I've got a certain registry key (created by our software) that needs to be removed from each local user account at some point. Thus, I try to load the user's hive and then use SHDeleteKey (as the key is not empty) to get the job done. However, SHDeleteKey always returns LSTATUS 2 (ERROR_FILE_NOT_FOUND).

The registry key for each user is placed under HKCU\Software\XYZ.

First, I set the required privileges within my code, which seems to work (return val is TRUE):

    (...)
    HANDLE th;
    LUID rsto;
    LUID bckp;
    TOKEN_PRIVILEGES tp;
    TOKEN_PRIVILEGES tp2;
    // TOKEN_ADJUST_PRIVILEGES is needed to enable privileges, TOKEN_QUERY to read them back.
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &th);
    // RegLoadKey / RegUnLoadKey require SeRestorePrivilege and SeBackupPrivilege on the caller's token.
    LookupPrivilegeValue(NULL, SE_RESTORE_NAME, &rsto);
    LookupPrivilegeValue(NULL, SE_BACKUP_NAME, &bckp);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    tp.Privileges[0].Luid = rsto;
    tp2.PrivilegeCount = 1;
    tp2.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    tp2.Privileges[0].Luid = bckp;
    // No PreviousState buffer is supplied, so BufferLength is 0, not 1024.
    // AdjustTokenPrivileges returns TRUE even when a privilege was NOT granted (the token
    // simply does not hold it); only GetLastError() == ERROR_SUCCESS, as opposed to
    // ERROR_NOT_ALL_ASSIGNED, means the privilege is really enabled.
    BOOL p = AdjustTokenPrivileges(th, FALSE, &tp, 0, NULL, NULL);
    BOOL p_ok = p && GetLastError() == ERROR_SUCCESS;
    BOOL p2 = AdjustTokenPrivileges(th, FALSE, &tp2, 0, NULL, NULL);
    BOOL p2_ok = p2 && GetLastError() == ERROR_SUCCESS;
    CloseHandle(th);
    (...)

Then I use RegLoadKey to load the user's hive. std::string connection contains the path to the respective ntuser.dat file; username is the local user account name. So the hive should be loaded under HKEY_USERS\username:

    (...)
    // Mounts the hive file as HKEY_USERS\<username>; returns an LSTATUS (0 == ERROR_SUCCESS).
    DWORD result = RegLoadKey(HKEY_USERS, username.c_str(), connection.c_str());
    return result == ERROR_SUCCESS;
    (...)

Now, I try to delete:

    (...)
    // SHDeleteKey removes the key together with all of its subkeys and values
    // (RegDeleteKey would fail with ERROR_ACCESS_DENIED on a non-empty key).
    k = username + "\\Software\\XYZ";
    result = SHDeleteKey(HKEY_USERS, k.c_str());
    // Unmount the hive again, otherwise the ntuser.dat file stays locked until the process exits.
    RegUnLoadKey(HKEY_USERS, username.c_str());

And now result has the value 2. But the key exists.

What am I doing wrong? Thank you in advance...

UPDATED INFO: I realized the problem must be somewhere in RegLoadKey. When I load the hive via the command line (REG.exe load "HKU\username" ...), I can see the node "username" under HKEY_USERS within regedit.exe. All child nodes are loaded under that node. When I pause my program after RegLoadKey, the node "username" is also shown under HKEY_USERS, but the node is visualized as empty, so no child nodes are available. How can this happen? This problem is driving me nuts.

PhilMY: Have you tried \\Software\\Wow6432Node\\XYZ?

mbue: It's a 32-bit system, forgot to mention that. Sorry.

Mahmoud Al-Qudsi: I wrote a small helper EXE to do this (delete a key from all profiles), but it has a lot of hard-coded info. I can clean it up and post it later tonight if no one else has provided a solution.

mbue: Thank you very much, but it won't be necessary. Look at my answer below :S

Beached: Why not simplify and run the code at logon? The key will not be used until then anyway. Have it start in Startup and it could be as simple as a regedit.exe /s regfile.reg with a "-" hyphen in front of the key name.

1 Answer


Looked at my code again today and I just saw that I loaded "ntuser.BAT" instead of "ntuser.DAT" (both files exist).

I'm really sorry that I wasted your time. :-/
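The procedure the question walks through (enable the backup/restore privileges, load each user's NTUSER.DAT under HKEY_USERS, delete the subtree, unload again) as a complete script, added here as an example; it is not code from the question, the answer or the comments. It is written for an elevated PowerShell session: reg.exe enables SeBackupPrivilege and SeRestorePrivilege on its own token, which is what the posted AdjustTokenPrivileges block does by hand. The key path "Software\XYZ" is the one from the question; the script name, the "Temp_<SID>" mount name and the -WhatIf dry run are assumptions of this example. It also guards against the failure mode the accepted answer turned out to be (loading the wrong file): it checks that NTUSER.DAT exists, that reg load succeeded, and that the mounted node actually contains a Software key before trying to delete anything.

```powershell
#Requires -RunAsAdministrator
# Remove-KeyFromAllProfiles.ps1 (hypothetical name, added example)
# Removes HKCU\<RelativeKey> from every local user profile by mounting each profile's
# NTUSER.DAT under HKEY_USERS, deleting the subtree, and unmounting it again.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$RelativeKey = 'Software\XYZ'   # key from the question; change as needed
)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Real user accounts have SIDs of the form S-1-5-21-*; this skips the service accounts
# (S-1-5-18/19/20) that also appear in ProfileList. ProfileImagePath is REG_EXPAND_SZ and
# is expanded by the registry provider.
$profiles = Get-ChildItem $profileList |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
    ForEach-Object {
        [pscustomobject]@{
            Sid  = $_.PSChildName
            Path = (Get-ItemProperty $_.PSPath).ProfileImagePath
        }
    }

foreach ($p in $profiles) {
    $hivePath = Join-Path $p.Path 'NTUSER.DAT'     # the hive itself, not NTUSER.DAT.LOG etc.
    if (-not (Test-Path -LiteralPath $hivePath)) {
        Write-Warning "$($p.Sid): no NTUSER.DAT under $($p.Path), skipping"
        continue
    }

    # A logged-on user's hive is already mounted as HKU\<SID>; loading the file a second
    # time would fail (the file is locked), so work on the live hive in that case.
    $mountName  = $p.Sid
    $loadedHere = $false
    if (-not (Test-Path "Registry::HKEY_USERS\$mountName")) {
        $mountName = "Temp_$($p.Sid)"              # assumed temporary mount point
        & reg.exe load "HKU\$mountName" $hivePath | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$($p.Sid): reg load of $hivePath failed (exit code $LASTEXITCODE)"
            continue
        }
        $loadedHere = $true
    }

    try {
        $hiveRoot = "Registry::HKEY_USERS\$mountName"
        # Every genuine user hive has a Software key. A mounted node that shows up empty
        # means the wrong file was loaded (the symptom described in the question).
        if (-not (Test-Path "$hiveRoot\Software")) {
            Write-Warning "$($p.Sid): mounted hive has no Software key; is $hivePath really the user hive?"
            continue
        }

        $target = "$hiveRoot\$RelativeKey"
        if (Test-Path -LiteralPath $target) {
            # -Recurse is the equivalent of SHDeleteKey: subkeys and values go too.
            if ($PSCmdlet.ShouldProcess($target, 'Remove registry key')) {
                Remove-Item -LiteralPath $target -Recurse -Force
                Write-Verbose "$($p.Sid): removed $RelativeKey"
            }
        }
        else {
            Write-Verbose "$($p.Sid): $RelativeKey not present"
        }
    }
    finally {
        if ($loadedHere) {
            # The registry provider keeps key handles alive until they are collected; an
            # open handle makes reg unload fail with "Access is denied".
            [GC]::Collect()
            [GC]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$mountName" | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "$($p.Sid): reg unload of HKU\$mountName failed (exit code $LASTEXITCODE)"
            }
        }
    }
}
```

Run it once with -WhatIf -Verbose to see which profiles would be touched before deleting anything. Leaving a hive mounted is the classic mistake in this kind of script: the user's NTUSER.DAT stays locked and their next logon gets a temporary profile, which is why the unload lives in a finally block.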