"ntuser.dat in use" after complete shutdown?

Guest

At our system all Windows XP machines store the users' profiles in partition D.

In order to maintain a "clean" environment we used to have a batch file that
formatted drive D and then copied back a backup of the default/all/admin user
profiles into drive D again.

We tried to shrink this long process by creating a batch file that will
delete all the directories inside the "Documents and Settings" directory in
drive D with the exception of the default/all/admin directories.

We used the following command to delete all the folders that match our
criteria (inside a for loop and if conditions where %%i is the directory we
want to delete):
rd "%%i" /q /s


The problem:
After a while we started to notice that the batch file is having problems
deleting some of the directories and that it complains about "NTUSER.DAT is
being used".

We followed the following procedure when running the batch file:
1. Complete shut down (turn off)
2. Wait until the fans stop spinning.
3. Turning on the computer.
4. Logging in with a predefined user that has the appropriate access rights.
5. Running the batch file.



The question:
Is there any way to make the batch file delete ALL the folders including the
so called used "ntuser.dat" files without having to force a format on the
drive again?



P.S.
We were told that the problem is that some programs leave the registry open
for the users that used it but isn't a complete shut down of the system
supposed to solve that?
We're trying to accomplish this without installing further packages/programs.


Thanks in advance

daat99
 
Pegasus (MVP)

See below.

daat99 said:
A bit of a background:
At our system all Windows XP machines store the users' profiles in partition D.

In order to maintain a "clean" environment we used to have a batch file that
formatted drive D and then copied back a backup of the default/all/admin user
profiles into drive D again.

We tried to shrink this long process by creating a batch file that will
delete all the directories inside the "Documents and Settings" directory in
drive D with the exception of the default/all/admin directories.

We used the following command to delete all the folders that match our
criteria (inside a for loop and if conditions where %%i is the directory we
want to delete):
rd "%%i" /q /s


The problem:
After a while we started to notice that the batch file is having problems
deleting some of the directories and that it complains about "NTUSER.DAT is
being used".

*** ntuser.dat is part of the registry of the user that is currently
*** logged on. The file is locked and you cannot delete it.

We followed the following procedure when running the batch file:
1. Complete shut down (turn off)
2. Wait until the fans stop spinning.
3. Turning on the computer.
4. Logging in with a predefined user that has the appropriate access rights.
5. Running the batch file.

*** By deleting parts of the profile that belongs to this user
*** you're sawing off the branch he sits on. Bad idea.

The question:
Is there any way to make the batch file delete ALL the folders including the
so called used "ntuser.dat" files without having to force a format on the
drive again?

*** Yes, by running the batch file at boot time under the System
*** account. Use schtasks.exe to create a scheduled task for this.

P.S.
We were told that the problem is that some programs leave the registry open
for the users that used it but isn't a complete shut down of the system
supposed to solve that?

*** Yes, it does but the registry gets locked again by your user!
 
David H. Lipman

NTUser.dat is the User Registry.

When you Logon the User Registry is loaded. Presumably, the User Registry of the account
being used is the one causing the error.
 
Guest

Pegasus (MVP) said:
*** ntuser.dat is part of the registry of the user that is currently
*** logged on. The file is locked and you cannot delete it.

*** By deleting parts of the profile that belongs to this user
*** you're sawing off the branch he sits on. Bad idea.

*** Yes, by running the batch file at boot time under the System
*** account. Use schtasks.exe to create a scheduled task for this.

*** Yes, it does but the registry gets locked again by your user!

1. The problem occurs on ntuser.dat files of other users besides the
currently logged in user.
2. I'm trying to delete the entire profile. Each computer is used by an average
of 150-200 users between maintenance cycles and every single one of them has a
folder with his name on it. I'm trying to delete all of those with the
exception of the user that runs the batch file (one of the if statements in the
batch file takes care of that).
3. We don't want it to be run on every startup or even to be scheduled to
run at a certain time.
We are required to run it periodically based on events that don't have a
"schedule".
4. If the registry is getting locked by the user that runs the script then
why can't I delete the ntuser.dat file of other users? I'm not even trying to
delete the ntuser.dat file of the user that runs the batch file.

David H. Lipman said:
NTUser.dat is the User Registry.

When you Logon the User Registry is loaded. Presumably, the User Registry of the account
being used is the one causing the error.

The thing is that the used account folder is being skipped by the batch file.
The problem appears in several folders of different users on each computer
(couldn't locate a connection between the users, they aren't part of the same
user group nor do they use the same programs).
 
David H. Lipman

If you have that many people sharing the one PC, maybe you should consider having their
profiles on a Domain member server rather than on the local PC.

After a PC reboot, boot into Safe Mode and try removing the profiles other than your logged
in account. Additionally, while it isn't a batch process, it is best done by Right-Clicking
on "My Computer", choosing "Properties" and removing the profiles from there.

One final note, malware may load under a user's account and be loaded by the system but
still loading the User Registry of the account that was initially infected by the malware.
 
Guest

Sorry for double posting, for some reason my reply was omitted from the last
post.

We have 6 labs of computers (~30 computers each lab) and about 1500 users.
All the computers are available to all of the users.
All the computers are connected to the same domain and use the same DC to
authenticate the users name and password before it allows them to log into
the (random) computer they happen to sit by.
Once they're authenticated by the DC the "default user" folder (documents
and settings) is duplicated in "D:\Document and Settings" with the %username%
as the folder name.
We have an average of 150-200 folders (user profiles) inside the "Document and
Settings" on each computer when we run the batch file.
Since the users aren't local users they don't appear in the "My Computer
-> properties -> advanced -> user profile" users list.
When we run the batch file we are logged in using a local user that does
appear in the "user profile" list and it has administrative rights (not the
administrator though).
Most of the folders inside the "Documents and Settings" are being deleted
without problems except an average of 10-20 on each computer that report the
"ntuser.dat in use" error.

I didn't know about the malware problem but it doesn't fit the situation and
may very well be the real cause behind the problems, thank you for that :)

Is there any command I can use inside the batch file that will "release" the
ntuser.dat files so the rd command will be able to delete them?
 
David H. Lipman

No. Not really.
The only way would be to find out what EXE or DLL is loading that User Registry and you
would have to kill that process. That's assuming you can find the process and you have the
rights to do so. That also assumes that even if you kill the process, the User Registry will
be released and be allowed to be deleted.

Doing this in Safe Mode *may* allow the Batch process to be more successful.
 
Guest

Ok, thank you very much for your assistance, I really appreciate it :)
 
Pegasus (MVP)

After a reboot, all files in profile folders other than the current
user's folder are unlocked, unless one of them runs some background
process that locks some files.

If you cannot delete some profiles then you must find out what
processes start at boot time, and what accounts they use.

Note that the fully documented "profile copy" process depends
on profiles being unlocked. What you report about your machines
does not agree with the way Windows works, hence there is
something strange about your machines. Changing the password
of the rogue account might flush things out.
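
The check both replies point to (which accounts still have a user hive loaded after the reboot, and which processes run under them) can be scripted with tools already on the machine. This is an added example, not part of the original thread; it assumes reg.exe and tasklist.exe as shipped with Windows XP Professional and the standard ProfileList registry key.

```bat
@echo off
rem Added diagnostic example, not part of the original thread.
rem Run as a local administrator after a reboot and BEFORE the rd loop.
setlocal

rem Standard registry key that maps each profile SID to its folder (assumed).
set "PROFILELIST=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

echo === User hives currently loaded under HKEY_USERS ===
rem Every S-1-5-21-... subkey of HKEY_USERS is an NTUSER.DAT that is loaded,
rem and therefore locked, right now. The *_Classes subkeys are skipped.
for /f "tokens=2 delims=\" %%s in ('reg query HKU 2^>nul ^| findstr /i /c:"S-1-5-21-" ^| findstr /v /i /c:"_Classes"') do (
    echo SID: %%s
    rem Resolve the SID to the profile folder that owns the loaded hive.
    for /f "tokens=2,*" %%a in ('reg query "%PROFILELIST%\%%s" /v ProfileImagePath 2^>nul ^| findstr /i /c:"ProfileImagePath"') do (
        echo     Profile folder: %%b
    )
)

echo.
echo === Processes not running as a built-in service account ===
rem An account listed here, other than the one running this script, still has
rem a live process and is a candidate for what keeps its hive loaded.
tasklist /v /fi "USERNAME ne NT AUTHORITY\SYSTEM" /fi "USERNAME ne NT AUTHORITY\LOCAL SERVICE" /fi "USERNAME ne NT AUTHORITY\NETWORK SERVICE"

endlocal
```

A profile folder reported in the first list is one that `rd` will fail on; if its account has no process in the second list, the hive is being held open by a process running under a different account.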
 
Guest

The user accounts and passwords aren't local but part of the DC which I
don't have access to (only the system messes with the DC, I need to mess with
the actual machines) so I can't just go and change someone's password to test
this.
It sounds like what David H. Lipman said about malware using the local
profile of the user that was originally infected fits the symptoms we
encounter.
It seems logical that, with that many users doing virtually whatever they
want, each computer can and will be infected with viruses and malware.
Our "norton anti virus corporate" doesn't seem to do its job and gets a lot
of errors every now and then, a thing that supports that conclusion as well.
We just finished deploying a fresh image on all the computers in all the
labs yesterday before I went back home so at the moment everything is
working 100%.
For now it was decided by my superiors that we won't use the batch file
to clean drive D but do it manually instead.
I can't see how it'll solve the issue myself but I do know it makes our work
a lot harder.
It appears that the only solution to this problem is to go back and use the
"format drive d -> restore default/all/admin profile" batch file.
 
