XPlantefeve · January 22, 2019 06:33
diff --git a/registryHives.ps1 b/registryHives.ps1
 Function Get-Profiles 
 {
  <#
      .SYNOPSIS
      Gives a list of locally saved user profiles.

      .DESCRIPTION
      Gets a list of locally used profiles according to the registry and
      returns an object with information about the profile.

      .NOTES
      Requires the Microsoft.PowerShell.LocalAccounts module for the
      Get-LocalUser command.

      .INPUTS
      None

      .OUTPUTS
      An array of PSCustomObjects with the following four properties:
      SID: the user SID
      UserHive: the path to the NTUser.dat file for the user.
      Local: whether the user is a local user or not.
      Loaded: wheter the user hive is currently loaded or not.
  #>


  $ComputerSID = ( Get-LocalUser | Select-Object -First 1 -ExpandProperty SID ).AccountDomainSID.ToString()
  $Profiles = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |
  Select-Object -Property (
    @{Name = 'SID';      Expression = {$_.PSChildName}},
    @{Name = 'UserHive'; Expression = {('{0}\NTuser.dat' -f $_.ProfileImagePath)}},
    @{Name = 'Local';    Expression = {$_.PSChildName -match ('{0}|^S-1-5-\d+$' -f $ComputerSID)}},
    @{Name = 'Loaded';   Expression = { Test-Path -Path ('Registry::HKEY_USERS\{0}' -f $_.PSChildName) }}
  )
  return $Profiles
 }

 function Import-UserRegistryHive 
 {
  <#
      .SYNOPSIS
      Loads offline user(s) registry hive(s)

      .PARAMETER SID
      The user SID

      .PARAMETER UserHive
      The hive (NTUSER.dat) file path for the user.

      .EXAMPLE
      Import-UserRegistryHive -SID S-1-5... -UserHive C:\Users\johndoe.Domain\NTUSER.dat
      
      Accept pipeline if the objects have the correct properties:
      $Profiles | Import-UserRegistryHive

      .INPUTS
      Strings

      .OUTPUTS
      None
  #>


  [CmdletBinding()]
  param(
    [parameter(Mandatory,ValueFromPipelineByPropertyName,Position = 0)]
    [String]$SID,
    [parameter(Mandatory,ValueFromPipelineByPropertyName,Position = 1)]
    [String]$UserHive
  )
  process {
    Start-Process -FilePath 'REG.EXE' -ArgumentList ('LOAD HKU\{0} {1}' -f $SID, $UserHive) -Wait -WindowStyle Hidden
  }
 }

 # Unloads offline registry hive
 function Remove-UserRegistryHive () 
 {
  <#
      .SYNOPSIS
      Unloads user(s) registry hive(s)

      .PARAMETER SID
      The user SID

      .EXAMPLE
      Remove-UserRegistryHive -SID S-1-5...
      
      Accept pipeline if the objects have the correct properties:
      $Profiles | Remove-UserRegistryHive

      .INPUTS
      String

      .OUTPUTS
      None
  #>


  [CmdletBinding()]
  param(
    [parameter(Mandatory,ValueFromPipelineByPropertyName,Position = 0)]
    [String]$SID
  )
  process {
    Start-Process -FilePath 'REG.EXE' -ArgumentList ('UNLOAD HKU\{0}' -f $SID) -Wait -WindowStyle Hidden
    [gc]::collect()
  }
 }
	Function Get-Profiles
	{
	<#
	.SYNOPSIS
	Gives a list of locally saved user profiles.

	.DESCRIPTION
	Gets a list of locally used profiles according to the registry and
	returns an object with information about the profile.

	.NOTES
	Requires the Microsoft.PowerShell.LocalAccounts module for the
	Get-LocalUser command.

	.INPUTS
	None

	.OUTPUTS
	An array of PSCustomObjects with the following four properties:
	SID: the user SID
	UserHive: the path to the NTUser.dat file for the user.
	Local: whether the user is a local user or not.
	Loaded: wheter the user hive is currently loaded or not.
	#>


	$ComputerSID = ( Get-LocalUser \| Select-Object -First 1 -ExpandProperty SID ).AccountDomainSID.ToString()
	$Profiles = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' \|
	Select-Object -Property (
	@{Name = 'SID'; Expression = {$_.PSChildName}},
	@{Name = 'UserHive'; Expression = {('{0}\NTuser.dat' -f $_.ProfileImagePath)}},
	@{Name = 'Local'; Expression = {$_.PSChildName -match ('{0}\|^S-1-5-\d+$' -f $ComputerSID)}},
	@{Name = 'Loaded'; Expression = { Test-Path -Path ('Registry::HKEY_USERS\{0}' -f $_.PSChildName) }}
	)
	return $Profiles
	}

	function Import-UserRegistryHive
	{
	<#
	.SYNOPSIS
	Loads offline user(s) registry hive(s)

	.PARAMETER SID
	The user SID

	.PARAMETER UserHive
	The hive (NTUSER.dat) file path for the user.

	.EXAMPLE
	Import-UserRegistryHive -SID S-1-5... -UserHive C:\Users\johndoe.Domain\NTUSER.dat

	Accept pipeline if the objects have the correct properties:
	$Profiles \| Import-UserRegistryHive

	.INPUTS
	Strings

	.OUTPUTS
	None
	#>


	[CmdletBinding()]
	param(
	[parameter(Mandatory,ValueFromPipelineByPropertyName,Position = 0)]
	[String]$SID,
	[parameter(Mandatory,ValueFromPipelineByPropertyName,Position = 1)]
	[String]$UserHive
	)
	process {
	Start-Process -FilePath 'REG.EXE' -ArgumentList ('LOAD HKU\{0} {1}' -f $SID, $UserHive) -Wait -WindowStyle Hidden
	}
	}

	# Unloads offline registry hive
	function Remove-UserRegistryHive ()
	{
	<#
	.SYNOPSIS
	Unloads user(s) registry hive(s)

	.PARAMETER SID
	The user SID

	.EXAMPLE
	Remove-UserRegistryHive -SID S-1-5...

	Accept pipeline if the objects have the correct properties:
	$Profiles \| Remove-UserRegistryHive

	.INPUTS
	String

	.OUTPUTS
	None
	#>


	[CmdletBinding()]
	param(
	[parameter(Mandatory,ValueFromPipelineByPropertyName,Position = 0)]
	[String]$SID
	)
	process {
	Start-Process -FilePath 'REG.EXE' -ArgumentList ('UNLOAD HKU\{0}' -f $SID) -Wait -WindowStyle Hidden
	[gc]::collect()
	}
	}