I was looking in C:\System Volume Information\ with WinHex and noticed that the _REGISTRY_USER_NTUSER_S-1-5-21 (corresponding to NTUSER.dat for various users) that you can find in FIFOed system restore point folders always has a file size of zero (even the most recently FIFOed). The other _REGISTRY_USER files aren't zero bytes. It seems strange to me that Windows would go to the extra effort of setting these files to zero bytes instead of just unallocating the space. Is there any way to extract what was in the NTUSER.dat from these FIFOed folders, or are they lost?
> _REGISTRY_USER_NTUSER_S-1-5-21 (corresponding to NTUSER.dat for various users)
Each user account has an NTUSER.DAT hive file. The SID you listed appears to be a well-known SID, although it doesn't appear in MS's KB article on the subject.
It would appear that the SID you listed is, in fact, part of a SID.
The rest of your question doesn't make a great deal of sense. Have you checked the regular profile for that user to determine the content of the NTUSER.DAT prior to being added to the Restore Points?
Sorry, I meant _REGISTRY_USER_NTUSER_S-1-5-21-(long string of numbers that correspond to a particular SID). I figured the particular SID was irrelevant. At any rate, I meant the restore point file that corresponds to NTUSER.dat for a particular user.
What I am trying to do is to determine the content of NTUSER.dat at the time those restore points were made. It was my understanding that at each restore point, the system makes a copy of NTUSER.dat at that particular time. I've already looked through the current NTUSER.dat; I want to see what it looked like in the past.
However, the restore points of interest have been FIFOed - this particular system allocated a very small amount of space to System Restore, and as a consequence, there are only two intact system restores and several dozen deleted ones that were FIFOed by the system.
If you go in with WinHex or another file recovery program into C:\System Volume Information, you can still see all the old restore points - Windows renames the folders FIFOed, but all the files are still inside. The problem is that my file of interest, _REGISTRY_USER_NTUSER_S-1-5-21-XXXX… is shown as 0 bytes and WinHex doesn't show any starting sector for it - so I can't recover it or even find a starting point to carve out any data. This file is always 0 bytes in all of the deleted restore point folders, but all the other files inside appear to have some file size. I'm wondering if the data in these deleted files is still floating around somewhere in unallocated space since it seems odd to me that Windows would go to the trouble of wiping this one file when deleting restore points.
> Sorry, I meant _REGISTRY_USER_NTUSER_S-1-5-21-(long string of numbers that correspond to a particular SID). I figured the particular SID was irrelevant. At any rate, I meant the restore point file that corresponds to NTUSER.dat for a particular user.
It's important with respect to whether you're talking about an NTUSER.DAT file that is either empty or one for an active user.
> What I am trying to do is to determine the content of NTUSER.dat at the time those restore points were made. It was my understanding that at each restore point, the system makes a copy of NTUSER.dat at that particular time. I've already looked through the current NTUSER.dat; I want to see what it looked like in the past.
> However, the restore points of interest have been FIFOed - this particular system allocated a very small amount of space to System Restore, and as a consequence, there are only two intact system restores and several dozen deleted ones that were FIFOed by the system.
I see a lot of focus on FIFO of the RPs... just so you're aware, this is a normal function of Restore Points.
> If you go in with WinHex or another file recovery program into C:\System Volume Information, you can still see all the old restore points - Windows renames the folders FIFOed, but all the files are still inside. The problem is that my file of interest, _REGISTRY_USER_NTUSER_S-1-5-21-XXXX… is shown as 0 bytes and WinHex doesn't show any starting sector for it - so I can't recover it or even find a starting point to carve out any data. This file is always 0 bytes in all of the deleted restore point folders, but all the other files inside appear to have some file size. I'm wondering if the data in these deleted files is still floating around somewhere in unallocated space since it seems odd to me that Windows would go to the trouble of wiping this one file when deleting restore points.
It doesn't sound as if Windows went to the trouble of anything. I'd have to see the system, but are the NTUSER.DAT in the available Restore Points 0 bytes in size?
Is there anything specific that you're looking for? Maybe I can help you with something that you can find indications of in the current NTUSER.DAT file that is available.
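As an added example (not code from this thread or from any of its posters): a small Python triage script that walks a System Volume Information tree, lists every _REGISTRY_USER_NTUSER_S-1-5-21-* copy under each restore-point folder, and reports its size, whether it starts with a real hive base block ("regf" signature), and the hive's last-written timestamp, which dates the snapshot. It assumes the RPnn folder naming and builds a constructed sample tree in a temp directory (one copy with a valid header, one zero-byte copy like the ones described above).

```python
import os
import re
import struct
import tempfile
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RP_DIR = re.compile(r"^RP\d+$", re.IGNORECASE)  # assumption: RPnn names; widen for renamed folders
NTUSER_COPY = re.compile(r"^_REGISTRY_USER_NTUSER_S-1-5-21-", re.IGNORECASE)

def parse_regf_header(data):
    """(last_written_utc, hive_name) from a hive base block, or None without a 'regf' signature."""
    if len(data) < 112 or data[:4] != b"regf":
        return None
    # Base block: 'regf', primary/secondary seq, last-written FILETIME at 12, versions at 20/24,
    # 64-byte UTF-16LE hive name at offset 48.
    (last_written,) = struct.unpack_from("<Q", data, 12)
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return FILETIME_EPOCH + timedelta(microseconds=last_written // 10), name

def triage_restore_points(svi_root):
    """Report every NTUSER.DAT copy under each RPnn folder: size, regf presence, snapshot time."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(svi_root):
        if not RP_DIR.match(os.path.basename(dirpath)):
            continue
        for fname in filenames:
            if not NTUSER_COPY.match(fname):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                header = parse_regf_header(fh.read(4096))  # a 0-byte copy yields b"" -> None
            results.append({"restore_point": os.path.basename(dirpath), "file": fname,
                            "size": os.path.getsize(path), "valid_hive": header is not None,
                            "last_written": header[0] if header else None})
    return results

def build_sample_tree():
    """Constructed sample tree (not real evidence): RP1 has a regf-headed copy, RP2 a 0-byte one."""
    root = tempfile.mkdtemp(prefix="svi_")
    rp1, rp2 = (os.path.join(root, "_restore{GUID}", n) for n in ("RP1", "RP2"))
    for rp in (rp1, rp2):
        os.makedirs(rp)
    delta = datetime(2009, 1, 2, 3, 4, 5, tzinfo=timezone.utc) - FILETIME_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000  # 100 ns ticks since 1601
    header = b"regf" + struct.pack("<IIQII", 1, 1, filetime, 1, 3) + b"\x00" * 20
    header += "ntuser.dat".encode("utf-16-le").ljust(64, b"\x00")
    with open(os.path.join(rp1, "_REGISTRY_USER_NTUSER_S-1-5-21-1000"), "wb") as fh:
        fh.write(header.ljust(4096, b"\x00"))
    open(os.path.join(rp2, "_REGISTRY_USER_NTUSER_S-1-5-21-1000"), "wb").close()
    return root
```

Pointing `triage_restore_points` at a mounted image's System Volume Information folder separates copies that still carry a hive header (worth parsing) from zero-byte ones that can only be searched for in unallocated space by signature.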