I read this from a posting in the Windows SysInternals forum.

The HKCU - hive key current user - will point to that user's hive key who authenticated on the remote machine with the help of psexec. It will not point to the user's hive key who has logged on interactively to the machine's desktop, unless both accounts happen to be identical.

I am facing the same problem with trying to push the signer and cert associated with a self signed certificate to the HKEY_CURRENT_USER/Software/Microsoft/SystemCertificates/Root/Certificates folder in the Windows registry for the user signed onto the remote machine.

If the userid and password used with PsExec are the same as the user currently logged onto the remote machine everything works fine. The HKCU registry entries get added as expected.

Since we can't ask each end-user for their AD password I am trying to sort out how I can get this to work when both accounts aren't identical. I have a Windows service account that has admin rights on all the PCs in the domain I am trying to push the cert and signer out to. If I use that account with psexec the registry entries do not get added for the user logged onto the remote PC.

Is there any way I can write to HKEY_CURRENT_USER using psexec when both accounts aren't identical? That is, when the account used with the psexec command is not the account that is currently logged onto the remote PC.

example:

User remoteuser is logged onto the remote PC on which we want to install the cert entry into the HKCU hive but we use a different user/account with psexec. We do this because we don't know the AD passwords for all the remote users we want to update the HKCU hive for. That would be a serious security issue.

In this example we use the psexecuser account to start the psexec service on the remote PC that the AD user remoteuser is logged onto.

C:\psexec @C:\remoteUserPCList.txt -u ourdomain\psexecuser -p psexecuserpassword -d -c -f C:\InstallSSLCertinHKCU.bat

The HKCU registry entries do not get added for the remoteuser account on the remote PC.

Any fixes that would work with psexec would be a great help. I suspect we could use AD GPO but I am hopeful that there is some trick out there that can be used with PsExec.

regards

1 Answer

psexec can't impersonate the logged-on user. But you don't need to push a self-signed certificate to the user's profile on the remote machine, you can push it to the computer account instead, and you can even do that with group policy.
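As an added illustration of the answer's suggestion (not code from the question or the answer), this PowerShell script installs the self-signed certificate into the computer account's trusted root store, Cert:\LocalMachine\Root, instead of the logged-on user's HKCU store; it is meant to run on the target PC under the admin service account, for example launched through psexec in place of the batch file above. The certificate file path C:\Temp\selfsigned.cer is an assumed placeholder.

```powershell
# Added example: trust a self-signed root certificate for the whole machine
# (computer account) so the logged-on user's identity no longer matters.
# Assumption: the .cer file has already been copied to C:\Temp\selfsigned.cer.
param(
    [string]$CertPath = 'C:\Temp\selfsigned.cer'
)

$ErrorActionPreference = 'Stop'

# Load the certificate so the result can be checked by thumbprint, not exit code.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$store = 'Cert:\LocalMachine\Root'   # machine store; Cert:\CurrentUser\Root is the HKCU one

if (Test-Path (Join-Path $store $cert.Thumbprint)) {
    Write-Output "Already trusted by this machine: $($cert.Thumbprint)"
    exit 0
}

# Import-Certificate comes with the PKI module (Windows 8 / Server 2012 and later);
# certutil has been present far longer, so fall back to it on older systems.
if (Get-Command Import-Certificate -ErrorAction SilentlyContinue) {
    Import-Certificate -FilePath $CertPath -CertStoreLocation $store | Out-Null
} else {
    # Without -user, certutil targets the LocalMachine store.
    & certutil.exe -addstore -f Root $CertPath | Out-Null
}

# Verify the install by thumbprint rather than trusting the tool's exit code.
if (Test-Path (Join-Path $store $cert.Thumbprint)) {
    Write-Output "Installed into LocalMachine\Root: $($cert.Subject) ($($cert.Thumbprint))"
} else {
    Write-Error "Certificate not found in LocalMachine\Root after import"
    exit 1
}
```

The group policy route the answer mentions targets the same machine store: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.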