Can''t access the Classes subkey after loading user's hive in registry

On my PC, there is an administrator account and two user accounts. There is a particular CLSID subkey in the registry that appears only in the hive of one of the users, and I am trying to access that CLSID subkey while logged on to the administrator account.

When I am logged on to the user account, the target CLSID subkey appears at:

HKEY_CURRENT_USER \SOFTWARE\Classes\WOW6432Node\CLSID\{Target CLSID}

and, of course, it also appears at:

HKEY_USERS\<User SID>\SOFTWARE\Classes\WOW6432Node\CLSID\{Target CLSID}

However, when I log off from the user account and log on to the administrator account, and then load the user’s hive into the registry, Classes does not appear as a subkey of SOFTWARE for that user in HKEY_USERS.

In fact, when I am logged on to the user account, SOFTWARE has 12 subkeys, including Classes. But when I am logged on to the administrator account, with user’s hive loaded, SOFTWARE has only 11 subkeys - the missing subkey being Classes.

Can anyone please explain what is happening? Am I doing something wrong?

Also load ntuser.dat from the username profile folder.

SIW2 said:

Also load ntuser.dat from the username profile folder.

I'm not quite sure what you mean by the "username profile folder".

When I am logged on to the administrator account, I load the user's hive from C:\Users\<user name>\NTUSER.DAT. Is that what you mean by the "username profile folder"? If so, that is what I am already doing.

- - - Updated - - -

Try3 said:

Tony,

Only 12 Subkeys of the Software Key? I'm amazed, mine has more than a screenful of SubKeys.

When you load another user's hive, you don't end up referring to the SID
HKEY_USERS\<User SID>\SOFTWARE
but to whatever word you've chosen during the hive loading procedure e.g.
HKEY_USERS\Fred\SOFTWARE
and I'm a bit surprised you haven't referred to it that way.

Denis

Can't really comment on why you have a screenful of subkeys of the SOFTWARE key other than perhaps you have software from a lot more vendors than I do.

Slight misunderstanding on the second point. When I am logged on to the user's account, my understanding is that what you see in:

HKEY_CURRENT_USER \SOFTWARE

is exactly the same as what you see in:

HKEY_USERS\<User SID>\SOFTWARE

where <User SID> is S-1-5-21-...-1003 (or whatever). The hive isn't loaded at that time. The user hive is loaded only when I log off from the user account and log on to the administrator account. And, yes, when I then load the hive, I need to choose a name like "Fred" in order to see the hive in:

HKEY_USERS\Fred\SOFTWARE

It is in this view, that Classes is not present as a subkey of SOFTWARE, and I would like to know why not. I think that I am missing another step somewhere.

In case it is relevant, before I log off from the administrator account, I unload the user hive.

The Classes subkey is not located in the user's NTUSER.DAT. See here:
Edit Classes-Registry of other users - Stack Overflow

kreemoweet said:

The Classes subkey is not located in the user's NTUSER.DAT. See here:
Edit Classes-Registry of other users - Stack Overflow

Bingo!

There is a list
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

My thanks to all who replied to this thread. The key piece of information that I did not know, and is not widely covered in articles on the Internet, is that the user classes are in:

C:\Users\<User Name>\AppData\Local\Microsoft\Windows\UsrClass.dat

and this hive has to be loaded before the administrator can see them in the registry editor. The user classes are not in:

C:\Users\<User Name>\NTUSER.DAT

I've now managed to achieve what I was trying to do.