Remove HKCU registry keys of multiple users with PowerShell

If you have supported software in an organization of any size, trying to remove HKEY_CURRENT_USER (HKCU) registry keys from all user accounts more than likely has posed a challenge. Whether your goal is to remove software-related keys or to add configuration items to all user accounts, it can become tricky. In this article, I will discuss how to do this with PowerShell.
Profile gravatar of Josh Rickard

Josh Rickard

Josh's primary focus is in Windows security and PowerShell automation. He is a GIAC Certified Windows Security Administrator (GCWN) and GIAC Certified Forensic Analyst (GCFA). You can reach Josh at MSAdministrator.com or on Twitter at @MS_dministrator.
Profile gravatar of Josh Rickard

Traditionally you could accomplish this by using the User Configuration option in a Group Policy object, but with PowerShell you don't have to. Don't get me wrong—Group Policy may be the best option in your situation. If you want to remove software or a configuration item almost immediately, and you do not want to wait until users log in to their systems to apply it, then PowerShell is your answer. PowerShell is nothing but flexible.

There may be many reasons why you would want to remove registry keys from unloaded profiles, but more than likely it is because you need to remove HKCU registry keys that a piece of software left behind. By writing a PowerShell script or function, you can load all unloaded HKCU user hives, make your change, and unload those hives. The general process to do this in PowerShell is to:

  1. Find all unloaded user hives on a system.
  2. Iterate through each of them.
  3. Make the necessary change.
  4. Unload each loaded user hive.
Loading an user hive to HKU

Loading an user hive to HKU

To find all the unloaded user hives on a system, we first need to find all HKCU hives on the machine. We can find all profiles on a machine by looking in the registry:

Now that we know which user profiles are on the machine, we need to filter out all the currently loaded profiles.

For backward compatibility with PowerShell V2, we need to separate out the values from $LoadedHives and create a new PSCustomObject:

Now that we have two lists of SIDs, all HKCU hives, and the currently loaded HKCU hive(s), we need to filter them so that we only load unloaded hives. Additionally, for backward compatibility, we need to use the Measure-Object cmdlet instead of the traditional $var.count approach. In PowerShell V2, if you have an object of fewer than two items, the count property does not work properly, thus the use of Measure-Object:

In the block comment above, you can search, add, modify, or remove any registry keys for that specific HKCU user hive. After we have made any additions or subtractions from the loaded user hive, we then need to do a little cleanup. You never want to leave items behind or in a state that has the potential to cause issues or conflicts with other system calls. To do this, we just need to add the following piece of code within our inner if statement:

That's it! Next time you have a piece of software that leaves items around or you need to add registry keys/values to resolve an issue, PowerShell is the answer.

Initial research for this article was provided by Bryce McDonald.

Take part in our competition and win $100!

3+

Users who have LIKED this post:

  • avatar

Related Posts

1 Comment
  1. avatar
    Itamar 2 weeks ago

    Can you send or share the entire code?

    and how do I do this remoting

    Tnx

    2+

Leave a reply

Your email address will not be published. Required fields are marked *

*

CONTACT US

Please ask IT administration questions in the forum. Any other messages are welcome.

Sending
© 4sysops 2006 - 2017
Do NOT follow this link or you will be banned from the site!

Log in with your credentials

or    

Forgot your details?

Create Account