Hi
I have some experience (about 6 months), and I made some expertises for some companies, but I have a weird problem.
I'm analyzing a hard disk where the content of the SAM file and C:\Documents & Settings doesn't match. In Doc & Sett I see a profile called e.g. "newprofile", but I don't see "newprofile" in the SAM file.
I checked the creation date of the SAM file, and I know that this file wasn't deleted and "recreated". My next idea: maybe someone copied the profile folder from another hard disk. But NTUSER.dat was modified! And the content of the Recent folder too!
How? I temporarily can't check the HDD in VMware, but how can someone log in to this account without an entry in the SAM file? 😯
(Sorry for my English, hope you understand)
The SAM hive maintains local accounts, but not domain accounts.
Check the SID for the profile by accessing the Software hive and looking at the ProfileList key subkeys.
No, I checked it - this account doesn't belong to any domain, there is no info about any domain elsewhere in the registry. It's a local account.
So, my conclusion is that the profile folder was copied from another PC.
Did you run Regslack against the SAM hive?
Is the account listed in the ProfileList key?
How does the account SID compare to the SID on the Administrator account?
If the profile was copied from another hard drive then that should become obvious from the created dates of the files in the profile.
If this is not the case have you considered whether the user has been renamed?
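The SID comparison suggested in the replies above (ProfileList subkeys checked against the Administrator SID and the SAM user keys), as an added example that is not part of any post in this thread. All SIDs, RIDs and folder names are constructed sample values, and the function names are hypothetical.

```python
import struct

def sid_from_bytes(raw):
    """Decode a binary SID (the form stored in a ProfileList 'Sid' value)."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def split_sid(sid):
    """'S-1-5-21-a-b-c-1005' -> ('S-1-5-21-a-b-c', 1005)"""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)

def classify_profiles(profile_list, admin_sid, sam_user_keys, folders):
    """profile_list: {SID subkey name: profile folder name}; sam_user_keys: hex RID
    key names under SAM\\Domains\\Account\\Users; folders: names seen on disk."""
    machine_prefix, _ = split_sid(admin_sid)          # Administrator is RID 500
    sam_rids = {int(k, 16) for k in sam_user_keys}
    findings = {f: "no ProfileList entry" for f in folders}
    for sid, folder in profile_list.items():
        prefix, rid = split_sid(sid)
        if not sid.startswith("S-1-5-21-"):
            findings[folder] = "built-in or service profile"
        elif prefix != machine_prefix:
            findings[folder] = "SID not issued by this machine"
        elif rid in sam_rids:
            findings[folder] = "local account present in SAM"
        else:
            findings[folder] = "local SID, no matching SAM entry"
    return findings

# Constructed sample data (not taken from the case in this thread).
MACHINE = "S-1-5-21-1111111111-2222222222-3333333333"
RAW_SID = struct.pack("<BB", 1, 5) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1005)
PROFILES = {
    "S-1-5-18": "systemprofile",
    MACHINE + "-500": "Administrator",
    sid_from_bytes(RAW_SID): "olduser",                        # RID 1005
    "S-1-5-21-1444444444-555555555-666666666-1003": "newprofile",
}
SAM_KEYS = ["000001F4", "000001F5", "000003E8"]                # 500, 501, 1000
FOLDERS = ["Administrator", "olduser", "newprofile", "copiedprofile"]

if __name__ == "__main__":
    for name, verdict in classify_profiles(
            PROFILES, MACHINE + "-500", SAM_KEYS, FOLDERS).items():
        print("%-15s %s" % (name, verdict))
```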
H