If I call
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
in a batch script then the correct result is displayed:
ShowTabletKeyboard REG_DWORD 0x0
LastLoggedOnProvider REG_SZ {???}
LastLoggedOnSAMUser REG_SZ foo\bar
LastLoggedOnUser REG_SZ .\bar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\BootAnimation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LogonSoundPlayed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData
If I run the command above from within a C program (mingw):
#include <stdio.h>
#include <stdlib.h>  /* system() is declared here */
int main(void) {
    /* Runs reg.exe through the command interpreter of this process's bitness */
    system("REG QUERY HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI");
    return (0);
}
the output is
ShowTabletKeyboard REG_DWORD 0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\BootAnimation
Where is the rest of the output? Which permissions are wrong? I am interested in the key LastLoggedOnUser. Many thanks in advance.
This is the action of the registry redirector. You have a 64 bit system. The batch file is executed by the native 64 bit command interpreter. But your C program is 32 bit, and the system command runs as a 32 bit process. That happens because of the file redirector which translates system32 to syswow64 when you run a 32 bit process on 64 bit Windows.
All this means that the C program is reading out of the 32 bit view of the registry. Your attempt to read HKLM\Software is redirected to HKLM\Software\Wow6432Node.
The ideal solution would be to stop using system and use the native Windows API functions to access the registry. Then you could specify that you want to read from the 64 bit view of the registry and you could gain access to that even from a 32 bit process.
An utterly revolting hack would be to get your system command to start %SystemRoot%\Sysnative\reg.exe which would force the use of the 64 bit version of reg.
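The native-API route described in the answer above, as an added example that is not part of the original answer: it opens the LogonUI key with an explicit KEY_WOW64_64KEY view flag so a 32 bit build reads the 64 bit view. The helper names sam_for_view and read_logonui_value are hypothetical, and the non-Windows branch exists only so the flag logic compiles elsewhere.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else /* assumption: winnt.h values, so the flag logic also builds off Windows */
#define KEY_READ        0x20019
#define KEY_WOW64_64KEY 0x0100
#define KEY_WOW64_32KEY 0x0200
#endif

/* Access mask for RegOpenKeyEx: KEY_READ plus an explicit view selector,
   so WOW64 redirection never chooses the registry view for us. */
unsigned long sam_for_view(int want64)
{
    return KEY_READ | (want64 ? KEY_WOW64_64KEY : KEY_WOW64_32KEY);
}

/* Copies a REG_SZ value under ...\Authentication\LogonUI into out.
   Returns 0 on success, a Win32 error code on failure, -1 off Windows. */
long read_logonui_value(const char *name, int want64, char *out, unsigned long outlen)
{
#ifdef _WIN32
    HKEY key;
    DWORD type = 0, len;
    LONG rc;
    if (outlen == 0) return ERROR_INSUFFICIENT_BUFFER;
    len = outlen - 1;                 /* keep one byte for the terminator */
    rc = RegOpenKeyExA(HKEY_LOCAL_MACHINE,
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI",
        0, sam_for_view(want64), &key);
    if (rc != ERROR_SUCCESS) return rc;
    rc = RegQueryValueExA(key, name, NULL, &type, (LPBYTE)out, &len);
    RegCloseKey(key);
    if (rc != ERROR_SUCCESS) return rc;
    if (type != REG_SZ) return ERROR_INVALID_DATA;
    out[len] = '\0';                  /* stored strings may lack a terminator */
    return 0;
#else
    (void)name; (void)want64; (void)out; (void)outlen;
    return -1;
#endif
}

int main(void)
{
    char user[256];
    long rc = read_logonui_value("LastLoggedOnUser", 1, user, sizeof user);
    if (rc != 0) { fprintf(stderr, "registry read failed: %ld\n", rc); return 1; }
    printf("LastLoggedOnUser = %s\n", user);
    return 0;
}
```

With mingw this links against advapi32 (add -ladvapi32 if your toolchain does not pull it in by default).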