I have been requested to conduct analysis on a computer. User A logged onto the computer and User B remotely logged onto the computer and disconnected user A. My analysis of User A's profile shows that the user profile was partially created. What will be the cause of the user profile not being created completely?
Is it a local profile, or a roaming profile?
Did user A log into the console? Was this the first time that user A had logged in since the account had been created? Was this in a domain?
How did user B log in remotely? RDP? VNC? Something else?
How does "Recent folder missing" apply to the issue?
Just looking for more information to clarify the situation. Given my experience with timelines, a user logging in for the first time (when the profile is actually created) is very quick, and not something that a person would necessarily be able to interrupt. I'd be very curious to see the data to support the finding that user B's disconnecting user A caused the profile creation to be interrupted.
Thanks.
…User B remotely logged onto the computer and disconnected user A.
You answered your own question. User B (an admin at some level) forcibly logged off User A before their profile was fully created or if it was a remote profile, before it was copied to the new machine.
Was the profile not created completely or was it removed partially?
Some background on the underlying question you are trying to answer might be helpful as well.
Is your assumption it was not created completely because a Recent folder is not present, and only this?
Is making a Recent folder part of creating a new profile? I do not know the answer to this. A theory that needs testing.
User A physically logged onto the computer. User B used RDA to log onto the computer.
User A is also a first time logger onto the computer.
Here are the folders that are shown in the user profile of A only:
C:\Documents and Settings\userA\Application Data
C:\Documents and Settings\userA\Cookies
C:\Documents and Settings\userA\Favorites
No evidence to suggest it was partially deleted.
I have tested the theory: even if I forcibly disconnect the user that is trying to log on, the user profile is created fully.
How long was user A logged on before being disconnected? You should be able to correlate the creation date for user A's NTUSER.DAT to the time when they logged on to the system, and then see if you can get the event record for the forcible disconnect from the Event Log.
How does "Recent folder missing" apply to this situation?
Something you could do very quickly to test this is to create another user account on your local system, log into it, and then log out. Then log into your original account, and browse to the newly-created user profile and see if the Recent folder was created.
Is there a value for Start_ShowRecentDocs in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced?
Is there an entry for NoRecentDocsMenu in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer?
I found the following on TechNet which describes some of the actions that create entries in Recent
Not quite the answer you were looking for, but I am still looking.
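One way to run the two checks suggested in this thread together (compare the profile against a freshly created test profile, and line up creation times with the logon and disconnect events), as an added example that is not from any poster. The function name, folder listings and timestamps are constructed for illustration; real values would come from the image and the Event Log.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

def audit_profile(reference, suspect, logon, disconnect):
    """Compare a suspect profile's top-level entries with a reference profile.

    reference:  names found in a test profile created on the same build.
    suspect:    {name: creation time} exported from the image for the profile.
    logon / disconnect: session boundaries taken from the Event Log.
    """
    t_on = datetime.strptime(logon, FMT)
    t_off = datetime.strptime(disconnect, FMT)
    seen = {n.lower(): datetime.strptime(ts, FMT) for n, ts in suspect.items()}
    report = {"missing": [], "before_logon": [], "in_session": [],
              "after_disconnect": []}
    for name in reference:
        created = seen.get(name.lower())
        if created is None:
            report["missing"].append(name)           # never created, or removed
        elif created < t_on:
            report["before_logon"].append(name)      # predates the session
        elif created <= t_off:
            report["in_session"].append(name)        # created while logged on
        else:
            report["after_disconnect"].append(name)  # created by a later event
    # Entries absent from the reference profile need their own explanation.
    ref = {n.lower() for n in reference}
    report["unexpected"] = [n for n in suspect if n.lower() not in ref]
    return report

# Constructed sample: listing of a test profile made as described in the thread.
REFERENCE = ["Application Data", "Cookies", "Desktop", "Favorites",
             "Local Settings", "My Documents", "Recent", "SendTo",
             "Start Menu", "NTUSER.DAT"]
# Constructed sample: the three folders reported for user A, plus the hive.
SUSPECT = {
    "Application Data": "2008-03-04 09:15:06",
    "Cookies": "2008-03-04 09:15:06",
    "Favorites": "2008-03-04 09:15:07",
    "NTUSER.DAT": "2008-03-04 09:15:05",
}
REPORT = audit_profile(REFERENCE, SUSPECT,
                       "2008-03-04 09:15:00", "2008-03-04 09:15:40")

if __name__ == "__main__":
    for bucket, names in REPORT.items():
        print(f"{bucket:17}{', '.join(names) or '-'}")
```

Entries in the `missing` bucket only show a difference from the reference profile; whether a folder such as Recent is created at first logon or on first use still has to be established by the test logon described above.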