Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Recovering Windows Profiles Using the Registry

Posted by William Diaz on October 19, 2010


Sometimes a user logs on to Windows and soon notices that the desktop is missing their personal icons, display settings, and other tidbits, resulting in a call to the help desk. Often the user is presented with an error after logon but before the desktop loads, indicating that the roaming profile could not be loaded either because it could not be found, was corrupted, or because of insufficient security rights: “User Environment. Windows cannot load the locally stored profile…”

We started seeing a flurry of these problems after a Citrix ICA client upgrade for our users. Without going into details, the problem was that the user’s registry hive was being hooked, even after a reboot. When there are open handles on the user’s ntuser.dat, Windows will not load the profile during logon. For an excellent read on how the issue was identified, see this Mark Russinovich blog post.

Normally, uninstalling the problem ICA client was enough to resolve it. However, in some cases where the user logged off and on again in an attempt to load their original profile, a new profile was created with the name of their previous profile but now including the domain name, e.g. username.domain, and none of the user settings migrated over. At this point, the previous profile could not be recovered just by logging off and on again. To recover it required some registry manipulation. These steps assume you are troubleshooting remotely and can connect to the affected workstation.

  1. Start by rebooting the system and tell the user not to log on until the changes below are completed.
  2. Next, open the remote registry of the workstation the user is trying to log on to.
    • What you are looking for is a backup of the user’s profile. It can be found in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and has .bak at the end of the key name.
    • You will also find the same key but without the .bak; this is the current active profile for the user that we no longer want to use. The key name is based on the unique SID (security identifier) of that user.
    • To verify which user the key belongs to, select it and look for the string value called ProfileImagePath; it contains the path to the user’s profile.
  3. Once you have identified both keys, delete the current profile key of the user.
  4. Now rename the previous profile key to remove the .bak.
  5. Additionally, you should also reset the RefCount and State DWORD values in this key to 0.
  6. Afterwards, clean up the unneeded profile folder by going to the UNC path of the target system and deleting the username.domain profile (along with any other temp profiles) in \\ComputerName\c$\Documents and Settings.
  7. Reboot and have the user log on. Monitor the UNC path to verify that no other TEMP or username.domain profiles are created during logon.

If you are not sure the issue is due to a hooked ntuser.dat, look at the most recently modified profiles in the above UNC location for TEMP or username.domain profiles that were just created. This issue also creates unique event IDs in the Application log of the Windows Event Viewer.
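The registry steps above (delete the active SID key, rename the .bak key, reset RefCount and State) and the follow-up check for freshly created TEMP or username.domain folders can both be scripted. The following PowerShell is an added example written for this post, not the author's own tooling or a Microsoft script. It assumes PowerShell remoting is enabled on the workstation, that you hold local administrator rights on it, and that the computer name and SID passed in are placeholders you replace; it defaults to a preview run so you can confirm which ProfileImagePath each key points at before changing anything.

```powershell
# Added example, not from the original post. Recovers a ProfileList entry that
# has been shunted aside as "<SID>.bak", following the post's steps 3 to 5.
function Repair-ProfileListEntry {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # placeholder, e.g. 'WKS-PLACEHOLDER'
        [Parameter(Mandatory)] [string] $Sid,            # placeholder, e.g. 'S-1-5-21-0-0-0-1001'
        [switch] $Commit                                 # omit to only report what would change
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $Sid, [bool]$Commit -ScriptBlock {
        param($Sid, $Commit)
        $list   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
        $active = "$list\$Sid"          # the unwanted, newly created entry
        $backup = "$list\$Sid.bak"      # the user's original entry

        if (-not (Test-Path $backup)) {
            throw "No '$Sid.bak' key under ProfileList on $env:COMPUTERNAME; nothing to recover."
        }

        # Show which profile folder each key points at before touching anything (step 2).
        foreach ($key in @($active, $backup)) {
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                '{0,-55} -> {1}' -f (Split-Path $key -Leaf), $p.ProfileImagePath
            }
        }

        if (-not $Commit) {
            'Preview only: re-run with -Commit to delete the active key, rename the .bak key and reset RefCount/State.'
            return
        }

        # Step 3: remove the active (unwanted) profile entry.
        if (Test-Path $active) { Remove-Item -Path $active -Recurse -Force }

        # Step 4: restore the original entry by dropping the .bak suffix.
        Rename-Item -Path $backup -NewName $Sid

        # Step 5: reset both DWORDs to 0 so the profile is treated as cleanly unloaded.
        Set-ItemProperty -Path $active -Name RefCount -Value 0 -Type DWord
        Set-ItemProperty -Path $active -Name State    -Value 0 -Type DWord

        Get-ItemProperty -Path $active | Select-Object ProfileImagePath, RefCount, State
    }
}

# Lists profile folders created or modified recently whose names look like the
# TEMP or username.domain folders the post describes (steps 6 and 7 and the
# check afterwards). Uses the admin share, so the same rights apply.
function Get-SuspectProfileFolder {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $ProfileRoot = 'Documents and Settings',   # 'Users' on Vista and later
        [int]    $WithinHours = 24
    )
    $root  = "\\$ComputerName\c`$\$ProfileRoot"
    $since = (Get-Date).AddHours(-$WithinHours)
    Get-ChildItem -Path $root -Directory |
        Where-Object { $_.LastWriteTime -gt $since -and ($_.Name -like '*.*' -or $_.Name -like 'TEMP*') } |
        Select-Object Name, LastWriteTime, FullName
}

# Typical sequence (placeholders): preview, then commit, then watch for new folders after the user logs on.
# Repair-ProfileListEntry -ComputerName WKS-PLACEHOLDER -Sid 'S-1-5-21-0-0-0-1001'
# Repair-ProfileListEntry -ComputerName WKS-PLACEHOLDER -Sid 'S-1-5-21-0-0-0-1001' -Commit
# Get-SuspectProfileFolder -ComputerName WKS-PLACEHOLDER
```

Deleting the stale username.domain folder itself is left as a manual step on purpose: the folder can still hold documents the user saved while logged on to the temporary profile, so confirm the ProfileImagePath output above and inspect the folder before removing it.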


One Response to “Recovering Windows Profiles Using the Registry”

  1. […] Often times when I encounter this it’s a simple matter of hacking the registry to fix it. This is covered in detail in this Microsoft KB You receive a "The User Profile Service failed the logon” error message. It is also covered in one of my older (pre-MS KB) blogs. […]
