What is the path for the NT AUTHORITY\SYSTEM registry hive?

windows windows-registry

If I open the registry with the SYSTEM account in Windows by using the PSExec tool from SysInternals:

psexec -i -s regedit

and I change an entry, for example, here:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

... I presume that a corresponding NTUSER.DAT file will be modified.

What is the path to this NTUSER.DAT file?


Solution 1:

Contrary to common intuition, the ntuser.dat file in LocalSystem's user profile folder (\Windows\System32\config\systemprofile) is not the source of HKEY_CURRENT_USER for applications running as SYSTEM. As far as I can tell, it's not actually used for anything, and it contains very little information.

In reality, the HKCU for applications running as SYSTEM is .DEFAULT under HKEY_USERS. (I'll address another common misconception: .DEFAULT isn't the template for new user profiles, ntuser.dat in \Users\Default is.) .DEFAULT is stored on disk in a file called \Windows\System32\config\DEFAULT. See the MSDN article on Registry-backing files.

Also interesting: the list of the backing files for the various Registry hierarchies, including .DEFAULT, can be found in HKLM\SYSTEM\CurrentControlSet\Control\hivelist.

Related

How to use ctags and vim to jump to java methods
What are unevaluated contexts in C++?
How to change Control-Y behavior in Excel-VBA's IDE
Small <1MB Word 2013 file takes too long to save
Is there a high-level roadmap for Chrome development? [closed]
Find in Files across multiple directories with Notepad++
Robocopy Log File Meaning of New File, New Dir
Why are try blocks expensive?
Installing a systemd service from an RPM?
How can I use mintty as the terminal emulator for MinGW/MSYS?
VLC’s subtitle sync delay function not working as expected
Does anyone know a good network/graph visualization software - just add data? [closed]