How we investigated the settings that were configured in a user's registry

So a couple of weeks ago we had a strange situation where a certain user registry setting was being updated somehow. We really did not know how to tackle this problem. The only clue we had was that some users were affected and some users were not. Eventually it was decided to take a 'non-affected' user and compare their registry settings with those of an 'affected' user.

To give a bit of background, we were hosting a shared application on a Windows 2012 server. The users were concurrently accessing the application using RDS (Remote Desktop Services). The application depends on configuration data which is stored in the user's registry (HKEY_CURRENT_USER). The configuration in the user's registry kept being changed by some unknown source.

When trying to look for differences in the registry of affected and unaffected users we came across the problem that all the user profiles were stored under their SIDs (HKEY_USERS), and working out by hand which SID belonged to which user, so that we could locate the right profiles, looked like an impossible task.

To solve the immediate problem I decided to write a quick tool which takes a Windows username and fetches the associated user SID.

The tool is very simple: it just has two fields, one to enter the username and another that outputs the SID. Here is a screenshot of what the tool looks like.

[Screenshot: the GetUserSID tool]

This tool turned out to be very helpful in our investigation, and I would like to give it away to you for free. Just click the link here to download it.

After a while we were able to determine that a particular value inside the user's registry was being changed.
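The two steps described above (resolve a username to its SID, then compare the application's key under HKEY_USERS for an affected and an unaffected user) can be scripted without a custom tool. The following PowerShell is an added example written for this post; it is not the author's GetUserSID tool. It assumes both users currently have a profile loaded on the RDS host (only logged-on users appear under HKEY_USERS), and the key path `Software\ExampleVendor\ExampleApp` is a placeholder for the application's real configuration key.

```powershell
# Added example (not the GetUserSID tool from the post): resolve two Windows
# usernames to their SIDs and diff one per-user registry key between them.
# Assumptions: both users have a loaded profile (logged on to the RDS host),
# and $KeyPath is a placeholder for the application's configuration key.
param(
    [Parameter(Mandatory)] [string] $AffectedUser,    # e.g. 'DOMAIN\alice'
    [Parameter(Mandatory)] [string] $UnaffectedUser,  # e.g. 'DOMAIN\bob'
    [string] $KeyPath = 'Software\ExampleVendor\ExampleApp'  # placeholder
)

function Get-UserSid {
    param([Parameter(Mandatory)] [string] $Account)
    # NTAccount -> SecurityIdentifier translation works for local and
    # domain accounts and returns the S-1-5-21-... string used in HKEY_USERS.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-UserRegistryValues {
    param([string] $Sid, [string] $SubKey)
    $path = "Registry::HKEY_USERS\$Sid\$SubKey"
    if (-not (Test-Path $path)) {
        throw "Key $path not found. Is the user's profile loaded (user logged on)?"
    }
    $item = Get-ItemProperty -Path $path
    # Drop the PS* metadata properties; keep a hashtable of value name -> data
    $values = @{}
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
    }
    return $values
}

$sidA = Get-UserSid $AffectedUser
$sidB = Get-UserSid $UnaffectedUser
Write-Host "$AffectedUser -> $sidA"
Write-Host "$UnaffectedUser -> $sidB"

$a = Get-UserRegistryValues -Sid $sidA -SubKey $KeyPath
$b = Get-UserRegistryValues -Sid $sidB -SubKey $KeyPath

# Report every value whose data differs, or that exists on only one side.
$names = @($a.Keys) + @($b.Keys) | Sort-Object -Unique
foreach ($n in $names) {
    $va = if ($a.ContainsKey($n)) { "$($a[$n])" } else { '<missing>' }
    $vb = if ($b.ContainsKey($n)) { "$($b[$n])" } else { '<missing>' }
    if ($va -ne $vb) {
        [pscustomobject]@{ Value = $n; Affected = $va; Unaffected = $vb }
    }
}
```

Run it from an elevated PowerShell on the session host, for example `.\Compare-UserKey.ps1 -AffectedUser 'DOMAIN\alice' -UnaffectedUser 'DOMAIN\bob'`. The output is a short table of only the value names whose data differs between the two profiles, which narrows the search to the value that is being changed. If a user is not logged on, their hive is absent from HKEY_USERS; in that case the profile's NTUSER.DAT can be mounted temporarily with `reg load` and the script pointed at that hive name instead of the SID.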

The next key to solving our problem was to use a tool called 'Process Monitor' to monitor the applications that were reading or modifying the registry.

Using Process Monitor we were able to establish that a Group Policy script was updating the value in the user's registry.

Feel free to download my GetUserSID tool, and remember to let me know if you found it useful.