5 Replies Latest reply on Jan 24, 2013 11:59 AM by Lazar NameToUpdate

    HKEY_CURRENT_USER registry keys

    Joe Piotrowski

      I need to create some Compliance Rules that check for the values of some registry keys stored in HKEY_CURRENT_USER. But that hive doesn't exist when you live browse a server.


      Does anyone have an good way to create Compliance analysis and remediation options for this?

        • 1. Re: HKEY_CURRENT_USER registry keys

          You live browse as the BladeLogicRSCD user, which most likely does not have that hive because you never log in with this account. That hive is for the user that's currently logged in to the system, if I'm not mistaken.

          What is your use case here? Perhaps there's another way to accomplish it.

          • 2. Re: HKEY_CURRENT_USER registry keys
            Joe Piotrowski

            This is from the DISA Internet Explorer 10 STIG:


            Group ID (Vulid):  V-32808

            Group Title: DTBI018 - Publishers Certificate Revocation

            Rule ID: SV-45116r1_rule

            Severity: CAT II

            Rule Version (STIG-ID): DTBI018

            Rule Title: Check for publishers certificate revocation must be enforced.


            Vulnerability Discussion:  Check for publisher's certificate revocation options should be enforced to ensure all PKI signed objects are validated.


            Responsibility:  System Administrator

            IAControls:  ECSC-1


            Check Content: 

            Open Internet Explorer. From the menu bar select Tools. From the Tools drop-down menu, select Internet Options. From the Internet Options window, select the Advanced tab, from the Advanced tab window scroll down to the Security category, verify a check mark is placed in the "Check for publisher's certificate revocation" box.


            Procedure: Use the Windows Registry Editor to navigate to the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing


            Criteria: If the value State is REG_DWORD = 65536 (decimal), this is not a finding.


            Fix Text: Check mark the option to enable "Check for publisher's certificate revocation" in the Internet Explorer Options, Advanced page. NOTE: Manual entry for the value State, set to REG_DWORD = 65536, may first be required.

            • 3. Re: HKEY_CURRENT_USER registry keys
              Joe Piotrowski

              So would this be a manual check? I wasn't sure if this information was being stored elsewhere in the registry, or if there was another way I wasn't aware of to check for this.

              • 4. Re: HKEY_CURRENT_USER registry keys

                I believe that HKEY_CURRENT_USER is a link to HKEY_USER\[SID]\…\…

                The challenge will be getting all the different SIDs … And checking the entry recursively …

                • 5. Re: HKEY_CURRENT_USER registry keys

                  Jae is correct. Also the {SID} would exist if the user was logged in. If you also want to make this change for all potential new users that may log into this server, make the same change to HKEY_USERS\.DEFAULT as well.

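The approach from replies 4 and 5, as an added example that is not part of the thread or of BladeLogic: a read-only PowerShell script that enumerates the hives loaded under HKEY_USERS (each SID plus .DEFAULT) and reports, for each one, whether the DTBI018 value `State` equals 65536 under the Software Publishing key quoted in reply 2. The function and variable names are my own; the key path and expected value come from the STIG text above.

```powershell
# Added example, not from the original thread. Walks every hive loaded under
# HKEY_USERS and checks the DTBI018 criterion (State == 65536, REG_DWORD) under
# the Software Publishing key. Read-only: it reports, it does not remediate.

$SubKey        = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$ExpectedState = 65536   # decimal value from the STIG criteria quoted in the thread

# Windows PowerShell does not mount an HKU: drive by default; create one for HKEY_USERS.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Test-PublisherRevocationCheck {
    # $HiveName is a SID such as S-1-5-21-... or the literal .DEFAULT (hypothetical helper name)
    param([Parameter(Mandatory)][string]$HiveName)

    $path   = "HKU:\$HiveName\$SubKey"
    $result = [pscustomobject]@{ Hive = $HiveName; State = $null; Compliant = $false; Note = '' }

    if (-not (Test-Path -LiteralPath $path)) {
        # Matches the STIG Fix Text note: the value may have to be created manually.
        $result.Note = 'key missing; manual entry of State may be required'
        return $result
    }

    $item = Get-ItemProperty -LiteralPath $path -Name State -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $result.Note = 'State value missing'
        return $result
    }

    $result.State     = $item.State
    $result.Compliant = ($item.State -eq $ExpectedState)
    return $result
}

# Skip the *_Classes hives: they hold per-user file associations, not these settings.
$hives = Get-ChildItem -Path HKU:\ |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    Select-Object -ExpandProperty PSChildName

$hives | ForEach-Object { Test-PublisherRevocationCheck -HiveName $_ } | Format-Table -AutoSize
```

As reply 5 points out, only the hives of users currently logged on (plus .DEFAULT and the built-in service accounts) appear under HKEY_USERS, so a profile that is not loaded is not examined by this script; run it under an account with read access to HKEY_USERS, and treat a `.DEFAULT` row as the baseline that new users will inherit.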