Registry Tricks – Editing another user’s registry entries

Here’s a trick that some people don’t know about.  You can load a registry hive of an offline user for editing in regedit.exe.  This lets you look at another user’s registry without having to change their password and log in as them.  It’s also commonly used to edit the Default User’s registry when setting up a remote desktop session host (RDSH – formerly ‘terminal server’), so that new users have registry settings automatically applied to their profiles.

The user-specific portion of the registry is stored in the user profile directory as NTUSER.DAT, a file known as a ‘registry hive’.  This corresponds to the HKCU portion of the registry when you load up regedit.

Suppose we want to check the registry settings or add some keys for the user BlueCompute on one of our servers.  We log in as an administrator (or any user with permissions on BlueCompute’s profile), launch regedit, select the HKEY_USERS key and choose File > Load Hive:

We navigate to the user profile and select the NTUSER.DAT file:


Enter a descriptive name for the hive you are loading:


And now you can carry out any operations you wish on the loaded registry hive:


It’s very important that you unload the user’s registry hive once you have finished editing it, otherwise they will receive a temporary profile when they try to log in.  If you leave the default user registry hive loaded then new user profile creation will fail, i.e. newly created users will be unable to log in.  Unload the hive like so:


If you are customising the default user registry then you will want to load the NTUSER.DAT from C:\Users\Default (this is a hidden directory).  Newly created users will acquire a copy of this as their initial registry hive, so any changes you make here will propagate to new user profiles.  This is an easy way of customising profiles for Remote Desktop Services or Citrix without using Group Policy.
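The same load, edit, unload sequence can be scripted so that the unload always runs, even if the edit step fails. This is an added example, not part of the original post; it assumes an elevated PowerShell session and a logged-off user, and the mount name, key and value are hypothetical placeholders.

```powershell
# Added example: load an offline NTUSER.DAT under HKEY_USERS, edit it, and always unload.
# For the default profile, point $HivePath at C:\Users\Default\NTUSER.DAT instead.
$HivePath  = 'C:\Users\BlueCompute\NTUSER.DAT'
$MountName = 'BlueCompute_Offline'   # hypothetical descriptive name shown under HKEY_USERS
$MountKey  = "HKU\$MountName"

# NTUSER.DAT is hidden, so check for it with the .NET API rather than a directory listing.
if (-not [System.IO.File]::Exists($HivePath)) {
    throw "Hive file not found: $HivePath"
}

# reg.exe load fails if the hive is already in use (e.g. the user is logged on).
& reg.exe load $MountKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed for $HivePath (exit code $LASTEXITCODE)"
}

try {
    # Hypothetical key and value, used only to show an edit inside the loaded hive.
    $key = "Registry::HKEY_USERS\$MountName\Software\ExampleVendor\ExampleApp"
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name 'ExampleSetting' -Value 1 `
        -PropertyType DWord -Force | Out-Null

    # Read the value back to confirm the write landed in the offline hive.
    (Get-ItemProperty -Path $key).ExampleSetting
}
finally {
    # The registry provider can keep handles open, which makes the unload fail
    # with "Access is denied". Drop references and force finalisation first.
    Remove-Variable -Name key -ErrorAction SilentlyContinue
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()

    & reg.exe unload $MountKey | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Hive is still loaded at $MountKey. Unload it before the user logs on."
    }
}
```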

Hopefully this will be useful for someone out there.


