04-10-2019, 09:05 PM
Would be great to export this registry key for each user, as this comes into play in business environments anytime someone has redirected folders, or their shell folders have been moved to a new location. Having this info on file is really useful for forensics, or any time there's a new server install/migration, to have a list of where people's folders are actually located at, instead of hitting each box.
We already have a custom script that we can run to get this info, but it would be really nice to see each user's Shell Folder paths in SIW. This info is stored in each user's HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ registry key.
Also, each user's network printers would be nice too, that's in a similar key:
HKCU\Printers\Connections
Note, for users that are signed in, these registry hives are loaded into the HK\Users\ hive, but for users that are not signed in, you need to (ideally) copy their %userprofile%\ntuser.dat file, then mount that ntuser.dat file into the registry, then read the registry entry and unmount it, something like this:
REG LOAD "HKU\TempHive" "C:\Users\<userprofile>\NTUSER_TEMP.DAT"
REG QUERY "HKU\TempHive\Printers\Connections"
REG UNLOAD "HKU\TempHive"
That is, unless you have some way to directly read data from a registry .dat file without mounting it.
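The per-user collection described in the post, written out as an added PowerShell example (my own script, not SIW's code or the poster's): it walks ProfileList, reads loaded hives directly and mounts a copy of NTUSER.DAT for everyone else, so the original hive files are never written to by REG LOAD. It assumes an elevated session; $TempRoot and the Temp_<SID> key names are names I chose.

```powershell
# Added example: list User Shell Folders and network printer connections per local profile.
# Must run elevated; $TempRoot is an assumed scratch folder for hive copies.
$TempRoot = 'C:\HiveTemp'
New-Item -ItemType Directory -Path $TempRoot -Force | Out-Null
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Read-UserKeys([string]$Base) {
    # Read the two keys the post asks for from a hive rooted at $Base (HKU:\<SID> or HKU:\Temp_<SID>)
    $shell    = Get-ItemProperty -Path "$Base\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -ErrorAction SilentlyContinue
    $printers = Get-ChildItem   -Path "$Base\Printers\Connections" -ErrorAction SilentlyContinue
    $folders  = @()
    if ($shell) {
        # Drop the PS* properties the provider adds; keep only the real value names
        $folders = $shell.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { "$($_.Name) = $($_.Value)" }
    }
    # Connection subkeys are named ",,server,printer"; turning commas into backslashes gives the UNC name
    $unc = @(); if ($printers) { $unc = $printers.PSChildName -replace ',', '\' }
    [pscustomobject]@{ ShellFolders = $folders; Printers = $unc }
}

$profiles = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-*'
foreach ($p in $profiles) {
    $sid  = $p.PSChildName
    $path = $p.ProfileImagePath
    if (Test-Path "HKU:\$sid") {
        # Signed-in user: the hive is already mounted under HKEY_USERS, read it in place
        $data = Read-UserKeys "HKU:\$sid"
    } else {
        # Not signed in: copy NTUSER.DAT first so the load/unload never modifies the user's real hive,
        # then mount the copy, read it, and always unload it again
        $copy = Join-Path $TempRoot "$sid.dat"
        Copy-Item (Join-Path $path 'NTUSER.DAT') $copy -Force
        & reg.exe load "HKU\Temp_$sid" $copy | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $path"; continue }
        try {
            $data = Read-UserKeys "HKU:\Temp_$sid"
        } finally {
            # PowerShell holds the key handle until garbage collection; without this the unload fails
            [GC]::Collect(); [GC]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\Temp_$sid" | Out-Null
            Remove-Item $copy -Force -ErrorAction SilentlyContinue
        }
    }
    [pscustomobject]@{
        Profile      = $path
        SID          = $sid
        ShellFolders = $data.ShellFolders -join '; '
        Printers     = $data.Printers -join '; '
    }
}
```

Pipe the output to Export-Csv to keep the file the post asks for; profiles whose NTUSER.DAT is locked or missing are skipped with a warning rather than aborting the run.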