirror of a particular SID’s subkey under HKEY_USERS (HKU). That is to say that under HKU you will see one SID for each user account that has been created on the computer. In the screenshot below you can see the SIDs for the built-in accounts above the SIDs for the actual user accounts that have logged on to the computer.

The most effective way of deploying a registry key/value to HKCU is to actually not deploy directly to HKCU but rather to deploy to HKEY_USERS\SID of the desired user(s). Realistically in most cases if you are trying to deploy a registry key/value to HKCU, you want that registry key/value to be deployed for all users of the computer, not just a particular one. Although we may add functionality in a future version of BatchPatch that enables the administrator to easily deploy a registry key/value to all SIDs under HKEY_USERS, currently the only way to do this is with a custom script. Below you can see the script that I have written to handle this process.

Script to Create a Registry Key and Value Under All SIDs in HKEY_USERS

strComputer = "."
strRegPathSuffix = "\Software\Microsoft\Office\15.0\Common\Identity"
strRegValueName = "EnableADAL"
intRegValuDec = "1"
Const HKEY_USERS = &H80000003
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = ""
oReg.EnumKey HKEY_USERS, strKeyPath, arrSubKeys
For Each subkey In arrSubKeys
    'wscript.echo subkey
	'We only want to do something if the subkey does not contain any of the following: .DEFAULT or S-1-5-18 or S-1-5-19 or S-1-5-20 or _Classes
	If NOT ((InStr(1,subkey,".DEFAULT",1) > 0) OR (InStr(1,subkey,"S-1-5-18",1) > 0) OR (InStr(1,subkey,"S-1-5-19",1) > 0) OR (InStr(1,subkey,"S-1-5-20",1) > 0) OR (InStr(1,subkey,"_Classes",1) > 0)) Then
		'Create desired registry key/value
		strKeyPath = subkey & strRegPathSuffix
		'wscript.echo strKeyPath
		oReg.CreateKey HKEY_USERS, strKeyPath
		oReg.SetDWORDValue HKEY_USERS, strKeyPath, strRegValueName, intRegValuDec
	End If

If you run the above script on a single computer as-is, it will enumerate all of the subkeys under HKEY_USERS, and then it will insert the desired registry key and value (the reg key and value are defined at the top of the script) into each of the HKEY_USERS subkeys for any actual user who has logged on to the computer. We skip any subkeys that contain “.DEFAULT” or “S-1-5-18” or “S-1-5-19” or “S-1-5-20” or “_Classes” so that we only end up inserting the desired key/value into the subkeys that correspond to actual users of the computers.

Executing the Script

If you want to run the script, save the script text to a text file with a .vbs extension. For the sake of this example we’ll just call it script.vbs. You could double-click on script.vbs to run it on a single computer. However, if you want to deploy the script to numerous computers, using BatchPatch, it’s very quick and easy to that. Of course the first thing you should do is modify the script so that the registry key and value that will be deployed are the key and value that you are trying to deploy. Modify the values for strRegPathSuffix, strRegValueName, and intRegValuDec so that you can deploy the desired key and value.

Note, on the target computer when the script runs the key must be created first in order for the value to be created successfully, so in the script you can see that we create the key first and then we create the value immediately after that. You will not be able to create the value if the key does not already exist and you do not create it.

To deploy the registry key/value to numerous computers using BatchPatch, all we really have to do is deploy the script to those computers. When the script is executed on those computers, the registry key/value will be created for each user that has logged on to the computer, based on the SIDs that the script finds in HKEY_USERS. Select the desired computers in the BatchPatch grid, and then click on ‘Actions > Deploy > Create/modify

Your deployment should look like the screenshot above. When you execute it, BatchPatch will copy the script.vbs file to each of the highlighted target computers, and then it will execute the script on each of those computers too. The result will be that each user who has ever logged on to any of the target computers will see the registry key/value under his/her own HKCU hive of the registry. NOTE: If a user has not ever logged on to one of the target computers, then when he/she logs on for the first time he/she will not see the key/value under his/her own HKCU hive of the registry because the script cannot create the key/value for users who don’t already exist on the computer. In such a case you would have to re-run the script after a new user has logged on to the computer for the first time, because that user’s SID will only exist in HKEY_USERS *after* he/she logs on to the computer for the first time.

This entry was posted in Blog, General, Tutorials and tagged , , , , , , . Bookmark the permalink. Both comments and trackbacks are currently closed.