Question about HKEY_USERS


Guest

Does HKEY_USERS contain the HKEY_CURRENT_USER tree for all users that
exist on the system? And when any user logs in, his tree under
HKEY_USERS gets copied to HKEY_CURRENT_USER?

Or does HKEY_USERS only contain the HKCU trees for the users who are
logged in right now? If that is the case, then what happens to a
user's HKCU tree when he logs off? Where is it stored? This could be
a problem when doing virus/spyware scans. If a scanner wants to check
HKCU keys, then it can only check it for the current user. If other
users' HKCU trees are not kept under HKEY_USERS, then you cannot scan
the system just one time, you will have to log in under every single
user and scan.
 

John John (MVP)

The registry has five subtrees:

- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE
- HKEY_USERS
- HKEY_CURRENT_CONFIG

Only two of these are "real" keys:

- HKEY_LOCAL_MACHINE
- HKEY_USERS

The other keys are created from these two keys; they are symbolic links.

The HKEY_CURRENT_USER subkey is created from the HKEY_USERS key. The
HKEY_USERS subtree contains all the actively loaded user profiles on the
computer. The HKU\<SID> keys are created from the ntuser.dat files in
the user's profile folders.

John
 

Guest

> The registry has five subtrees:
>
> - HKEY_CLASSES_ROOT
> - HKEY_CURRENT_USER
> - HKEY_LOCAL_MACHINE
> - HKEY_USERS
> - HKEY_CURRENT_CONFIG
>
> Only two of these are "real" keys:
>
> - HKEY_LOCAL_MACHINE
> - HKEY_USERS
>
> The other keys are created from these two keys; they are symbolic links.
>
> The HKEY_CURRENT_USER subkey is created from the HKEY_USERS key. The
> HKEY_USERS subtree contains all the actively loaded user profiles on the
> computer. The HKU\<SID> keys are created from the ntuser.dat files in
> the user's profile folders.

When you say "actively loaded", what do you mean exactly? I just
created a limited user, logged in, and then logged off, and as the
Administrator, I can see his profile under HKU. So that means HKU
contains all the user profiles even if they are not logged in.
 

John John (MVP)

> When you say "actively loaded", what do you mean exactly? I just
> created a limited user, logged in, and then logged off, and as the
> Administrator, I can see his profile under HKU. So that means HKU
> contains all the user profiles even if they are not logged in.

No, the HKU key contains only the profiles of the actively logged on
users, reboot your machine and you will only see your user profile there
along with the Local System, Local Service and Network Service SIDs.

What you are seeing is caused by Terminal Services, the service may hold
the logged off profile in memory/registry for Fast User Switching. When
you log off and log on with different users during the same Windows
session Terminal Services may keep the information and you may see the
different user SIDs kept in the HKU branch, although the users have
logged off, because of TS these users may be sort of considered to be
still logged on. Disable Terminal Services and reboot the computer and
try your experiment again and you will see a different behaviour.

John
 

Guest

> No, the HKU key contains only the profiles of the actively logged on
> users, reboot your machine and you will only see your user profile there
> along with the Local System, Local Service and Network Service SIDs.
>
> What you are seeing is caused by Terminal Services, the service may hold
> the logged off profile in memory/registry for Fast User Switching. When
> you log off and log on with different users during the same Windows
> session Terminal Services may keep the information and you may see the
> different user SIDs kept in the HKU branch, although the users have
> logged off, because of TS these users may be sort of considered to be
> still logged on. Disable Terminal Services and reboot the computer and
> try your experiment again and you will see a different behaviour.

Looks like you are right. I have Terminal Services running (it is an
XP machine), although Fast User Switching is not running. But I
restarted the computer, and the administrator can no longer see the
limited user under HKU.

But is the behavior different under Vista? Last night I checked a
Vista Home Premium computer - I turned it on and logged in as the
administrator, and I could see both of the limited users under HKU.
Perhaps that is because the Fast User Switching service was running?

Now this makes me wonder if running virus/spyware scans only under
Administrator is enough. Sometimes viruses/spyware will modify
registry keys under HKCU, and if a limited user gets a virus/spyware,
the scan under Administrator wouldn't detect those changes. I guess
it's not a big deal, because if a limited user gets a virus, it
wouldn't affect the system, and the scan should still detect any files
that were downloaded.
 

John John (MVP)

> Looks like you are right. I have Terminal Services running (it is an
> XP machine), although Fast User Switching is not running. But I
> restarted the computer, and the administrator can no longer see the
> limited user under HKU.

Terminal Services is really what makes Fast User Switching possible, it
provides the multi-session environment that makes FUS possible, without
Terminal Services there is no Fast User Switching. The Fast User
Switching Compatibility service is not responsible for FUS, although,
because of its namesake, it would be easy to understand why folks would
think that this service would be responsible for FUS. In fact you can
disable the Fast User Switching Compatibility service and you will still
be able to do Fast User Switching. All that the Fast User Switching
Compatibility service does is provide assistance to programs that cannot
run in a multiple user environment, granted if you do FUS it is
important that your programs keep running when you change sessions but
the service is not strictly required to do Fast User Switching, it
doesn't provide the multi-session environment required for FUS.


> But is the behavior different under Vista? Last night I checked a
> Vista Home Premium computer - I turned it on and logged in as the
> administrator, and I could see both of the limited users under HKU.
> Perhaps that is because the Fast User Switching service was running?

For more in depth information you should ask this in a Vista help group,
but the basics are still the same for Vista, Terminal Services is
responsible for multi-session environments.


> Now this makes me wonder if running virus/spyware scans only under
> Administrator is enough. Sometimes viruses/spyware will modify
> registry keys under HKCU, and if a limited user gets a virus/spyware,
> the scan under Administrator wouldn't detect those changes. I guess
> it's not a big deal, because if a limited user gets a virus, it
> wouldn't affect the system, and the scan should still detect any files
> that were downloaded.

The AV experts could comment on that but one may assume that the better
AV programs would have a method of scanning all the ntuser.dat files,
but even if they don't it usually doesn't stop a user from logging on
when orphaned entries are left behind after virus removal, most of the
time the user will get a message saying that a certain file could not be
found and the computer will boot without problems. Also, most virus
writers target the system and will have their virus put their entries in
the HKLM branch as opposed to the HKCU branch; the ntuser.dat files
mostly only contain user preferences, and there isn't much there of
interest to malicious virus writers.

John
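The two points John makes in this thread (HKU holds only the hives that are currently loaded, and a thorough scanner has to look at every profile's ntuser.dat, not just the logged-on user's) can be put together in one script. The following is an added example written for this page, not code from the thread or from any AV product: it lists which profile hives are loaded under HKEY_USERS, compares that against the profiles registered in HKLM's ProfileList, and for each profile that is not loaded it mounts the on-disk NTUSER.DAT under a temporary name so the per-user autostart keys (HKCU\...\Run and RunOnce) of every account can be inspected in a single pass. The temporary mount name prefix `OfflineScan_` and the choice of keys to inspect are this example's own assumptions; `reg.exe load`/`unload` need an elevated prompt.

```powershell
# Added example (not from the thread): inspect the per-user autostart keys of
# every profile on the machine, loaded or not, from one elevated session.
# Assumptions: elevated PowerShell 3.0+; the mount-name prefix and the key
# list below are choices made here, not Windows defaults.
#Requires -RunAsAdministrator

$autostartKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Hives currently loaded under HKEY_USERS (the *_Classes keys are the
# per-user half of HKCR, not profile roots, so they are skipped).
$loaded = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { $_.PSChildName }

# Every profile Windows knows about: ProfileList maps SID -> profile folder.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profiles = Get-ChildItem $profileList | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    [pscustomobject]@{
        Sid    = $_.PSChildName
        Path   = [Environment]::ExpandEnvironmentVariables($p.ProfileImagePath)
        Loaded = $loaded -contains $_.PSChildName
    }
}

function Get-AutostartEntries {
    # Read the value names and commands under each autostart key of one hive.
    param([string]$HiveRoot, [string]$Sid)
    foreach ($key in $autostartKeys) {
        $full = "Registry::$HiveRoot\$key"
        if (-not (Test-Path $full)) { continue }
        $props = Get-ItemProperty $full
        foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notin $psNoise })) {
            [pscustomobject]@{ Sid = $Sid; Key = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

$results = foreach ($prof in $profiles) {
    if ($prof.Loaded) {
        # Hive is already mounted by a logon session: read it in place.
        Get-AutostartEntries -HiveRoot "HKEY_USERS\$($prof.Sid)" -Sid $prof.Sid
    } else {
        $ntuser = Join-Path $prof.Path 'NTUSER.DAT'
        if (-not (Test-Path $ntuser)) { continue }
        # Mount the offline hive under a temporary name, inspect it, unload it.
        $mountName = 'OfflineScan_' + $prof.Sid
        & reg.exe load "HKU\$mountName" $ntuser | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $ntuser"; continue }
        try {
            Get-AutostartEntries -HiveRoot "HKEY_USERS\$mountName" -Sid $prof.Sid
        } finally {
            # Release any lingering key handles first; an open key keeps the
            # hive busy and makes 'reg unload' fail.
            [GC]::Collect()
            & reg.exe unload "HKU\$mountName" | Out-Null
        }
    }
}

$profiles | Format-Table Sid, Loaded, Path -AutoSize
$results  | Format-Table Sid, Key, Name, Command -AutoSize
```

After a reboot the first table shows exactly the behaviour John describes: only the logged-on user's SID (plus S-1-5-18/19/20) reports `Loaded = True`, while the other accounts' hives sit on disk until this script mounts them. The profile folder path comes from ProfileList, so the same script works whether profiles live under Documents and Settings (XP) or Users (Vista and later). Because a logged-on user's NTUSER.DAT is locked by that session, the script deliberately reads those hives through HKU rather than trying to load the file a second time.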
 
