Access all user registries with Remote Registry Service

Question

I'm currently working on a PowerShell tool that reads from the registry remotely via the Remote Registry Service. When a user is logged in, the data I'm reading from is located in HKCU\Software\. Obviously, when a computer has multiple user accounts, HKCU will not accurately reflect all users. Is there a dynamic way where I can loop through all users on a computer and access their registries?

Currently I'm doing the following in PowerShell:

$KeyType = [Microsoft.Win32.RegistryHive]::CurrentUser
$BaseRegKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($KeyType, $RemoteComputer)
$SoftwareKey = $BaseRegKey.OpenSubKey($SoftwarePathEnding)

How would I be able to use similar code to loop through all users to get the right data I'm looking for?

Sorry if this isn't explained too well and if I'd need to provide some clarification.

Answer 1

HKCU is a shortcut to HKU\<User-SID>, where the ntuser.dat from the user's profile is loaded at login. To get access to every user's registry branch you need to load each user's ntuser.dat first, e.g. by running reg load on the remote host via Invoke-Command.

Invoke-Command -Computer 'hostname' -ScriptBlock {
    & reg load 'HKU\someuser' 'C:\Users\someuser\ntuser.dat'
}

Don't forget to reg unload the file after you're done.