ForensiT Homepage
Forum Home Forum Home > ForensiT Support > Domain Migration
  New Posts New Posts RSS Feed - Windows 7 - Profile Disappeared?
  FAQ FAQ  Forum Search   Events   Register Register  Login Login

Windows 7 - Profile Disappeared?

 Post Reply Post Reply Page  12>
Author
Message
exx View Drop Down
Newbie
Newbie


Joined: 28 Jul 2009
Status: Offline
Points: 2
Post Options Post Options   Thanks (0) Thanks(0)   Quote exx Quote  Post ReplyReply Direct Link To This Post Topic: Windows 7 - Profile Disappeared?
    Posted: 28 Jul 2009 at 6:17pm

I went to use Profile Wizard on a Windows 7 workstation to move the system from one domain to another and, after logging on, the profile for the user was not loaded. Upon closer inspection I cannot find the users old files in C:\users.

I understand that this process isn't supposed to move/copy/delete or anything like that, so I'm stumped?
 
The application log shows a couple of warnings & errors after profwiz was used:

The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (CreateSession).

Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.

Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

Any help is greatly appreciated!
Back to Top
exx View Drop Down
Newbie
Newbie


Joined: 28 Jul 2009
Status: Offline
Points: 2
Post Options Post Options   Thanks (0) Thanks(0)   Quote exx Quote  Post ReplyReply Direct Link To This Post Posted: 28 Jul 2009 at 6:35pm
I should also mention that although a 'unassigned' profile appears, the data is not in that profile.
Back to Top
Support View Drop Down
Moderator Group
Moderator Group


Joined: 09 Nov 2006
Location: United Kingdom
Status: Offline
Points: 1844
Post Options Post Options   Thanks (0) Thanks(0)   Quote Support Quote  Post ReplyReply Direct Link To This Post Posted: 29 Jul 2009 at 5:00am
Hi,
 
I'm sorry you've had a problem. We've done a lot of testing with Windows 7 (RC1) and we haven't seen anything like this. The way Windows 7 handles profiles is pretty much identical to Vista, so we wouldn't expect any problems.
 
You are right when you say that User Profile Wizard doesn't move, copy or delete data, so if that has happened it must be the result of another process.  In fact, the only time we have ever seen data deleted is if the new domain account has an existing roaming profile.
 
Was the original user profile folder under C:\Users renamed? Does the original profile folder still exist (without any data) or is it missing? 
 
 
 
 
Back to Top
Kioshen View Drop Down
Newbie
Newbie


Joined: 13 Aug 2009
Status: Offline
Points: 6
Post Options Post Options   Thanks (0) Thanks(0)   Quote Kioshen Quote  Post ReplyReply Direct Link To This Post Posted: 13 Aug 2009 at 9:16am
Hello Support !
 
I also have used your Profile Wizard migration tool but came across the same bug. I'll try to answer your questions to the best of my knowledge in hopes that I can rescue my profile.
 
The original profile folder was not renamed nor is any data missing. Before I tried using your tool, I did log on once with the target domain user on the machine. Then I tried to migrate the local account to the domain user. Let me know if you need any other information.
Back to Top
Support View Drop Down
Moderator Group
Moderator Group


Joined: 09 Nov 2006
Location: United Kingdom
Status: Offline
Points: 1844
Post Options Post Options   Thanks (0) Thanks(0)   Quote Support Quote  Post ReplyReply Direct Link To This Post Posted: 13 Aug 2009 at 12:16pm
Thanks for the information. What build of the Wizard were you using? (This is written on the "Welcome" page.)
Back to Top
Kioshen View Drop Down
Newbie
Newbie


Joined: 13 Aug 2009
Status: Offline
Points: 6
Post Options Post Options   Thanks (0) Thanks(0)   Quote Kioshen Quote  Post ReplyReply Direct Link To This Post Posted: 13 Aug 2009 at 12:39pm
I used build 3.0.1133. Right now, I can't login using the original local account. I can however login using the domain account albeit with a temporary profile. I'll transcribe the error message for the local account if needed be.
Back to Top
Support View Drop Down
Moderator Group
Moderator Group


Joined: 09 Nov 2006
Location: United Kingdom
Status: Offline
Points: 1844
Post Options Post Options   Thanks (0) Thanks(0)   Quote Support Quote  Post ReplyReply Direct Link To This Post Posted: 13 Aug 2009 at 2:52pm
Run regedit and check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList key. If you are running with a temporary profile, you should see a subkey with a .BAK extension. Take a look at the 'ProfileImagePath' string value. Check if it has a value like %SystemDrive%\Users\username. If it does, change it to C:\Users\username. Reboot the machine.
 
Let us know what happens! Thanks.


Edited by Support - 13 Aug 2009 at 2:53pm
Back to Top
Kioshen View Drop Down
Newbie
Newbie


Joined: 13 Aug 2009
Status: Offline
Points: 6
Post Options Post Options   Thanks (0) Thanks(0)   Quote Kioshen Quote  Post ReplyReply Direct Link To This Post Posted: 13 Aug 2009 at 3:14pm
The subkey with the .bak has this as a string value : C:\Users\Kioshen
The subkey with the right uuid has this as a string value : C:\Users\TEMP

Do I inverse C to %SystemDrive% instead for the .bak subkey ?

As far as I can see, the only other difference between the two subkeys is that .bak profile has a REG_SZ key titled CentralProfile with no value and a different value in the State (REG_DWORD) subkey. If you need a registry dump let me know.
Back to Top
Support View Drop Down
Moderator Group
Moderator Group


Joined: 09 Nov 2006
Location: United Kingdom
Status: Offline
Points: 1844
Post Options Post Options   Thanks (0) Thanks(0)   Quote Support Quote  Post ReplyReply Direct Link To This Post Posted: 13 Aug 2009 at 3:22pm
No, don't change the path.
 
Are you using 32-bit or 64-bit Windows 7? Are there any messages in the event log?
Back to Top
Kioshen View Drop Down
Newbie
Newbie


Joined: 13 Aug 2009
Status: Offline
Points: 6
Post Options Post Options   Thanks (0) Thanks(0)   Quote Kioshen Quote  Post ReplyReply Direct Link To This Post Posted: 13 Aug 2009 at 3:43pm
I'm using Windows 7 RC 64-bit. Yes there are actually 3 specific message that occurs when trying to login. Since I can't find a way to attach a file I'll have to copy the general description with the raw XML dump (I have edited out the computer name) :

Error
Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.

DETAIL - The system cannot find the file specified.

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1500</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2009-08-13T13:57:56.790241400Z" />
<EventRecordID>1710</EventRecordID>
<Correlation />
<Execution ProcessID="896" ThreadID="2684" />
<Channel>Application</Channel>
<Computer>**********</Computer>
<Security UserID="S-1-5-21-2401352382-3948046723-1209217091-1000" />
</System>
- <EventData>
<Data Name="Error">The system cannot find the file specified.</Data>
</EventData>
</Event>
===================
Warning
The winlogon notification subscriber <Sens> failed a notification event.

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
<EventID Qualifiers="32768">6001</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-08-13T13:57:58.000000000Z" />
<EventRecordID>1711</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>*************</Computer>
<Security />
</System>
- <EventData>
<Data>Sens</Data>
<Binary>F0030000</Binary>
</EventData>
</Event>

===================
Warning
The winlogon notification subscriber <Profiles> failed a notification event.

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
<EventID Qualifiers="32768">6001</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-08-13T13:57:58.000000000Z" />
<EventRecordID>1712</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>*************</Computer>
<Security />
</System>
- <EventData>
<Data>Profiles</Data>
<Binary>F4010000</Binary>
</EventData>
</Event>
Back to Top
 Post Reply Post Reply Page  12>
  Share Topic   

Forum Jump Forum Permissions View Drop Down

Forum Software by Web Wiz Forums® version 12.03
Copyright ©2001-2019 Web Wiz Ltd.

This page was generated in 0.078 seconds.