
October 19, 2017 at 12:34 am

I have hit a problem I haven't been able to solve despite trying quite hard.

Basically I have created a PowerShell script to alter\change values in the HKU hive for a specific user on a remote Windows 10 Amazon WorkSpace. The script loads the hive and makes the changes perfectly but I am getting an error when trying to unload the hive. I have tried various methods as suggested on different forums but to no avail. Here is the part of the script I'm having trouble with:

$WorkSpace = "blahComputerName"
$PSS = New-PSSession -ComputerName $WorkSpace
$UserAcc = "XXXXX"
$SID = (Get-ADUser -server MyDomain.com -Identity $UserAcc).SID.Value

Invoke-Command -Session $PSS -ArgumentList $SID, $UserAcc -ScriptBlock {

# map HKEY_USERS as a provider drive so the loaded hive is reachable as HKU:\<SID>
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS

reg load "HKU\$($args[0])" "D:\Users\$($args[1])\NTUser.Dat"

Clear-ItemProperty -Path "HKU:\$($args[0])\SOFTWARE\Microsoft\Office\Common\UserInfo" -Name "UserInitials"

[gc]::collect()
Start-Sleep -Seconds 5

reg unload "HKU\$($args[0])"

Remove-PSDrive -Name HKU

}

Remove-PSSession -Id $PSS.Id

I have also read that using $SomeThing.Handle.Close() will close any open handles PowerShell might still have with the provider which might be causing the error but I can't see how to use it in this context.

Here is the exact error:

ERROR: Access is denied.
    + CategoryInfo          : NotSpecified: (ERROR: Access is denied.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName        : blahComputerName

I have manually observed the remote registry hive being loaded and then apparently unloaded, but this error worries me and I would like to solve it. I have proved that it's reg unload "HKU\$($args[0])" that is causing the error but can't find the correct solution.

It seems the hive is successfully unloaded when the PSSession is removed (Remove-PSSession -Id $PSS.Id) – not sure if it really is, though, and I would expect the correct method is the one I am attempting – reg unload "HKU\$($args[0])".

The script runs with the required elevated privileges, so it's not that. The remote WorkSpace is in a logged off state.

Any advice would be greatly appreciated. Thank You

October 19, 2017 at 7:41 am

You may try to put "Remove-PSDrive" before "reg unload" and "[gc]::collect()", but your task is simple, so you can use "reg delete" instead of "Clear-ItemProperty", so PowerShell is not involved in registry tasks and can't block unloading.

October 19, 2017 at 8:32 am

Hi Max, thank you for your reply. I have tried every variation of "Remove-PSDrive" before "reg unload" and "[gc]::collect()". In any order it still fails to unload the hive until "Remove-PSSession -Id $PSS.Id" occurs.

As far as the tasks are concerned – In this example I just used one, the actual script performs a very large number of changes using different procedures on HKU. Loading the hive is unavoidable.

Here's another clue – If I RDP onto the target machine, I see the hive load as the script tells it to, but if I pause the script there I cannot manually unload the hive, it says access is denied, so PowerShell is definitely holding it open.

Any further advice would be greatly appreciated.

October 19, 2017 at 1:07 pm

So, you can run a subprocess inside your session:

{
  reg load
    powershell.exe yourscripthere...
  reg unload
}

This way the other PowerShell locks your registry, but it closes before 'reg unload'.

But I prefer using the remote registry .NET methods:

remotely: {
  reg load ...
}
locally:
{
  $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $ComputerName)
  try {
    ...
  }
  finally {
    $reg.Close()
  }
}
remotely:
{
  reg unload ...
}
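
The second approach above (edit the loaded hive through .NET RegistryKey objects and release the handles in a finally block before reg unload), as an added example that is not from the thread: it runs inside the remote session with OpenBaseKey instead of calling OpenRemoteBaseKey locally, and the function name Edit-OfflineUserHive, its parameters and the sample paths are assumptions.

```powershell
# Added example, not the thread's own code. Loads a user's NTUSER.DAT, hands the
# open hive root to a scriptblock, then disposes every handle before 'reg unload'.
function Edit-OfflineUserHive {
    param(
        [Parameter(Mandatory)][string]$Sid,       # e.g. the SID from Get-ADUser
        [Parameter(Mandatory)][string]$HivePath,  # e.g. "D:\Users\<user>\NTUser.Dat" (assumed path)
        [Parameter(Mandatory)][scriptblock]$Edit  # receives the writable hive root key
    )
    $mount = "HKU\$Sid"
    & reg.exe load $mount $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE) for $HivePath" }

    $users = $null; $root = $null
    try {
        # Use the .NET API rather than the HKU: provider drive, so the handles are
        # explicit objects that can be released deterministically in 'finally'.
        $users = [Microsoft.Win32.RegistryKey]::OpenBaseKey('Users', 'Default')
        $root  = $users.OpenSubKey($Sid, $true)
        if (-not $root) { throw "Loaded hive not visible at $mount" }
        & $Edit $root
    }
    finally {
        if ($root)  { $root.Dispose() }   # closes the handle into the loaded hive
        if ($users) { $users.Dispose() }
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload $mount | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload of $mount failed ($LASTEXITCODE)" }
    }
}

# Usage mirroring the thread's edit (clearing the Office 'UserInitials' value);
# $SID and $UserAcc are the variables from the original script:
# Edit-OfflineUserHive -Sid $SID -HivePath "D:\Users\$UserAcc\NTUser.Dat" -Edit {
#     param($hive)
#     $k = $hive.OpenSubKey('SOFTWARE\Microsoft\Office\Common\UserInfo', $true)
#     if ($k) { try { $k.SetValue('UserInitials', '') } finally { $k.Dispose() } }
# }
```

Every subkey opened inside the Edit scriptblock must also be disposed there, otherwise that handle outlives the function's finally block and the unload fails again.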

October 20, 2017 at 1:43 pm

Thanks Max, I will research what "subprocess inside your session" means because I am not sure, even with your example. I don't want to waste your time, but if you can – please expand my example script to describe what you mean.

Thanks a lot,
Ian

October 23, 2017 at 2:17 pm

Something like this...

$WorkSpace = "blahComputerName"
$PSS = New-PSSession -ComputerName $WorkSpace
$UserAcc = "XXXXX"
$SID = (Get-ADUser -server MyDomain.com -Identity $UserAcc).SID.Value

Invoke-Command -Session $PSS -ArgumentList $SID, $UserAcc -ScriptBlock {

reg load "HKU\$($args[0])" "D:\Users\$($args[1])\NTUser.Dat"

# Do the registry work in a child powershell.exe, so the handles opened by the
# registry provider die with that process before 'reg unload' runs.
# powershell.exe has no -ArgumentList, so the SID is expanded into the script
# text with an expandable here-string instead.
$child = @"
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS | Out-Null
Clear-ItemProperty -Path 'HKU:\$($args[0])\SOFTWARE\Microsoft\Office\Common\UserInfo' -Name 'UserInitials'
Remove-PSDrive -Name HKU
"@
powershell.exe -NoProfile -EncodedCommand ([Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($child)))

[gc]::collect()
Start-Sleep -Seconds 5

reg unload "HKU\$($args[0])"

}

Remove-PSSession -Id $PSS.Id

October 24, 2017 at 8:45 am

Thanks Max – I will try this out and let you know.
🙂