Resolving NTUSER.DAT Preventing Removal of a Deleted User's Home Directory
Here's the scenario you're likely in: After having backed up any relevant content inside their home directory, you delete a user's local account in Windows via the control panel. You then navigate to C:\Users and attempt to delete their home directory only to find that their NTUSER.DAT file is still in use by the system, and rebooting - even in safe mode - has no effect. The job is left half-finished, and leaving jobs half-finished is simply unbecoming of a fine professional assassin such as yourself. Unacceptable!
Removing the Profile Entry
This guide assumes that you have, at the very least, already backed up the contents of HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList within the registry to a file.
- Press Win+R, copy and paste `ms-settings:recovery`, and press Enter to open the Recovery page within the Windows control panel.
- Under Advanced startup, select Restart now.
- Navigate to Troubleshoot → Advanced options → Startup Settings and select Restart.
- Press 6 to select Enable Safe Mode with Command Prompt.
- Use the command `pwsh` to launch and enter into a PowerShell session.
- Substituting `foo` with the username of the user account that you previously deleted, use the following command to locate their profile entry within the registry:

```powershell
Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\' |
    ForEach-Object { if ($_.GetValue('ProfileImagePath') -match 'foo') { "`n" + $_.Name + "`n" } }
```

  At the end of the location you receive will be the user's SID, in the format of `S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1xxx`.
- Substituting `bar` with the aforementioned SID, use the following command to delete their profile entry from the registry:

```powershell
Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\bar' -Recurse -Verbose
```

- Use the command `Restart-Computer` to restart the system normally.
- Once the system has rebooted, log in and open a PowerShell prompt.
- Substituting `foo` with the username of the user account that you previously deleted, use the following command to delete their home directory:

```powershell
Remove-Item -Path 'C:\Users\foo' -Recurse -Force -Confirm
```
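The procedure above, as an added script that is not part of the original post: it matches the exact home directory rather than a substring (so `foo` does not also match `foobar`), refuses to touch the well-known service SIDs, confirms the SID no longer resolves to an account before calling it orphaned, exports the key to a `.reg` backup, and runs `Remove-Item` with `-WhatIf` first. The backup directory and the `-UserName` parameter are this example's own choices.

```powershell
# Added example, not the post's own code. Run from an elevated PowerShell session
# (e.g. the Safe Mode with Command Prompt session described above).
param(
    [Parameter(Mandatory)] [string] $UserName,
    [string] $BackupDir = "$env:SystemDrive\ProfileListBackup"   # assumed location
)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
# Never remove the entries for SYSTEM, LOCAL SERVICE or NETWORK SERVICE.
$protectedSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'

# Exact path comparison instead of -match, so a short name cannot hit another profile.
$expectedPath = "$env:SystemDrive\Users\$UserName"
$entries = Get-ChildItem -Path $profileList | Where-Object {
    $_.GetValue('ProfileImagePath') -ieq $expectedPath
}
if (-not $entries) { Write-Warning "No ProfileList entry points at $expectedPath"; return }

foreach ($entry in $entries) {
    $keyName = $entry.PSChildName                 # may carry a '.bak' suffix
    $sid     = $keyName -replace '\.bak$', ''
    if ($protectedSids -contains $sid) { Write-Warning "Skipping protected SID $sid"; continue }

    # Orphan check: a deleted account's SID no longer translates to a name.
    $resolves = $true
    try {
        $null = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $resolves = $false
    }
    if ($resolves) { Write-Warning "$sid still maps to an account; not removing"; continue }

    # Export the key first so the change can be undone with 'reg import'.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir "$keyName.reg"
    reg.exe export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$keyName" $backup /y | Out-Null
    Write-Host "Backed up $keyName to $backup"

    # Dry run; remove -WhatIf once the output names only the intended key.
    Remove-Item -Path $entry.PSPath -Recurse -Verbose -WhatIf
}
```

After the key is gone and the machine has rebooted normally, the `Remove-Item` on `C:\Users\foo` from the last step above completes because SYSTEM no longer opens that NTUSER.DAT at startup.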
Why Does this Happen?
During Windows' startup process, SYSTEM reads the list of user profile entries in the registry and uses the ProfileImagePath in each to open that user's NTUSER.DAT file. These files are then kept open by SYSTEM for the remainder of normal operation (i.e. until the next reboot). Because the files are held open, the filesystem treats them as in use, and the directory containing them cannot be deleted until the profile entry is removed and the system restarted.
Magic Spearmint