Holy cow, I wrote a book!
Via the suggestion box,
Aaron Lerch asks whether
a non-administrator can
retrieve/evaluate environment variables as
they would appear for another user.
This falls into the category of asking for a security hole as a
feature, specifically an information disclosure security hole,
because you are extracting information from a user's private data
which has security access controls that do not grant everybody access.
users have full access to their data,
as does the operating system itself,
but nobody else.
Administrators can get access to the data by
taking ownership and modifying the ACL
or using security overrides like
but that's the general idea.
And certainly, unprivileged users don't have access to the data
from other unprivileged users.
The way to get a user's initial environment variables
is to call the
function, passing the token of the user you are interested in.
Note that it's more than just scraping the registry,
because you also have to take into account group policy objects
and the possibility that the information in the registry is
incorrect because it is a stale
cached roaming profile.