I have a registry key visible when queried as a normal user account using PowerShell or in regedit, but when I run PowerShell or regedit as an admin, it does not appear:
Non-admin:
PS C:\> Get-ChildItem HKLM:\software\microsoft\windows\currentversion\uninstall | % {Get-ItemProperty $_.PSPath} | ? { $_.DisplayName -eq "Docker Desktop" }
DisplayIcon : C:\Program Files\Docker\Docker\Docker Desktop Installer.exe
DisplayName : Docker Desktop
DisplayVersion : 2.2.0.4
Version : 43472
InstallLocation : C:\Program Files\Docker\Docker
NoModify : 1
NoRepair : 1
Publisher : Docker Inc.
ChannelName : stable
ChannelUrl : https://download.docker.com/win/stable/appcast.xml
UninstallString : "C:\Program Files\Docker\Docker\Docker Desktop Installer.exe" uninstall
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\unin
stall\Docker Desktop
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\unin
stall
PSChildName : Docker Desktop
PSProvider : Microsoft.PowerShell.Core\Registry
Admin:
PS C:\> Get-ChildItem HKLM:\software\microsoft\windows\currentversion\uninstall | % {Get-ItemProperty $_.PSPath} | ? { $_.DisplayName -eq "Docker Desktop" }
PS C:\>
The same behaviour is observed when running regedit as an admin and a non-admin. I am using Avecto DefendPoint to run a command prompt (and regedit) as admin - I am not a member of the local admins group. This might have something to do with it but I am able to create and delete keys under this registry path. Interestingly, I can create a "Docker Desktop" key as an admin, it doesn't fail due to a key already existing. I have tried RegDelNull but it's not an embedded null problem.
I am trying to delete the registry key as Docker Desktop is still in Add/Remove Programs. I wasn't able to uninstall it from there but followed the steps in https://success.docker.com/article/how-to-completely-remove-docker-in-windows-10
There are "automagic" bitness redirections in the registry.
For instance, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall might be mapped to HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall on 64-bit systems, depending on the API used to retrieve the registry keys.
I experienced a lot of strange registry behavior when it comes to bitness mapping depending on the user (see https://github.com/poweradminllc/PAExec/issues/29 for instance).
I'd suggest you use Microsoft PSTools PSexec to invoke regedit (or your PowerShell script) as system user, then have a look at both of the above locations.
C:\>PSExec.exe -i -s regedit
Hope this helps :)
Edit:
Although very unlikely, you may also have a look at the user-specific registry hives, i.e. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall as standard user.
Once regedit is launched as admin, navigate to HKEY_USERS\S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall where the SID (S-1-5-21-*-1001) is the SID of your non-admin user.
The SID can be obtained with the whoami /user command.
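A read-only check of every location this answer names, as an added example that is not part of the original post: it opens HKLM explicitly in both the 64-bit and 32-bit registry views through .NET's `RegistryKey.OpenBaseKey`, then walks the hives loaded under HKEY_USERS. The function name `Find-UninstallEntry` and the variable names are hypothetical; the display name is the one from the question.

```powershell
# Added example. 'Docker Desktop' is the DisplayName from the question.
$displayName = 'Docker Desktop'
$uninstall   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

function Find-UninstallEntry {
    param(
        [Microsoft.Win32.RegistryHive]$Hive,
        [Microsoft.Win32.RegistryView]$View,
        [string]$Path,
        [string]$Name
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $View)
    try {
        $key = $base.OpenSubKey($Path)      # read-only open
        if ($null -eq $key) { return }      # path absent in this hive/view
        foreach ($child in $key.GetSubKeyNames()) {
            $entry = $key.OpenSubKey($child)
            if ($null -eq $entry) { continue }
            if ($entry.GetValue('DisplayName') -eq $Name) {
                [pscustomobject]@{
                    Hive            = $Hive
                    View            = $View
                    Key             = $entry.Name
                    UninstallString = $entry.GetValue('UninstallString')
                }
            }
            $entry.Close()
        }
        $key.Close()
    } catch {
        # For example, access denied on another user's hive
        Write-Warning "$Hive\$Path ($View): $($_.Exception.Message)"
    } finally {
        $base.Close()
    }
}

# The two shells in the question may differ in identity and in bitness.
$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
"User: $who  64-bit process: $([Environment]::Is64BitProcess)"

$hku = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::Users, [Microsoft.Win32.RegistryView]::Default)
$found = @(
    # HKLM\SOFTWARE is split by bitness, so ask for each view explicitly.
    foreach ($view in 'Registry64', 'Registry32') { Find-UninstallEntry LocalMachine $view $uninstall $displayName }
    # Per-user hives (HKCU is one of these); this path is not redirected, one view is enough.
    foreach ($sid in $hku.GetSubKeyNames()) { Find-UninstallEntry Users Default "$sid\$uninstall" $displayName }
)
$hku.Close()
$found | Format-List
```

Run it once in the normal shell and once in the elevated one; the `Hive`, `View` and `Key` columns show which physical location holds the entry that only one of them sees.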