Description
Checklist
- I have searched for existing issues/discussions and didn't find any similar ones.
- I haven't used any other scripts, tools or programs that might have caused this issue.
Windows version
24H2
Script mode/options
doesn't matter
Describe the issue
In enterprise software deployment it is common that scripts and packages are executed under the SYSTEM account.
I noticed the whole routine for regimport falls apart, no matter which mode (sysprep / user).
Steps to reproduce
Run Win11Debloat under the System Account with any parameter.
This will always fail:

```powershell
$defaultUserPath = $env:USERPROFILE -Replace ('\\' + $env:USERNAME + '$'), '\Default\NTUSER.DAT'
```
Error output
No response
Additional context
I'm deploying Win11Debloat with an additional wrapper, which runs the debloat with sysprep first, then for the currently logged-in user, and after that for all other user accounts found on that machine.
All under the SYSTEM account.
I rewrote the whole method to handle all of the above situations.
It's not pretty, I know.
```powershell
# Get SID for the input username ($User is set by the calling wrapper)
$NTAccount = New-Object System.Security.Principal.NTAccount($User)
$SID = $NTAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Get profile path from registry
$ProfilePath = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$SID" -ErrorAction Stop).ProfileImagePath
$NtUserDat = Join-Path $ProfilePath "NTUSER.DAT"

# Import & execute regfile
function RegImport {
    param (
        $message,
        $path
    )

    Write-Output $message

    if ($script:Params.ContainsKey("Sysprep")) {
        Write-Output "sysprep mode"
        #$defaultUserPath = $env:USERPROFILE -Replace ('\\' + $env:USERNAME + '$'), '\Default\NTUSER.DAT'

        # Path to Default User hive
        $DefaultUserHive = "C:\Users\Default\NTUSER.DAT"
        $TempHiveName = "TempDefaultUser"

        # Load the hive into HKEY_USERS
        reg load "HKEY_USERS\$TempHiveName" $DefaultUserHive

        # Path to your reg file
        $RegFile = "$PSScriptRoot\Regfiles\$path"

        # Read REG file content
        $Content = Get-Content -Path $RegFile -Raw

        # Replace HKCU with the temporarily loaded hive
        $PatchedContent = $Content -replace 'HKEY_CURRENT_USER', "HKEY_USERS\$TempHiveName"

        # Write to a temporary reg file
        $TempRegFile = [IO.Path]::Combine([IO.Path]::GetTempPath(), [IO.Path]::GetRandomFileName() + ".reg")
        Set-Content -Path $TempRegFile -Value $PatchedContent -Encoding Unicode

        # Import into registry
        Start-Process -FilePath reg.exe -ArgumentList "import `"$TempRegFile`"" -Wait -NoNewWindow
        Write-Output "Registry imported for Default ($TempHiveName)"
        reg unload "HKEY_USERS\$TempHiveName" | Out-Null

        # Cleanup
        Remove-Item -Path $TempRegFile -Force -ErrorAction SilentlyContinue

        #reg load "HKU\Default" $defaultUserPath | Out-Null
        #reg import "$PSScriptRoot\Regfiles\Sysprep\$path"
        #reg unload "HKU\Default" | Out-Null
    }
    elseif ($script:Params.ContainsKey("User")) {
        #$userPath = $actualuserprofile -Replace ('\\' + $UserOnly + '$'), "\$($script:Params.Item("User"))\NTUSER.DAT"
        Write-Output "user mode"
        Write-Output "Active user: $User"
        Write-Output "SID: $SID"

        # Path to your reg file
        $RegFile = "$PSScriptRoot\Regfiles\$path"

        # Read REG file content
        $Content = Get-Content -Path $RegFile -Raw

        # Replace HKCU with HKU\<SID>
        $PatchedContent = $Content -replace 'HKEY_CURRENT_USER', "HKEY_USERS\$SID"

        # Write to a temporary reg file
        $TempRegFile = [IO.Path]::Combine([IO.Path]::GetTempPath(), [IO.Path]::GetRandomFileName() + ".reg")
        Set-Content -Path $TempRegFile -Value $PatchedContent -Encoding Unicode

        if (Test-Path "Registry::HKEY_USERS\$SID") {
            # Hive of a logged-in user is already mounted, import directly
            Write-Output "$SID currently mounted, start import"
            Start-Process -FilePath reg.exe -ArgumentList "import `"$TempRegFile`"" -Wait -NoNewWindow
            Write-Output "Registry imported for $User ($SID)"
        }
        else {
            # Hive of a logged-off user, mount it first and unload afterwards
            Write-Output "$SID not currently mounted, mount first."
            reg load "HKEY_USERS\$SID" $NtUserDat
            Start-Process -FilePath reg.exe -ArgumentList "import `"$TempRegFile`"" -Wait -NoNewWindow
            reg unload "HKEY_USERS\$SID" | Out-Null
        }

        # Cleanup
        Remove-Item -Path $TempRegFile -Force -ErrorAction SilentlyContinue
        if (-not (Test-Path $TempRegFile)) {
            Write-Output "Temp file removed."
        }
        else {
            Write-Output "$TempRegFile could not be deleted!"
        }

        # reg load "HKU\Default" $userPath | Out-Null
        # reg import "$PSScriptRoot\Regfiles\Sysprep\$path"
        # reg unload "HKU\Default" | Out-Null
    }
    else {
        reg import "$PSScriptRoot\Regfiles\$path"
    }

    Write-Output ""
}
```
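The following is an added example (not Win11Debloat's code and not the reporter's wrapper) that condenses the approach above into one function, with the points a deployment engineer would want handled: the target is resolved to a SID or to the default profile from the ProfileList key instead of `$env:USERPROFILE` (which points at the SYSTEM profile when run as SYSTEM), the hive is loaded only if it is not already mounted, reg.exe exit codes are checked, only `[HKEY_CURRENT_USER\...]` key headers are rewritten (value data is left alone), and the temp file and the loaded hive are always cleaned up in `finally`. The function name, parameter names and the `TempDefaultUser` mount name are assumptions of this example; it assumes reg.exe on PATH and an elevated or SYSTEM context.

```powershell
# Added example, not part of Win11Debloat: import an HKCU-style .reg file into a given
# user's hive (or the default profile hive) while running as SYSTEM.
function Import-RegFileIntoUserHive {
    param (
        [Parameter(Mandatory)] [string] $RegFile,
        # A user name (DOMAIN\user or user), or the literal 'Default' for the default profile hive.
        [Parameter(Mandatory)] [string] $User
    )

    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    if ($User -eq 'Default') {
        # Resolve the default profile from the registry instead of hardcoding C:\Users\Default.
        $rawDefault = (Get-ItemProperty -Path $profileList -Name Default -ErrorAction Stop).Default
        $hivePath = Join-Path ([Environment]::ExpandEnvironmentVariables($rawDefault)) 'NTUSER.DAT'
        $hiveKey  = 'TempDefaultUser'   # assumed mount name under HKEY_USERS while loaded
    }
    else {
        # Translate the account to its SID; works for local and domain accounts the machine can resolve.
        $sid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        $profilePath = (Get-ItemProperty -Path (Join-Path $profileList $sid) -ErrorAction Stop).ProfileImagePath
        $hivePath = Join-Path ([Environment]::ExpandEnvironmentVariables($profilePath)) 'NTUSER.DAT'
        $hiveKey  = $sid
    }

    # A logged-on user's hive is already mounted under HKEY_USERS\<SID>; only load it ourselves if not.
    $alreadyLoaded = Test-Path "Registry::HKEY_USERS\$hiveKey"
    $tempRegFile = $null
    try {
        if (-not $alreadyLoaded) {
            & reg.exe load "HKU\$hiveKey" $hivePath | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hivePath (exit code $LASTEXITCODE)" }
        }

        # Rewrite only key headers, including deletion headers like [-HKEY_CURRENT_USER\...],
        # so that value data containing the string HKEY_CURRENT_USER is not touched.
        # $1 is kept literal (single quotes) for the .NET replacement engine; SIDs and the
        # mount name contain no '$', so the replacement text needs no further escaping.
        $content     = Get-Content -Path $RegFile -Raw
        $replacement = '[$1HKEY_USERS\' + $hiveKey + '\'
        $patched     = $content -replace '(?m)^\[(-?)HKEY_CURRENT_USER\\', $replacement

        # Staged in the caller's temp directory (%WINDIR%\Temp when running as SYSTEM).
        $tempRegFile = [IO.Path]::Combine([IO.Path]::GetTempPath(), [IO.Path]::GetRandomFileName() + '.reg')
        # "Windows Registry Editor Version 5.00" files are UTF-16 LE; -Encoding Unicode writes that.
        Set-Content -Path $tempRegFile -Value $patched -Encoding Unicode

        & reg.exe import $tempRegFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg import failed for $RegFile (exit code $LASTEXITCODE)" }
        Write-Output "Imported $RegFile into HKU\$hiveKey"
    }
    finally {
        if ($tempRegFile) { Remove-Item -Path $tempRegFile -Force -ErrorAction SilentlyContinue }
        if (-not $alreadyLoaded) {
            # Open handles (e.g. from touching the hive through the PS registry provider) block unload.
            [GC]::Collect(); [GC]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$hiveKey" | Out-Null
        }
    }
}

# Usage from a wrapper running as SYSTEM (paths are constructed for this example):
# Import-RegFileIntoUserHive -RegFile "$PSScriptRoot\Regfiles\Example.reg" -User 'Default'
# Import-RegFileIntoUserHive -RegFile "$PSScriptRoot\Regfiles\Example.reg" -User 'CONTOSO\alice'
```

Two points worth keeping in mind when adapting this: the exit-code checks matter because a failed `reg load` followed by an unconditional `reg import` would otherwise write into an unmounted `HKU\<SID>` path rather than the user's hive, and because the import runs with SYSTEM privileges, the staged .reg file should stay in a location that non-administrators cannot modify between `Set-Content` and `reg import` (the SYSTEM account's own temp directory satisfies that; a user-writable folder would not).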