This past week I ran into a system which was heavily infected with various malware. This was a Windows 2008 R2 Remote Desktop server, but this could have just as easily happened to a system running Windows 7 or Windows 8, or even Windows 2012.
One of the steps I had to take, to clean up the malware, was recreating a specific user profile. Because of the malware infections, the user profile deletion did not complete successfully. Since parts of Windows thought there was still a profile, logging in as the user resulted in a temporary profile being used instead of a new one being created automatically. Also, because of this I was no longer able to access the GUI tool to see/delete local user profiles. So now what?
Well, luckily I found a solution pretty quickly and it was not too difficult, but required some close attention:
- First, make sure the profile folder in C:\Users is completely gone.
- Find the user's SID (security identifier). From a command prompt type: wmic useraccount get name,sid (type exactly as shown)
- In the registry, expand HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList and find the key named with the SID of the desired user. Right-click the key and export it to the desktop (you'll need this in the next step). Then right-click the key and delete it.
- Using Notepad, open the registry export from the previous step and find the GUID for the desired user. In the registry expand HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileGuid and find the key named with the GUID of the desired user. Right-click the key and delete it.
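The same steps as a script, added here as an example and not part of the original post: it resolves the SID, refuses to continue while the profile folder still exists, backs up the ProfileList key, and only removes the ProfileGuid key if it points back at that SID. It assumes an elevated PowerShell prompt on the affected server; $UserName is a placeholder you supply.

```powershell
# Added example (not from the original post). Run elevated on the affected server.
param([Parameter(Mandatory=$true)][string]$UserName)   # e.g. 'CONTOSO\jdoe' or 'jdoe'

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profileGuid = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileGuid'

# Step 2: resolve the account to its SID (same result as "wmic useraccount get name,sid",
# but also works for domain accounts, which a Remote Desktop server usually has).
$sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value
Write-Host "SID for $UserName is $sid"

# When a profile fails to load, Windows may have renamed the key to <SID>.bak;
# handle both forms so the leftover entry is really gone.
$sidKeys = @($sid, "$sid.bak") | ForEach-Object { Join-Path $profileList $_ } | Where-Object { Test-Path $_ }
if (-not $sidKeys) { throw "No ProfileList entry for $sid; nothing to clean." }

foreach ($sidKey in $sidKeys) {
    $props = Get-ItemProperty -Path $sidKey

    # Step 1: the profile folder in C:\Users must already be gone, otherwise stop.
    $imagePath = [Environment]::ExpandEnvironmentVariables("$($props.ProfileImagePath)")
    if ($imagePath -and (Test-Path $imagePath)) {
        throw "Profile folder $imagePath still exists; remove it first."
    }

    # Step 3: export the key to the desktop before deleting it (reg.exe needs the HKLM\ form).
    $keyName = Split-Path $sidKey -Leaf
    $backup  = Join-Path ([Environment]::GetFolderPath('Desktop')) "ProfileList-$keyName.reg"
    & reg.exe export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$keyName" $backup /y | Out-Null

    # Step 4: the GUID the post has you read from the .reg export is the key's 'Guid' value.
    # Delete the matching ProfileGuid key only if its SidString refers back to this SID.
    $guid = $props.Guid
    if ($guid) {
        $guidKey = Join-Path $profileGuid $guid
        if (Test-Path $guidKey) {
            $back = (Get-ItemProperty -Path $guidKey).SidString
            if ($back -ne $sid) { throw "ProfileGuid\$guid refers to $back, not $sid; aborting." }
            Remove-Item -Path $guidKey -Recurse
            Write-Host "Removed $guidKey"
        }
    }

    Remove-Item -Path $sidKey -Recurse
    Write-Host "Removed $sidKey (backup at $backup)"
}
```

Add -WhatIf to the two Remove-Item calls for a dry run before making changes.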
Now when you log in as that user, Windows should automatically create the local profile.