The Case of the Persistent Logon Prompt
Posted by William Diaz on August 19, 2010
While trying to open an application on her workstation, our user was encountering a logon prompt each time:
Entering her logon info failed to get past the logon prompt. Clicking Cancel also did not dismiss the prompt and it remained stuck here. The tech handling the call was about to give up and have the application reinstalled, but I was asked to take a look for a second opinion.
I navigated to our lab from the user’s workstation and started Process Monitor. I identified the process as TpstWnd.exe and set a filter to only log operations from this process. Afterwards, I started the application again, waited for the prompt, and stopped the trace. To filter through the several thousand operations, I simply ran a search for the computer name appearing in the logon prompt, ignoring hits in HKLM. Here is what I found:
Right-clicking the operation in Process Monitor allows you to quickly navigate to the registry location in this operation. Here I see references to her previous workstation, which had since been decommissioned, XXX-960:
After speaking with the user, I was able to establish that this workstation had replaced her earlier one. Upon receiving the new workstation and logging in, her roaming profile, which includes the ntuser.dat file that contains her settings in HKCU, was copied to this workstation (it doesn’t matter that the registry keys being queried are in HKU, since HKCU is a subkey within HKU).
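The same search (one process, one host name, HKLM hits ignored) can be repeated over a trace saved from Process Monitor in CSV format. This is an added example, not part of the original post; the function name, the host name OLDPC-01, the SID and the ExampleApp keys are constructed placeholders.

```python
import csv
import io

# Constructed sample in the column layout of a Process Monitor CSV export.
# OLDPC-01, the SID and the ExampleApp keys are placeholders, not values from the post.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","TpstWnd.exe","4120","RegQueryValue","HKLM\SOFTWARE\ExampleApp\Server","SUCCESS","Type: REG_SZ, Length: 18, Data: OLDPC-01"
"10:01:02.11","TpstWnd.exe","4120","RegQueryValue","HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\ExampleApp\Connection\Host","SUCCESS","Type: REG_SZ, Length: 18, Data: OLDPC-01"
"10:01:02.12","TpstWnd.exe","4120","RegOpenKey","HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\ExampleApp\Servers\OLDPC-01","SUCCESS","Desired Access: Read"
"10:01:02.13","explorer.exe","2208","RegQueryValue","HKCU\Software\ExampleApp\Connection\Host","SUCCESS","Type: REG_SZ, Length: 18, Data: OLDPC-01"
"10:01:02.14","TpstWnd.exe","4120","CreateFile","C:\Users\user\AppData\Roaming\ExampleApp\app.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.15","TpstWnd.exe","4120","RegQueryValue","HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\ExampleApp\WindowPos","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
'''


def stale_host_hits(csv_text, process, host, skip_hives=("HKLM",)):
    """Return (operation, path, result) for rows from `process` that mention
    `host` in the Path or Detail column, ignoring paths under `skip_hives`."""
    host = host.lower()
    process = process.lower()
    skip = tuple(h.upper() for h in skip_hives)
    hits = []
    # Strip a leading UTF-8 BOM, if present, so the first header name matches.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Process Name"].lower() != process:
            continue
        path = row["Path"]
        # The hive is the first path component (HKLM, HKU, HKCU, ...).
        hive = path.split("\\", 1)[0].upper()
        if hive in skip:
            continue
        if host in path.lower() or host in row["Detail"].lower():
            hits.append((row["Operation"], path, row["Result"]))
    return hits


if __name__ == "__main__":
    for op, path, result in stale_host_hits(SAMPLE_CSV, "TpstWnd.exe", "OLDPC-01"):
        print(f"{op:15} {result:10} {path}")
```

Each remaining hit is a per-user registry location that still names the old machine, which is where to look in the roaming profile's hive.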