How to load registry hive for a newly created windows user who have never login?

0

I created a new windows user using C# and I would like to restrict list of apps to run through setting registry using C#. But the user profile and its registry is not initialized yet, since the user has never login, it will not have registry hive loaded and I cannot make changes.

I have tried Process.start() and set LoadUserProfile=true. I can see that the folder for the user is created under C:\Users\ However, if I get the user's sid and check HKEY_USERS\ , there is no such entry. I learned that when a user login, windows will load the registry hive, and unload when log out. Therefore I need to load the registry hive without user login.

Reference:

Editing registry value for newly created user

Load registry hive from C# fails

Get sid

NTAccount user = new NTAccount(username);
SecurityIdentifier s =  (SecurityIdentifier)user.Translate(typeof(SecurityIdentifier));
string sidString = s.ToString();

Load Registry

public class RegistryTest
{
    [StructLayout(LayoutKind.Sequential)]
    private struct LUID
    {
        public uint LowPart;
        public int HighPart;
    }

    [StructLayout(LayoutKind.Sequential)]
    private struct LUID_AND_ATTRIBUTES
    {
        public LUID pLuid;
        public UInt32 Attributes;
    }

    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    private struct TokPriv1Luid
    {
        public int Count;
        public LUID Luid;
        public UInt32 Attr;
    }

    private const Int32 ANYSIZE_ARRAY = 1;
    private const UInt32 SE_PRIVILEGE_ENABLED = 0x00000002;
    private const UInt32 TOKEN_ADJUST_PRIVILEGES = 0x0020;
    private const UInt32 TOKEN_QUERY = 0x0008;

    private const uint HKEY_USERS = 0x80000003;
    private const string SE_RESTORE_NAME = "SeRestorePrivilege";
    private const string SE_BACKUP_NAME = "SeBackupPrivilege";

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);

    [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
    static extern bool AdjustTokenPrivileges(
        IntPtr htok,
        bool disableAllPrivileges,
        ref TokPriv1Luid newState,
        int len,
        IntPtr prev,
        IntPtr relen);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern int RegLoadKey(UInt32 hKey, String lpSubKey, String lpFile);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern int RegUnLoadKey(UInt32 hKey, string lpSubKey);

    private IntPtr _myToken;
    private TokPriv1Luid _tokenPrivileges = new TokPriv1Luid();
    private TokPriv1Luid _tokenPrivileges2 = new TokPriv1Luid();

    private LUID _restoreLuid;
    private LUID _backupLuid;

    public RegistryTest(string sid)
    {
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out _myToken))
            Console.WriteLine("OpenProcess Error");

        if (!LookupPrivilegeValue(null, SE_RESTORE_NAME, out _restoreLuid))
            Console.WriteLine("LookupPrivilegeValue Error");

        if (!LookupPrivilegeValue(null, SE_BACKUP_NAME, out _backupLuid))
            Console.WriteLine("LookupPrivilegeValue Error");

        _tokenPrivileges.Attr = SE_PRIVILEGE_ENABLED;
        _tokenPrivileges.Luid = _restoreLuid;
        _tokenPrivileges.Count = 1;

        _tokenPrivileges2.Attr = SE_PRIVILEGE_ENABLED;
        _tokenPrivileges2.Luid = _backupLuid;
        _tokenPrivileges2.Count = 1;

        if (!AdjustTokenPrivileges(_myToken, false, ref _tokenPrivileges, 0, IntPtr.Zero, IntPtr.Zero))
            Console.WriteLine("AdjustTokenPrivileges Error: " + Marshal.GetLastWin32Error());

        if (!AdjustTokenPrivileges(_myToken, false, ref _tokenPrivileges2, 0, IntPtr.Zero, IntPtr.Zero))
            Console.WriteLine("AdjustTokenPrivileges Error: " + Marshal.GetLastWin32Error());

        // --> RegLoadKey fails with return value 32<--
        int retVal = RegLoadKey(HKEY_USERS, sid, @"C:\Users\Default\NTUSER.DAT");
        if (retVal != 0)
            Console.WriteLine("RegLoadKey Error:" + retVal);
    }
}

The RegLoadKey API should return 0 but I got 32

c#
windows
asked on Stack Overflow Nov 5, 2019 by LancelotGHX

1 Answer

0

I have find a way to do it, I load default registry hive in C:\Users\Default. After I change it to C:\Users\[username]\NTUSER.DAT and then the registry hive is loaded.

answered on Stack Overflow Nov 6, 2019 by LancelotGHX • edited Nov 6, 2019 by LancelotGHX

User contributions licensed under CC BY-SA 3.0