Deleting a Local User Profile - Not as easy as one Might Assume

Helge Klein's picture

In many environments it is a common practice to delete user profiles prior to conducting tests in order to start with a clean slate. However, this may prove more difficult than anticipated.

Most people think that a local user profile only consists of the directory %USERPROFILE% typically located below C:\Users on Vista and Server 2008 (and newer). But there is more. Windows keeps track of the local profile incarnations in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. For each locally stored profile a subkey is created whose name is set to the profile owner’s SID. Here is the content of a sample ProfileList subkey:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1659004503-1788223648-1417001333-500]
"ProfileImagePath"="%SystemDrive%\Documents and Settings\Administrator"
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,57,66,e2,62,a0,20,96,6a,75,b9,75,54,f4,01,00,00
"Flags"=dword:00000000
"State"=dword:00000100
"CentralProfile"=""
"ProfileLoadTimeLow"=dword:224c9af0
"ProfileLoadTimeHigh"=dword:01c92f98
"RefCount"=dword:00000000
"RunLogonScriptSync"=dword:00000000
"OptimizedLogonStatus"=dword:0000000b

How Not to Delete a Profile

Now, what happens if you simply delete the user profile directory below C:\Users without modifying the registry? The next time the user logs on, Windows displays a balloon tip whining that it could not load the user profile and that the user was logged on with a temporary profile. Is that bad? Yes! Temporary profiles are a last resort for when Windows cannot load the user profile. Upon logoff they are deleted and all data in them is lost. That certainly is a reason to avoid them.

The Right Way

If you need to delete a profile, use one of these methods:

  • Use my command-line tool Delprof2
  • If deleting manually make sure to delete both the profile directory and the associated ProfileList subkey
  • Open the control panel applet “System Properties” by running sysdm.cpl and delete the profile from there (on Windows 7 the corresponding tab is accessible by running "SystemPropertiesAdvanced.exe")

What if I Already Deleted a Profile the "Wrong" Way?

If Windows finds a ProfileList subkey matching your SID without an associated profile directory it backs up the ProfileList subkey. Prior to creating the temporary profile the ProfileList subkey is renamed to SID.bak. About the reason for that strange behavior I can only speculate. Maybe someone thought this would facilitate restoring the original state from a backup.

Whatever the reason, once you have been given a temporary profile, the SID.bak key lingers in the registry. It needs to be deleted to get back to normal profile behavior.
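
A read-only PowerShell check for the two leftover conditions described above: a ProfileList subkey whose profile directory is missing, and a lingering SID.bak key. This is an added example, not part of the original article or of Delprof2; the function name Get-ProfileListAudit and the finding labels are made up for illustration, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only audit of ProfileList. It changes nothing.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListAudit {
    # Hypothetical helper name, not a built-in cmdlet.
    param([string]$Root = $profileList)

    foreach ($key in Get-ChildItem -LiteralPath $Root) {
        # Subkey name is the profile owner's SID, or SID.bak for a backed-up key.
        $name = $key.PSChildName

        # RegistryKey.GetValue expands REG_EXPAND_SZ data such as %SystemDrive%.
        $path = $key.GetValue('ProfileImagePath')
        $dirExists = [bool]$path -and (Test-Path -LiteralPath $path -PathType Container)

        $finding = if ($name -like '*.bak') {
            'Backup key left behind by a temporary-profile logon'
        } elseif (-not $path) {
            'Subkey has no ProfileImagePath value'
        } elseif (-not $dirExists) {
            'Subkey present but profile directory is missing'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Subkey           = $name
            ProfileImagePath = $path
            DirectoryExists  = $dirExists
            Finding          = $finding
        }
    }
}

# List only the entries that need attention.
Get-ProfileListAudit |
    Where-Object { $_.Finding -ne 'OK' } |
    Format-Table -AutoSize -Wrap
```

An empty result means every ProfileList subkey points at an existing directory and no SID.bak key is present.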

What About XP and Server 2003?

The behavior described in this article applies to Vista, Windows 7 and Server 2008 (including R2). Their predecessors XP and Server 2003 use a more simplistic approach. If a ProfileList registry subkey exists but the corresponding directory is not accessible, they simply create a new local profile and overwrite the data in the ProfileList key. Not even an event is logged to the Windows event log.

This behavior is certainly simpler but at the same time much more realistic. Not every change is for the better…
