
Support loading windows user registry hive directly from ntuser.dat file #5221

Open
AdamVB opened this issue Feb 14, 2025 · 0 comments
Labels
enhancement New feature or request

Comments

@AdamVB

AdamVB commented Feb 14, 2025

Is your feature request related to a problem? Please describe.
All the checks that rely on registry values being set under
HKEY_USERS\{SID}
can effectively only work when a user is "logged in", e.g. their hive is "loaded".
Once a user logs out, all entries under HKEY_USERS\{SID} are "unloaded".
Some customers have Windows systems where users aren't logged in during scan time, so all of these checks will not produce any results.
If we could load the user hive from NTUSER.DAT on our own, we could run the checks without having to rely on a user being logged in.
Windows essentially loads C:\Users\<username>\ntuser.dat on login too, so we'd be doing the same.

Describe the solution you'd like
Ideally this would extend the registry resource, maybe under a different property? Something that can load ntuser.dat for each user?

Describe alternatives you've considered
There isn't really an alternative to this, other than having checks fail or return no result

@AdamVB AdamVB added the enhancement New feature or request label Feb 14, 2025
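The workflow the request describes, as an added example that is not part of this issue or the project's code: enumerate local profiles from the ProfileList key, and for every user whose hive is not currently mounted under HKEY_USERS, load NTUSER.DAT under a temporary key name, read a value, and unload again. The checked value (ScreenSaveActive under Control Panel\Desktop) is only an illustrative placeholder for whatever per-user check the scanner would run; the key name prefix ScanHive_ and the function name Get-UserHiveValue are this example's own choices.

```powershell
# Added example (not the project's own code): run a per-user registry check
# against every local profile, mounting NTUSER.DAT for users who are logged off.
# Must run elevated; the checked value is an illustrative placeholder.

#Requires -RunAsAdministrator

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-UserHiveValue {
    param(
        [Parameter(Mandatory)] [string] $HiveRoot,   # e.g. HKEY_USERS\S-1-5-21-...
        [Parameter(Mandatory)] [string] $SubKey,
        [Parameter(Mandatory)] [string] $Name
    )
    $item = Get-ItemProperty -Path "Registry::$HiveRoot\$SubKey" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = foreach ($p in Get-ChildItem $profileList) {
    $sid = $p.PSChildName
    # Only real user profiles (S-1-5-21-...) carry an NTUSER.DAT worth scanning;
    # skip the built-in service SIDs and .bak entries.
    if ($sid -notmatch '^S-1-5-21-[\d-]+$') { continue }
    $path = (Get-ItemProperty $p.PSPath).ProfileImagePath
    $hive = Join-Path $path 'NTUSER.DAT'

    $loadedByUs = $false
    $root = "HKEY_USERS\$sid"              # where Windows mounts the hive at logon
    if (-not (Test-Path "Registry::$root")) {
        # User is logged off, so the hive is not mounted. Mount it under a temporary
        # name rather than the SID so we never collide with a logon happening mid-scan.
        $tempKey = "ScanHive_$sid"
        $root    = "HKEY_USERS\$tempKey"
        $out = & reg.exe load "HKU\$tempKey" $hive 2>&1
        if ($LASTEXITCODE -ne 0) {
            [pscustomobject]@{ SID = $sid; Profile = $path; Status = "load failed: $out"; Value = $null }
            continue
        }
        $loadedByUs = $true
    }

    try {
        $value = Get-UserHiveValue -HiveRoot $root -SubKey 'Control Panel\Desktop' -Name 'ScreenSaveActive'
        $status = if ($loadedByUs) { 'loaded from NTUSER.DAT' } else { 'already mounted' }
        [pscustomobject]@{ SID = $sid; Profile = $path; Status = $status; Value = $value }
    }
    finally {
        if ($loadedByUs) {
            # PowerShell keeps .NET RegistryKey handles alive; release them first or
            # "reg unload" fails with "Access is denied" and the hive stays mounted.
            [GC]::Collect(); [GC]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$tempKey" | Out-Null
        }
    }
}

$results | Format-Table -AutoSize
```

Two points matter for a scanner doing this unattended. First, the unload in the finally block is not optional: a hive left mounted keeps NTUSER.DAT locked, and the next logon for that user falls back to a temporary profile. Second, mounting under a temporary name instead of the SID means the check reads the same data Windows would mount at logon without interfering with a logon that happens while the scan is running; the same reg load call also works against an NTUSER.DAT copied from an offline disk image, which is useful for forensic review of a machine that is not running.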