Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original URL: http://stackoverflow.com/questions/2919286/

Time: 2020-09-09 07:21:14  Source: igfitidea

Getting the Username from the HKEY_USERS values

windows vbscript registry wmi

Asked by modz0r

Is there a way to connect between the values under HKEY_USERS to the actual username?
I saw some similar questions, but most (if not all) talk about C# code, and my need is in VBScript.

Answered by Hans Olsson

If you look at either of the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

You can find a list of the SIDs there with various values, including their "home paths", which include their usernames.

I'm not sure how dependable this is and I wouldn't recommend messing about with this unless you're really sure what you're doing.

Answered by dcharles

It is possible to query this information from WMI. The following command will output a table with a row for every user along with the SID for each user.

wmic useraccount get name,sid

You can also export this information to CSV:

wmic useraccount get name,sid /format:csv > output.csv

I have used this on Vista and 7. For more information see WMIC - Take Command-line Control over WMI.

Answered by Stone

  1. Open Reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\

  2. Make a loop to get all subkeys.

  3. The subkeys you are interested in are those starting with [S-1-5-21-], which means user (see key name [ProfileImagePath]; they always start with a path c:\Users).

  4. Those starting with [S-1-5-21-12] are all local users.

  5. Those starting with [S-1-5-21-13] are all network users [if joined to a domain network] that have previously logged on to the machine.

Answered by Alan Frank

By searching for my userid in the registry, I found

HKEY_CURRENT_USER\Volatile Environment\Username

Answered by JohnLBevan

You can use the command PSGetSid from Microsoft's SysInternals team.

Download URL: http://technet.microsoft.com/en-gb/sysinternals/bb897417.aspx

Usage:

psgetsid [\\computer[,computer[,...] | @file] [-u username [-p password]]] [account|SID]
-u          Specifies optional user name for login to remote computer.
-p          Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
Account     PsGetSid will report the SID for the specified user account rather than the computer.
SID         PsGetSid will report the account for the specified SID.
Computer    Direct PsGetSid to perform the command on the remote computer or computers specified. If you omit the computer name PsGetSid runs the command on the local system, and if you specify a wildcard (\\*), PsGetSid runs the command on all computers in the current domain.
@file       PsGetSid will execute the command on each of the computers listed in the file.

Example:

psgetsid S-1-5-21-583907252-682003330-839522115-63941

NB:

  • Where the user is a domain/AD(LDAP) user, running this on any computer on the domain should give the same results.
  • Where the user is local to the machine the command should either be run on that machine, or you should specify the computer via the optional parameter.

Update

If you use PowerShell, the following may be useful for resolving any AD users listed:

#create a drive for HKEY_USERS:
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue

#List all immediate subfolders
#where they're a folder (not a key)
#and they're an SID (i.e. exclude .DEFAULT and SID_Classes entries)
#return the SID
#and return the related AD entry (should one exist).
#Get-ADUser requires the ActiveDirectory module (RSAT).
Get-ChildItem -Path 'HKU:\' `
| ?{($_.PSIsContainer -eq $true) `
-and ($_.PSChildName -match '^S-[\d-]+$')} `
| select @{N='SID';E={$_.PSChildName}} `
, @{N='Name';E={Get-ADUser $_.PSChildName | select -expand Name}}

You could also refine the SID filter further to only pull back those SIDs which will resolve to an AD account if you wished; more on the SID structure here: https://technet.microsoft.com/en-us/library/cc962011.aspx

Answered by Bobby Kearan

In the HKEY_USERS\oneyouwanttoknow\ you can look at \Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders and it will reveal their profile paths. c:\users\whothisis\Desktop, etc.

Answered by DaLua

for /f "tokens=8 delims=\" %a in ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist" ^| find "UsrClass.dat"') do echo %a

Answered by spadge

Done it, by a bit of creative programming,

  1. Enum the Keys in HKEY_USERS for those funny number keys...

  2. Enum the keys in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\

and you will find the same numbers.... Now in those keys look at the String value: ProfileImagePath = "SomeValue" where the values are either:

"%systemroot%\system32\config\systemprofile"... not interested in this one... as it's not a directory path...

%SystemDrive%\Documents and Settings\LocalService - "Local Services"
%SystemDrive%\Documents and Settings\NetworkService "NETWORK SERVICE"

or

%SystemDrive%\Documents and Settings\USER_NAME, which translates directly to the "USERNAME" values in most un-tampered systems, i.e. where the user has not changed their user name after a few weeks or altered the paths explicitly...
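
The ProfileList walk described in the answers above, as an added PowerShell example (not code from any of the answers): it resolves each profile SID through the Windows account lookup rather than reading the name off the folder, and flags profiles whose folder name differs from the account name or whose SID no longer resolves. The function name Resolve-SidToAccount is hypothetical.

```powershell
# Added example: map every profile SID to an account name and report where
# the profile folder name is not a reliable stand-in for the account name.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Resolve-SidToAccount {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        # Deleted account or unreachable domain: the SID has no name to return.
        $null
    }
}

Get-ChildItem -Path $profileList |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid     = $_.PSChildName
        $path    = $_.GetValue('ProfileImagePath')   # environment variables are expanded
        $folder  = if ($path) { Split-Path -Path $path -Leaf } else { $null }
        $account = Resolve-SidToAccount -Sid $sid

        if (-not $account) {
            $status = 'SID does not resolve'
        }
        elseif ($folder -ne ($account -split '\\')[-1]) {
            # Account is DOMAIN\name; a renamed user keeps the old folder name.
            $status = 'folder differs from account name'
        }
        else {
            $status = 'ok'
        }

        [pscustomobject]@{
            SID         = $sid
            Account     = $account
            ProfilePath = $path
            LoadedInHKU = Test-Path -Path "Registry::HKEY_USERS\$sid"
            Status      = $status
        }
    }
```

LoadedInHKU is true only for profiles whose hive is currently mounted under HKEY_USERS, which is why that key usually lists fewer SIDs than ProfileList.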

Answered by SW_user2953243

The proper way to do this requires leveraging the SAM registry hive (on Windows 10, this requires NT AUTHORITY\SYSTEM privileges). The information you require is in the key: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names.

Each subkey is the username, and the default value in each subkey is a binary integer. This value (converted to decimal) actually corresponds to the last chunk of the SID.

Take "Administrator" for example, by default it is associated with the integer 0x1f4 (or 500).

So, in theory you could build a list of SIDs based on the subkey names of the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList key and/or HKEY_USERS key, parse out the value after the last hyphen (-), and compare that to the info from the SAM hive.

If you don't have NT AUTHORITY\SYSTEM privileges, the next best way to approach this may be to follow the other method described in the answers here.

reference: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab
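
An added example (not from the answer) of the RID comparison described above, done without reading the SAM hive: it assumes the Get-LocalUser cmdlet (Windows PowerShell 5.1 or later) as the source of local account RIDs in place of HKLM\SAM, and it checks the domain part of each ProfileList SID before trusting a RID match.

```powershell
# Added example. Get-LocalUser stands in for the SAM hive (assumption: the
# Microsoft.PowerShell.LocalAccounts module is available), so SYSTEM is not needed.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Index local accounts by RID, the last chunk of the SID (500 = built-in Administrator).
$localUsers = @(Get-LocalUser)
$localByRid = @{}
foreach ($user in $localUsers) {
    $localByRid[($user.SID.Value -split '-')[-1]] = $user.Name
}

# All local accounts share one domain identifier: the machine's own SID.
$machineSid = $localUsers[0].SID.AccountDomainSid.Value

Get-ChildItem -Path $profileList |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid     = New-Object System.Security.Principal.SecurityIdentifier($_.PSChildName)
        $rid     = ($sid.Value -split '-')[-1]
        $isLocal = ($sid.AccountDomainSid.Value -eq $machineSid)

        # A RID is unique only within its domain, so look it up in the local
        # account index only when the domain part is this machine's.
        $name  = $null
        $scope = 'domain or other machine'
        if ($isLocal) {
            $scope = 'local'
            $name  = $localByRid[$rid]   # stays $null if the local account was deleted
        }

        [pscustomobject]@{
            SID       = $sid.Value
            DomainSid = $sid.AccountDomainSid.Value
            RID       = [int64]$rid
            Scope     = $scope
            LocalName = $name
        }
    }
```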
