Using PowerShell to delete REG key for all users


  1. Posts : 989
    Microsoft Windows 10 Home
       #11

    Your code isn't identical to the posted code, so I'm glad I asked!

    Try the following from an Admin PowerShell console from an account with Admin privileges. If you're not running from the built-in Admin account, add that user folder name to the -notMatch string separated by a pipe symbol: 'Public|Administrator|<YourUserFolder>'


    Code:
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | out-null 
    
    Get-ChildItem -Path c:\users | ? Name -notMatch 'Public|Administrator' | ForEach {
        reg load "HKU\$_.Name" "$_.FullName\NTUSER.DAT"
        Remove-Item -Path "HKU:\$($_.Name)\SOFTWARE\Solidworks" -Recurse -Force
        reg unload "HKU\$_.Name"
    }
    Last edited by KeithM; 03 Sep 2020 at 20:08.
      My Computer


  2. Posts : 43
    Windows 10 Pro Insider
    Thread Starter
       #12

    KeithM said:
    Your code isn't identical to the posted code, so I'm glad I asked!

    Try the following from an Admin PowerShell console from an account with Admin privileges. If you're not running from the built-in Admin account, add that user folder name to the -notMatch string separated by a pipe symbol: 'Public|Administrator|<YourUserFolder>'


    Code:
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | out-null 
    
    Get-ChildItem -Path c:\users | ? Name -notMatch 'Public|Administrator' | ForEach {
        reg load "HKU\$_.Name" "$_.FullName\NTUSER.DAT"
        Remove-Item -Path "HKU:\$($_.Name)\SOFTWARE\Solidworks" -Recurse -Force
        reg unload "HKU\$_.Name"
    }
    Once again, sorry for delays in response, my schedule is absolutely hectic.

    This code does work better than the previous one. However, it still leaves me with the same error as before due to one simple fact: the user names are not the registry names. The registry names take the form of "S-1-5-XX".

    Anyways, having said that, I now realise that it's basically easier to just go through those by hand and simply delete the key folder I need. There's only one that I need to.

    Marking this as solved, even though the solution ended up being to not use PowerShell.

    - - - Updated - - -

    Welp, scratched that immediately. Turns out if the other users aren't logged in, RegEdit doesn't even see them. Which means the user I thought would be affected is not even the right one (in fact I don't even know which user it did affect).

    Back to trying to fix the PowerShell script.
      My Computers


  3. Posts : 989
    Microsoft Windows 10 Home
       #13

    fenrir0wulf said:
    Welp, scratched that immediately. Turns out if the other users aren't logged in, RegEdit doesn't even see them.
    We already knew that! What did you think the purpose of Reg Load was???

    The problem was a minor error in my code. Had you copied & pasted the errors you got when running my code, I could have replied even more rapidly. You need to help those who are trying to help you!

    I forgot that in expansion strings, we need to use "$($_.Name)" instead of just "$_.Name".

    Here is the corrected code:

    Code:
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | out-null 
    Get-ChildItem -Path c:\users | ? Name -notMatch 'Public|Administrator|keith' | ForEach {
        $TempName    = $_.Name
        $TempHive    = Join-Path HKU $_.Name
        $ProfilePath = Join-Path $_.FullName NTUSER.DAT
        reg load       $TempHive $ProfilePath
        Remove-Item    "HKU:\$TempName\SOFTWARE\Solidworks" -Recurse -Force
        reg unload     $TempHive
    }
      My Computer


  4. Posts : 43
    Windows 10 Pro Insider
    Thread Starter
       #14

    KeithM said:
    Code:
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | out-null 
    Get-ChildItem -Path c:\users | ? Name -notMatch 'Public|Administrator|keith' | ForEach {
        $TempName    = $_.Name
        $TempHive    = Join-Path HKU $_.Name
        $ProfilePath = Join-Path $_.FullName NTUSER.DAT
        reg load       $TempHive $ProfilePath
        Remove-Item    "HKU:\$TempName\SOFTWARE\Solidworks" -Recurse -Force
        reg unload     $TempHive
    }
    The code seems to work now. I say "seems" because after doing a whole bunch of trials with everything in this thread, it gives me the error that Remove-Item can't find the key, which is normal (it's already been deleted, obviously it won't find it).

    I guess the only trial left is to use it for real on a computer that I need to do it on.
    Will mark as solved once I confirm.
      My Computers


  5. Posts : 1
    1607
       #15

    Your issue is that you're iterating through usernames and giving that to the registry. The registry stores users by SID, not by username. You need to iterate by those.
    Use
    $(Get-ChildItem -Path REGISTRY::HKEY_USERS\).name
    The .name is used to get only that, otherwise you'd have the same issue as before.
    ... and be careful :)
      My Computer


  6. Posts : 1,797
    Windows 10 Pro
       #16

    dalchina said:
    Hi, quite agree many authors are not efficient in creating their uninstallers.

    Why not use tools meant for the job? Revo Uninstaller, Geek uninstaller, then there's Wise Uninstaller which included Forced Uninstall in the free version?

    I routinely use Geek Uninstaller (faster to launch than Revo).

    These launch the standard uninstallers, then perform a scan for leftovers. Forced Uninstall lets you browse to some part of the program and start an uninstall scan from that - e.g. when the installation is damaged.

    Pro versions include monitoring the installation and creating a log on which uninstalling can be based.

    I don't know of options for a per user uninstall, though.
    +1 to Revo. Works great and their support is excellent.
      My Computers


  7. Posts : 1,680
    X
       #17

    I don't lose sleep over things like this. If there are leftover registry entries ... so what?

    I just leave them alone.
      My Computer


  8. Posts : 17,038
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #18

    thatotherITguy said:
    your issue is that you're iterating through usernames and giving that to the registry ...
    Welcome to TenForums.

    I am sorry but you are not correct. Look at the reg load/unload lines - they load each user's profile [NTUser.dat], assign each profile a temporary reference name and then use that in the code.

    Denis
      My Computer


  9. Posts : 1,728
    Windows 10 Pro x64 22H2
       #19

    The process cannot access the file because it is in use.
    You need to exclude all currently logged in users from that code because their hives are already loaded; you can't load a hive twice.

    To access those already loaded hives you'll need to learn the user's SID first, because the SID is the actual key name that identifies a loaded hive under HKEY_USERS, and then work on that hive directly.

    Hopefully the keys you want to remove will allow Administrator to remove them (most likely this will be the case for HKEY_USERS), otherwise you'll have to take ownership and grant permissions on those keys, and for that there is no command that will let you do so, even if you write your own perfectly working code, because the PowerShell process doesn't have the required privileges even if you run it as Administrator.

    A hack does exist however if you need it.

    To get logged on users you can use the $env:UserName variable.

    To get SID value for each of the logged on users use this code:
    Code:
    foreach ($User in $env:UserName)
    {
          $NTAccount = New-Object -TypeName System.Security.Principal.NTAccount($User)
          $AccountSID = $NTAccount.Translate([System.Security.Principal.SecurityIdentifier]).ToString()
    }
    For each account the $AccountSID variable will hold the SID value.

    To delete specific keys I think this line is simply wrong because you need to specify provider path:
    Code:
    Remove-Item -Path "hkey_users\$user\SOFTWARE\Solidworks" /f
    It should be
    Code:
    Remove-Item -Path "HKU:\$user\SOFTWARE\Solidworks"
    To remove key for already loaded hive you would use this line instead:
    Code:
    Remove-Item -Path "HKU:\$AccountSID\SOFTWARE\Solidworks"
    And finally, to unload a hive that you manually loaded you don't just call reg unload. Instead use this code:
    Code:
    [gc]::collect()
    reg unload "hku\$user"
    I've omitted error checking code, but with all those pieces you should be able to write a small script that does all the job.
      My Computer
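
The pieces discussed in this thread (temporary hive load for logged-off users, working on the SID key for logged-on users, garbage collection before unload) combined with the error checking the last post leaves out. This is an added example, not code from any poster in the thread; the function name Remove-KeyFromAllUserHives and the Temp_ mount prefix are hypothetical, and it assumes the standard ProfileList registry key is used to map each SID to its profile folder.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell console.
function Remove-KeyFromAllUserHives {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Key path relative to each user's hive root; default is the key from the thread.
        [string]$SubKey = 'SOFTWARE\Solidworks'
    )
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    # Only real user accounts (S-1-5-21-...); skips SYSTEM and service profiles.
    Get-ChildItem $profileList | Where-Object PSChildName -like 'S-1-5-21-*' | ForEach-Object {
        $sid        = $_.PSChildName
        $hiveFile   = Join-Path (Get-ItemProperty $_.PSPath).ProfileImagePath 'NTUSER.DAT'
        $mount      = $sid          # key name under HKEY_USERS when already loaded
        $loadedByUs = $false

        if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
            # User is not logged on: mount the hive under a temporary name.
            if (-not (Test-Path -LiteralPath $hiveFile)) { Write-Warning "$sid : no NTUSER.DAT"; return }
            $mount = "Temp_$sid"
            reg.exe load "HKU\$mount" $hiveFile | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "$sid : reg load failed"; return }
            $loadedByUs = $true
        }
        try {
            $target = "Registry::HKEY_USERS\$mount\$SubKey"
            if (Test-Path -LiteralPath $target) {
                if ($PSCmdlet.ShouldProcess($target, 'Remove registry key')) {
                    Remove-Item -LiteralPath $target -Recurse -Force
                }
            } else { Write-Verbose "$sid : key not present" }
        }
        finally {
            if ($loadedByUs) {
                # Release handles held by the registry provider, or unload fails.
                [gc]::Collect(); [gc]::WaitForPendingFinalizers()
                reg.exe unload "HKU\$mount" | Out-Null
                if ($LASTEXITCODE -ne 0) { Write-Warning "$sid : reg unload failed" }
            }
        }
    }
}
Remove-KeyFromAllUserHives -WhatIf   # dry run; drop -WhatIf to delete
```

With -WhatIf the hives of logged-off users are still loaded and unloaded so the key can be looked up, but nothing is deleted.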


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
