So I'm having trouble remotely grabbing some regkey info from a currentuser regkey. I can't figure out what I'm doing wrong; I can pull this info on my machine but not remotely. Any input would be helpful, thanks.
$session = New-PSSession -ComputerName $ComputerName
Invoke-Command -Session $session {
    $hotfix = Get-HotFix
    $Reg = [Microsoft.Win32.RegistryKey]::OpenBaseKey('CurrentUser','default')
    $RegKey = $Reg.OpenSubKey("SOFTWARE\\Google\\Chrome\\BLBeacon")
    $ChromeBuild = $RegKey.GetValue("VERSION")
    return $ChromeBuild, $hotfix
}
PowerShell will always run in the context of the user who started it.
You cannot use PowerShell to run as the user currently logged on to the remote machine because that is a Windows security boundary.
To run code as the logged-on user, create a scheduled task that will run when the user logs on, or use MS Sysinternals psexec.exe, which provides parameters to run as the logged-on user.
As per the docs ...
psexec -i Run the program so that it interacts with the desktop of the specified session on the remote system. If no session is specified the process runs in the console session.
-u Specifies optional user name for login to remote computer.
There is a PowerShell module that leverages the psexec approach, available via the MS powershellgallery.com
With WMF 5 and up (to get the latest InvokePsExec module version available), simply run this command (requires an internet connection):
Find-Module -Name '*psexec*' | Format-Table -AutoSize
<#
Version Name Repository Description
------- ---- ---------- -----------
0.0.7 psexec PSGallery A small PowerShell module to run Sysinternals PsExec
1.2 InvokePsExec PSGallery Svendsen Tech's Invoke-PsExec for PowerShell is a function that lets you execute PowerShell and batch/cmd.exe code asynchro...
#>
Install-Module -Name InvokePsExec
All that being said, to get a remote regkey, you don't need to try and run anything as the current user, just hit the registry hive, and pull it, just as you would locally.
Also, no need to do this from scratch as a quick web search using 'PowerShell hkcu remotely' will give you a good list of folks trying this and what their results were.
Here is an example of results that shows how to mine a remote registry using a legacy module.
### query HKCU registry information remotely
<#
https://community.idera.com/database-tools/powershell/ask_the_experts/f/powershell_remoting-24/17743/query-hkcu-registry-information-remotely
Please check the script posted below. It requires the get-regstring module. It's available at http://psremoteregistry.codeplex.com/
I used this script successfully to find an entry in the proxyoverride settings of each logged-in user. You can change this script as per your need.
#>
$computer = Get-Content 'c:\test\hosts.txt'
Foreach ($comp in $computer)
{
    # Find the user logged on at the console of the remote machine
    $name = Get-WmiObject Win32_ComputerSystem -ComputerName $comp |
        Select-Object username
    # Nobody logged on at the console: nothing to look up on this host
    If (-not $name.username) { continue }

    $namesplit = $name.username.split('\')
    $domainname = $namesplit[0]
    $Username = $namesplit[1]

    # Translate DOMAIN\user to a SID so the hive can be addressed under HKEY_USERS
    $objUser = New-Object System.Security.Principal.NTAccount("$domainname","$username")
    $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
    $SID = $strSID.Value

    # HKEY_USERS\<SID> is the logged-on user's HKCU
    $getRegStringSplat = @{
        Key = "$SID\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        Hive = 'users'
        ComputerName = $comp
        Value = 'proxyoverride'
    }
    $reg = Get-RegString @getRegStringSplat
    $regoutput = $reg |
        Select-Object data
    $searchstr = "somedomain.com"
    $Sel = $regoutput |
        Select-String $searchstr -SimpleMatch
    If ($null -eq $Sel)
    {
        "In $comp $username does not contain $searchstr." |
            Out-File c:\test\proxy_output.txt -Append
    }
    Else
    {
        "Somedomain.com Found in $comp in $username" |
            Out-File c:\test\proxy_output.txt -Append
    }
}
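
Added example (not part of the original thread or the quoted script): the same HKEY_USERS-by-SID read, done with the built-in .NET registry classes inside a remoting session and applied to the Chrome BLBeacon key from the question. `PC01` is a placeholder computer name, and only users whose profile hive is currently loaded (logged-on users) appear under HKEY_USERS.

```powershell
# Added example; 'PC01' is a placeholder computer name.
$ComputerName = 'PC01'

$chrome = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    # Inside the session, HKCU is the hive of the account that opened the
    # session, so walk the user hives loaded under HKEY_USERS instead.
    $hku = [Microsoft.Win32.RegistryKey]::OpenBaseKey('Users', 'Default')
    try {
        foreach ($sid in $hku.GetSubKeyNames()) {
            # Keep domain/local user SIDs; skip .DEFAULT, service SIDs, *_Classes.
            if ($sid -notmatch '^S-1-5-21-[0-9-]+$') { continue }

            # Resolve the SID to DOMAIN\user; keep the raw SID if lookup fails.
            $account = $sid
            try {
                $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }

            # OpenSubKey returns $null when the key is absent (Chrome never run).
            $version = $null
            $key = $hku.OpenSubKey("$sid\SOFTWARE\Google\Chrome\BLBeacon")
            if ($null -ne $key) {
                $version = $key.GetValue('VERSION')
                $key.Close()
            }

            [pscustomobject]@{
                User          = $account
                SID           = $sid
                ChromeVersion = $version
            }
        }
    }
    finally {
        $hku.Close()
    }
}

$chrome | Format-Table PSComputerName, User, SID, ChromeVersion -AutoSize
```

A row with an empty ChromeVersion means that user's hive has no BLBeacon key, which is different from the host returning no rows at all (no interactive user hive loaded).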