ForensiT Homepage
Forum Home Forum Home > ForensiT Support > Domain Migration
  New Posts New Posts RSS Feed - Windows 7 - Profile Disappeared?
  FAQ FAQ  Forum Search   Events   Register Register  Login Login

Windows 7 - Profile Disappeared?

 Post Reply Post Reply Page  12>
Author
Message Reverse Sort Order
Kioshen View Drop Down
Newbie
Newbie


Joined: 13 Aug 2009
Status: Offline
Points: 6
Post Options Post Options   Thanks (0) Thanks(0)   Quote Kioshen Quote  Post ReplyReply Direct Link To This Post Topic: Windows 7 - Profile Disappeared?
    Posted: 14 Aug 2009 at 9:26am
Sorry yes the folders also exist as specified by the ProfileImagePath. I can access my old data no problem on disk but can't login into it. I did not upgrade the system from beta to RC. I did a fresh RC install. I know it's kind of a pain to debug this situation but if you need more info let me know.
Back to Top
Support View Drop Down
Moderator Group
Moderator Group


Joined: 09 Nov 2006
Location: United Kingdom
Status: Offline
Points: 1844
Post Options Post Options   Thanks (0) Thanks(0)   Quote Support Quote  Post ReplyReply Direct Link To This Post Posted: 14 Aug 2009 at 9:19am
I meant does the c:\users\username folder exist as specified by the 'ProfileImagePath' registry string value? Is that what you meant? Smile
 
We are now doing additional testing against the RTM Windows 7 code. We didn't see any issues testing on RC1, but we'll do what we can to reproduce the problem.
Back to Top
Kioshen View Drop Down
Newbie
Newbie


Joined: 13 Aug 2009
Status: Offline
Points: 6
Post Options Post Options   Thanks (0) Thanks(0)   Quote Kioshen Quote  Post ReplyReply Direct Link To This Post Posted: 14 Aug 2009 at 7:13am
Yes they exist in both subkeys.
Back to Top
Support View Drop Down
Moderator Group
Moderator Group


Joined: 09 Nov 2006
Location: United Kingdom
Status: Offline
Points: 1844
Post Options Post Options   Thanks (0) Thanks(0)   Quote Support Quote  Post ReplyReply Direct Link To This Post Posted: 13 Aug 2009 at 4:00pm
Thanks for this. Does the path in the 'ProfileImagePath' registry string value actually exist?
Back to Top
Kioshen View Drop Down
Newbie
Newbie


Joined: 13 Aug 2009
Status: Offline
Points: 6
Post Options Post Options   Thanks (0) Thanks(0)   Quote Kioshen Quote  Post ReplyReply Direct Link To This Post Posted: 13 Aug 2009 at 3:43pm
I'm using Windows 7 RC 64-bit. Yes there are actually 3 specific message that occurs when trying to login. Since I can't find a way to attach a file I'll have to copy the general description with the raw XML dump (I have edited out the computer name) :

Error
Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.

DETAIL - The system cannot find the file specified.

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1500</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2009-08-13T13:57:56.790241400Z" />
<EventRecordID>1710</EventRecordID>
<Correlation />
<Execution ProcessID="896" ThreadID="2684" />
<Channel>Application</Channel>
<Computer>**********</Computer>
<Security UserID="S-1-5-21-2401352382-3948046723-1209217091-1000" />
</System>
- <EventData>
<Data Name="Error">The system cannot find the file specified.</Data>
</EventData>
</Event>
===================
Warning
The winlogon notification subscriber <Sens> failed a notification event.

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
<EventID Qualifiers="32768">6001</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-08-13T13:57:58.000000000Z" />
<EventRecordID>1711</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>*************</Computer>
<Security />
</System>
- <EventData>
<Data>Sens</Data>
<Binary>F0030000</Binary>
</EventData>
</Event>

===================
Warning
The winlogon notification subscriber <Profiles> failed a notification event.

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
<EventID Qualifiers="32768">6001</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-08-13T13:57:58.000000000Z" />
<EventRecordID>1712</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>*************</Computer>
<Security />
</System>
- <EventData>
<Data>Profiles</Data>
<Binary>F4010000</Binary>
</EventData>
</Event>
Back to Top
Support View Drop Down
Moderator Group
Moderator Group


Joined: 09 Nov 2006
Location: United Kingdom
Status: Offline
Points: 1844
Post Options Post Options   Thanks (0) Thanks(0)   Quote Support Quote  Post ReplyReply Direct Link To This Post Posted: 13 Aug 2009 at 3:22pm
No, don't change the path.
 
Are you using 32-bit or 64-bit Windows 7? Are there any messages in the event log?
Back to Top
Kioshen View Drop Down
Newbie
Newbie


Joined: 13 Aug 2009
Status: Offline
Points: 6
Post Options Post Options   Thanks (0) Thanks(0)   Quote Kioshen Quote  Post ReplyReply Direct Link To This Post Posted: 13 Aug 2009 at 3:14pm
The subkey with the .bak has this as a string value : C:\Users\Kioshen
The subkey with the right uuid has this as a string value : C:\Users\TEMP

Do I inverse C to %SystemDrive% instead for the .bak subkey ?

As far as I can see, the only other difference between the two subkeys is that .bak profile has a REG_SZ key titled CentralProfile with no value and a different value in the State (REG_DWORD) subkey. If you need a registry dump let me know.
Back to Top
Support View Drop Down
Moderator Group
Moderator Group


Joined: 09 Nov 2006
Location: United Kingdom
Status: Offline
Points: 1844
Post Options Post Options   Thanks (0) Thanks(0)   Quote Support Quote  Post ReplyReply Direct Link To This Post Posted: 13 Aug 2009 at 2:52pm
Run regedit and check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList key. If you are running with a temporary profile, you should see a subkey with a .BAK extension. Take a look at the 'ProfileImagePath' string value. Check if it has a value like %SystemDrive%\Users\username. If it does, change it to C:\Users\username. Reboot the machine.
 
Let us know what happens! Thanks.


Edited by Support - 13 Aug 2009 at 2:53pm
Back to Top
Kioshen View Drop Down
Newbie
Newbie


Joined: 13 Aug 2009
Status: Offline
Points: 6
Post Options Post Options   Thanks (0) Thanks(0)   Quote Kioshen Quote  Post ReplyReply Direct Link To This Post Posted: 13 Aug 2009 at 12:39pm
I used build 3.0.1133. Right now, I can't login using the original local account. I can however login using the domain account albeit with a temporary profile. I'll transcribe the error message for the local account if needed be.
Back to Top
Support View Drop Down
Moderator Group
Moderator Group


Joined: 09 Nov 2006
Location: United Kingdom
Status: Offline
Points: 1844
Post Options Post Options   Thanks (0) Thanks(0)   Quote Support Quote  Post ReplyReply Direct Link To This Post Posted: 13 Aug 2009 at 12:16pm
Thanks for the information. What build of the Wizard were you using? (This is written on the "Welcome" page.)
Back to Top
 Post Reply Post Reply Page  12>
  Share Topic   

Forum Jump Forum Permissions View Drop Down

Forum Software by Web Wiz Forums® version 12.03
Copyright ©2001-2019 Web Wiz Ltd.

This page was generated in 0.109 seconds.