Efficient Registry Cleanup Tech. Genix. This article will demonstrate how to script a registry cleanup or modification for all user profiles on a given computer for instance to do a virus sweep. We will also see how this approach can be used together with a computer startup script within a computer Group Policy Object to modify all user profiles in the domain, site or OU. Yes, we can actually modify user registry settings by using a computer startup scriptIn some cases you can be required to delete, add or modify some part of the registry for all users on a computer at once. In most cases we would prefer to use a Group Policy Object GPO on the users to add or modify a given value, but when it comes to removing values we sometimes have to use scripts unfortunately, you might say. Also, sometimes we want to perform a cleanup task in a single process without having to wait for all users to log on. This article will show how to do this in a fairly easy way. We will see how it is possible to do the registry modification by using a very efficient registry script and to combine this with a GPO on the machine level startup or shutdown, instead of using a GPO on the user object logon or logoff. Why would I want to do this So, why is that a smart approach Well, maybe you want to do the cleanup during the night, you might want to make sure that a certain value is modified deleted, added or changed by the next morning typically the Run or Run. Once keys in the user part of the registry after a virus attack so combined with a Wake On Lan WOL procedure you can be ready to go home in no time In other cases the user might not have the required privileges to perform the cleanup or modification task. The registry key you want to change might be protected by a security permission, making it impossible to use a user GPO as it will run in the user context. Forums/getfile/559797' alt='Cannot Load Software Registry Hive Files' title='Cannot Load Software Registry Hive Files' />My wife and I try to divide our household chores equally She cooks, I do the dishes. She buys groceries, I do the laundry. My easiest chore is setting the table. It. Sometimes it happens that disk check always starts to check the file system on one or more drives for consistency. If any key is pressed, the disk checking. The great thing is that computer startup scripts execute in the context of the System account that can be very useful to keep in mind in many situations Warning The code presented in this article is produced for testing purpose only use in production is at your own risk. The included code is simplified a bit to be easier to understand and read. Please be sure you confirm the script functionality in your test environment before implementing this in production. You can include additional error handling, logging and additional functionality modify as you wantI am not saying the code does not work, just making sure you understand that execution is at your own risk. The background. Before we take too deep a dive into the code, a few things about the registry must be perfectly clear. It is very common that people think the HKEYUSERS part of the registry is a place where you can see all local profiles on a given computer. However, this is not the case. The HKEYUSERS lists profiles that are currently loaded on the machine, so to speak the profiles that are active in memory. As soon as a user logs on to a computer, an entry will be visible in this part of the registry. XCBsNvMNHLf0QMxxpakWLI=/768x0/filters:no_upscale()/hkey-local-machine-57c76bc73df78c71b65aac0e.png' alt='Cannot Load Software Registry Hive Files' title='Cannot Load Software Registry Hive Files' />Runtime Error Program Files Fix, Clean RUNTIME ERROR PROGRAM FILES And Optimize PC SPEED Up Your PC FREE Scan Now Recommended. System Center Reporting Manager 2006 Jeep there. Registry Fix. Figure 1. As shown in Figure 1 you will normally be able to see a few profiles loaded even though only one user is logged on to the console. When a user logs off, the Registry Hive is unloaded and is no longer visible under HKEYUSERS. Here is a short explanation on the loaded hives. DEFAULT is the default user profile NOT something that all users will see like a Public or All Users profile and NOT a registry profile that is copied to all new users on the computer these are common misunderstandings. This is however the standard profile in use, even when nobody is logged on hence the startup profile loaded before you even reach the desktop. By setting values in this profile you can change options such as desktop background during the logon screen CtrlAltDelete, the initial NumCaps Lock settings etc. S 1 5 1. System Security Identifier SIDS 1 5 1. Local. Service SIDS 1 5 2. Network. Service SIDA profile or SID starting with S 1 5 2. How to recover from a corrupted registry that prevents Windows XP from starting. In the Windows 98, CE, NT, and 2000 operating systems, a registry key is an organizational unit in the Windows registry, an internal database the comput. SID of the built in Administrator account. The real and active user profiles are all other entries in the HKEYUSERS part of the registry. In the script examples included in this article the above specified profiles are NOT touched only regular users are touched you could change that easily by deleting a few lines in the code. Load My HiveSo, what if I want to modify a profile of a user that is not currently logged onWell, we have at least two options 1 to manually load the hive in Regedit. Let us look at the first option first. If you open Regedit Start Run Regedit and browse to the HKEYUSERS entry you have to click or mark it, then go to the File menu, you should now be able to choose Load Hive see Figure 2Figure 2. At this point we are prompted to enter a path to an NTUSER. DAT file see Figure 3. Figure 3. The NTUSER. DAT file is located in the user profile folder. Above, we can see the NTUSER. DAT file of the user test. That file is located right below the C Documents and Settingstest. Windows Vista, user profiles are typically stored below the C Users folder. If you cannot see the NTUSER. DAT file as we can in Figure 3, you should go to Tools Folder options and select Show hidden files and folders. When loading a hive temporarily we need to give it a name make your own choice. In Figure 4 and the script examples we are using the name Tmp. Load. Hive. Figure 4. Click OK and the hive hierarchy should be visible, and expandable, as shown in Figure 5. Figure 5. In Figure 5 Tmp. Load. Hive has been expanded to show the structure of a loaded user hive it should look exactly like any other user registry. It is identical to what the user will have in his or her HKEYCURRENTUSER HKCU when logged on to the machine. When done, remember to unload the user hive again by marking the Tmp. Load. Hive hive and going to the File menu Unload Hive as in Figure 6. Important If you do not unload the hives, you cannot load that hive again until after a reboot, because you cannot load an already loaded hive this also goes for logged on users including Fast User switching users. This will also make the script fail loading the hive. Figure 6. That procedure would be very annoying if you had to do it for all user profiles on all computers in your domain, right Luckily we have another method by using our good old friend REG. EXE. An old friend to the rescue. The REG. EXE command has two very useful parameters LOAD and UNLOAD. They do exactly the same stuff as we did manually above. We just have to specify the temporary hive name and a full path to the NTUSER. DAT file we want to load into memory. You want a script exampleOk, to set the background for the Default User profile we could run the following code REG. EXE LOAD HKUDef. U C Documents and SettingsDefault Userntuser. REG. EXE ADD HKUDef. UControl PanelDesktop v Wallpaper d C WindowsWallpaper. REG. EXE UNLOAD HKUDef. UThe above code will first LOAD the hive for the Default User profile into a temporary hive called Def. U in the HKEYUSERS part of the registry database. Then it will set a registry value for the desktop background for the Default User profile, which is the profile that is copied automatically when new users are created the first time they log on. Finally, it will UNLOAD the temporary hive. So how can I find the Ntuser.