Mystery User Account

7 Posts
4 Users
0 Reactions
658 Views
(@kerwins)
New Member
Joined: 17 years ago
Posts: 4
Topic starter  

Hello all,

I was hoping someone could help shed some light on a little dilemma I am currently facing.

It revolves around XP home edition user accounts. The short story is that there are 3 user created accounts. Two of them check out, i.e. there is the usual profile where one would expect it to be (%systemroot%\Documents and Settings\%username%) and, using EnCase, the Last logon and profile paths and dates all match up.

There is, however, one account that has no profile path or actual profile, but does have a last logon date. As per EnCase, there has been a logon count of 3.
The user in question states he has never used or logged on to the PC. The account is a valid account, and has not been deleted.

So... the question is: has anyone ever come across a situation where there is a valid user account that has no profile, but does have a last logon date?

I will gladly provide the steps I have taken and testing that I have done to anyone who would like more info.

I hope the question makes sense and thanks in advance for any assistance.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I'd start by checking the contents of the ProfileList key, and then using some other tool besides EnCase (such as RegRipper) to validate my findings from the SAM file.

Is it possible that someone deleted the user profile? Do you find any other indications of the user profile anywhere other than in the SAM?

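As an added illustration of the cross-check suggested above (this is example code written for this page, not code from the thread or from RegRipper), the script below pulls the logon fields out of a SAM user key's F value and flags any account whose SAM logon count is non-zero but whose SID has no ProfileList entry. The F value offsets are assumed to follow the layout used by RegRipper's samparse plugin; the machine SID, RIDs, usernames and hive data are all constructed, and reading real SAM and SOFTWARE hives (for example with an offline hive parser such as python-registry) is left to the caller.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks since 1601

def filetime_to_dt(ft):
    """64-bit FILETIME -> aware UTC datetime; 0 and the 'never' sentinel map to None."""
    if ft in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):  # inverse of filetime_to_dt, used only to build the sample below
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_sam_f(f_value):
    """Logon fields of a SAM user key's F value (offsets as in RegRipper's samparse; assumed)."""
    if len(f_value) < 68:
        raise ValueError("F value too short to hold the logon fields")
    last_logon, = struct.unpack_from("<Q", f_value, 8)       # last logon time, FILETIME
    rid, = struct.unpack_from("<I", f_value, 48)             # relative ID of the account
    failed, logons = struct.unpack_from("<HH", f_value, 64)  # bad-password count, logon count
    return {"rid": rid, "last_logon": filetime_to_dt(last_logon),
            "failed_logons": failed, "logon_count": logons}

def build_f(rid, last_logon, logon_count):
    """Constructed F value for the sample below (test fixture, not taken from a real hive)."""
    buf = bytearray(80)
    struct.pack_into("<Q", buf, 8, dt_to_filetime(last_logon))
    struct.pack_into("<I", buf, 48, rid)
    struct.pack_into("<H", buf, 66, logon_count)
    return bytes(buf)

def find_profile_gaps(machine_sid, sam_users, profile_list):
    """RIDs whose SAM record shows logons but whose SID has no ProfileList subkey."""
    gaps = []
    for rid, f_value in sam_users.items():
        rec = parse_sam_f(f_value)
        if rec["logon_count"] > 0 and f"{machine_sid}-{rid}" not in profile_list:
            gaps.append((rid, rec["logon_count"], rec["last_logon"]))
    return gaps

# Constructed sample: a machine SID, two local accounts, and one ProfileList entry.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAM_USERS = {
    1004: build_f(1004, datetime(2008, 3, 12, 9, 15, tzinfo=timezone.utc), 17),
    1005: build_f(1005, datetime(2008, 3, 15, 10, 30, tzinfo=timezone.utc), 3),
}
PROFILE_LIST = {  # SID -> ProfileImagePath, as stored under ProfileList in the SOFTWARE hive
    MACHINE_SID + "-1004": r"%SystemDrive%\Documents and Settings\bob",
}
```

On the sample data, `find_profile_gaps(MACHINE_SID, SAM_USERS, PROFILE_LIST)` returns only RID 1005 with its logon count of 3 and last logon time, which is the same contradiction the original post describes.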
(@cymru100)
Eminent Member
Joined: 18 years ago
Posts: 21
 

This really sounds like they've deleted the profile but not their account. Although, as keydet said, check the ProfileList key - maybe their profile path was on a different drive etc …

(@kerwins)
New Member
Joined: 17 years ago
Posts: 4
Topic starter  

Hi,
Thanks for the response.

I have checked the ProfileList key; nothing there, except for the two users who have logged in.
I considered the deleted profile option and have checked for recovered folders etc. but can't find anything. Windows won't remove the ProfileList key if a user simply deletes the profile.
I have been trying to recreate a scenario where an account is created, never logged in locally, but gets a last logon date. No success yet. I have tried mapping network drives using the user's username, using the runas feature, trying to start a service with the username... the list goes on.
I am also going to start checking the system restore points to see if there is anything in there.

Regards,

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

That's a good thought…get the user's SID and check restore points for any sort of NTUSER.DAT file with that SID…

(@cymru100)
Eminent Member
Joined: 18 years ago
Posts: 21
 

I have checked the ProfileList key; nothing there, except for the two users who have logged in.
I considered the deleted profile option and have checked for recovered folders etc. but can't find anything. Windows won't remove the ProfileList key if a user simply deletes the profile.

If the profile is deleted the "correct way" then the ProfileList key is ALSO DELETED, i.e. System Properties > Advanced > Settings (User Profiles).

If the profile is "deleted" by just browsing to the parent profile folder and deleting it, then as you've said, the ProfileList key will not be removed.

(@xaberx)
Estimable Member
Joined: 17 years ago
Posts: 105
 

If the profile is deleted the "correct way" then the ProfileList key is ALSO DELETED, i.e. System Properties > Advanced > Settings (User Profiles).

If the profile is "deleted" by just browsing to the parent profile folder and deleting it, then as you've said, the ProfileList key will not be removed.

I agree. Thinking about it, this sounds like someone or something deleted just the profile folder (assuming there is no alternate location). Is it possible they may have used boot media like BartPE\WINPE\UBCD4WIN to log in to delete that folder, and then clear the slack space? (I am probably thinking way too far into this.)
