
Where can I find the unlogged-on users' registry data?

I understood that HKEY_CURRENT_USER is actually a pointer to the specific SID of the logged-in user under HKEY_USERS. HKEY_USERS holds only the users that have logged in at least once. Do you know where I can find the unlogged-on users' registry data?


The HKEY_USERS hive contains all users' data. Each sub-hive under HKEY_USERS is named after the SID of the user and contains user-specific data. When a user logs on to the system, Windows loads the sub-hive corresponding to the logged-on user's SID from HKEY_USERS into HKEY_CURRENT_USER.

So, if you want to access another (not logged-in) user's data, you can do so by directly accessing the HKEY_USERS\sid-of-user\ hive. Now, the question is how to get the SID of a username. To do this, you need to enumerate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList hive. Each registry key under this hive is an SID. The value ProfileImagePath gives the username associated with it.

Examples:
http://support.microsoft.com/kb/154599
http://support.microsoft.com/kb/243330
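
The lookup described in this answer, as an added PowerShell example (not part of the original post): it enumerates ProfileList, pairs each SID with its ProfileImagePath and resolved account name, and reports whether a key for that SID is currently present under HKEY_USERS. The function name `Get-ProfileSidMap` and the output property names are made up for this illustration.

```powershell
# Added example: map each profile SID to its profile path and account name,
# and check whether HKEY_USERS\<SID> exists right now.
$profileList = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileSidMap {
    Get-ChildItem -Path $profileList | ForEach-Object {
        $sid  = $_.PSChildName                      # the subkey name is the SID string
        $path = $_.GetValue('ProfileImagePath')     # profile folder for that SID

        # Resolve the SID to an account name. Subkeys that are not valid SIDs
        # and accounts that no longer exist fail here and are left as $null.
        $account = $null
        try {
            $sidObj  = [System.Security.Principal.SecurityIdentifier]$sid
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $null
        }

        [pscustomobject]@{
            Sid         = $sid
            Account     = $account
            ProfilePath = $path
            InHkeyUsers = Test-Path -LiteralPath "Registry::HKEY_USERS\$sid"
        }
    }
}

Get-ProfileSidMap | Sort-Object Sid | Format-Table -AutoSize
```

Rows where `InHkeyUsers` is `False` are the profiles for which the direct `HKEY_USERS\sid-of-user` access described above will not find a key at the moment the script runs.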
