To reference the Local System’s registry hive or profile directory, use HKEY_CURRENT_USER or %USERPROFILE%. The registry hive is located at HKEY_USERS\S-1-5-18 and the profile directory at %SYSTEMROOT%\system32\config\systemprofile.
Listed below are three options for writing scripts for remote execution when targeting other users’ profiles.
Option 1
When targeting a currently-logged-in account specifically, the script should check the owner of every running instance of explorer.exe. Running processes are instances of the Win32_Process WMI class, which has a convenient GetOwner method. This method is documented by Microsoft (https://msdn.microsoft.com/en-us/library/aa394372(v=vs.85).aspx).
Option 2
When targeting all users who have active profiles on the system, as an alternative it is possible to iterate over the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
The subkeys of ProfileList are the SIDs of each user who has logged into the system, and each of those keys has relevant values like ProfileImagePath, which defines that user's %USERPROFILE% environment variable, as per https://technet.microsoft.com/en-us/library/cc775560(v=ws.10).aspx#sectionSection3
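One way to combine Options 1 and 2 in PowerShell, as an added example that is not from the original page: it reads each profile's SID and path from ProfileList and flags which of those accounts own a running explorer.exe. It uses GetOwnerSid, the SID-returning sibling of GetOwner on Win32_Process, so the results match the ProfileList subkey names; the variable names, the service-account filter and the output shape are assumptions.

```powershell
# Added example (not from the original page). Intended to run as Local System.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$serviceSids    = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'  # LocalSystem, LocalService, NetworkService

# Option 1: SIDs of the accounts that own a running explorer.exe.
$loggedOnSids = @(
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'explorer.exe'" |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwnerSid
            if ($owner.ReturnValue -eq 0) { $owner.Sid }
        } | Sort-Object -Unique
)

# Option 2: one ProfileList subkey per SID that has a profile on this machine.
$userProfiles = foreach ($key in Get-ChildItem -Path $profileListKey) {
    $sid = $key.PSChildName
    # Skip service accounts and subkeys whose name is not a plain SID (e.g. "<SID>.bak").
    if ($sid -in $serviceSids -or $sid -notmatch '^S-1-\d+(-\d+)+$') { continue }

    # ProfileImagePath is what %USERPROFILE% resolves to for that user.
    $path = $key.GetValue('ProfileImagePath')
    if (-not $path) { continue }

    [pscustomobject]@{
        Sid         = $sid
        ProfilePath = $path
        PathExists  = Test-Path -LiteralPath $path -PathType Container
        LoggedOn    = $sid -in $loggedOnSids
        # The user's HKCU is reachable as HKEY_USERS\<SID> only while the hive is loaded.
        HiveLoaded  = Test-Path -LiteralPath "Registry::HKEY_USERS\$sid"
    }
}

$userProfiles | Format-Table -AutoSize
```

Checking HiveLoaded before writing to HKEY_USERS\<SID> avoids silently creating keys under a hive that is not mounted; PathExists catches ProfileList entries whose directory has been deleted.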
Option 3
An even simpler, though less precise, approach is to have the script iterate over every subdirectory of %SYSTEMROOT%\users and perform the relevant tasks on each one, whether or not the subdirectory belongs to an actual user.