Created
January 22, 2019 06:33
-
-
Save XPlantefeve/ac4316efba3ed894d1b1f0eb4c1e3aa1 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function Get-Profiles | |
| { | |
| <# | |
| .SYNOPSIS | |
| Gives a list of locally saved user profiles. | |
| .DESCRIPTION | |
| Gets a list of locally used profiles according to the registry and | |
| returns an object with information about the profile. | |
| .NOTES | |
| Requires the Microsoft.PowerShell.LocalAccounts module for the | |
| Get-LocalUser command. | |
| .INPUTS | |
| None | |
| .OUTPUTS | |
| An array of PSCustomObjects with the following four properties: | |
| SID: the user SID | |
| UserHive: the path to the NTUser.dat file for the user. | |
| Local: whether the user is a local user or not. | |
| Loaded: wheter the user hive is currently loaded or not. | |
| #> | |
| $ComputerSID = ( Get-LocalUser | Select-Object -First 1 -ExpandProperty SID ).AccountDomainSID.ToString() | |
| $Profiles = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | | |
| Select-Object -Property ( | |
| @{Name = 'SID'; Expression = {$_.PSChildName}}, | |
| @{Name = 'UserHive'; Expression = {('{0}\NTuser.dat' -f $_.ProfileImagePath)}}, | |
| @{Name = 'Local'; Expression = {$_.PSChildName -match ('{0}|^S-1-5-\d+$' -f $ComputerSID)}}, | |
| @{Name = 'Loaded'; Expression = { Test-Path -Path ('Registry::HKEY_USERS\{0}' -f $_.PSChildName) }} | |
| ) | |
| return $Profiles | |
| } | |
| function Import-UserRegistryHive | |
| { | |
| <# | |
| .SYNOPSIS | |
| Loads offline user(s) registry hive(s) | |
| .PARAMETER SID | |
| The user SID | |
| .PARAMETER UserHive | |
| The hive (NTUSER.dat) file path for the user. | |
| .EXAMPLE | |
| Import-UserRegistryHive -SID S-1-5... -UserHive C:\Users\johndoe.Domain\NTUSER.dat | |
| Accept pipeline if the objects have the correct properties: | |
| $Profiles | Import-UserRegistryHive | |
| .INPUTS | |
| Strings | |
| .OUTPUTS | |
| None | |
| #> | |
| [CmdletBinding()] | |
| param( | |
| [parameter(Mandatory,ValueFromPipelineByPropertyName,Position = 0)] | |
| [String]$SID, | |
| [parameter(Mandatory,ValueFromPipelineByPropertyName,Position = 1)] | |
| [String]$UserHive | |
| ) | |
| process { | |
| Start-Process -FilePath 'REG.EXE' -ArgumentList ('LOAD HKU\{0} {1}' -f $SID, $UserHive) -Wait -WindowStyle Hidden | |
| } | |
| } | |
| # Unloads offline registry hive | |
| function Remove-UserRegistryHive () | |
| { | |
| <# | |
| .SYNOPSIS | |
| Unloads user(s) registry hive(s) | |
| .PARAMETER SID | |
| The user SID | |
| .EXAMPLE | |
| Remove-UserRegistryHive -SID S-1-5... | |
| Accept pipeline if the objects have the correct properties: | |
| $Profiles | Remove-UserRegistryHive | |
| .INPUTS | |
| String | |
| .OUTPUTS | |
| None | |
| #> | |
| [CmdletBinding()] | |
| param( | |
| [parameter(Mandatory,ValueFromPipelineByPropertyName,Position = 0)] | |
| [String]$SID | |
| ) | |
| process { | |
| Start-Process -FilePath 'REG.EXE' -ArgumentList ('UNLOAD HKU\{0}' -f $SID) -Wait -WindowStyle Hidden | |
| [gc]::collect() | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment