Looks like you are right. I have Terminal Services running (it is an
XP machine), although Fast User Switching is not running. But I
restarted the computer, and the administrator can no longer see the
limited user under HKU.
Terminal Services is really what makes Fast User Switching possible, it
provides the multi-session environment that makes FUS possible, without
Terminal Services there is no Fast User Switching. The Fast User
Switching Compatibility service is not responsible for FUS, although,
because of its namesake, it would be easy to understand why folks would
think that this service would be responsible for FUS. In fact you can
disable the Fast User Switching Compatibility service and you will still
be able to do Fast User Switching. All that the Fast User Switching
Compatibility service does is provide assistance to programs that cannot
run in a multiple user environment, granted if you do FUS it is
important that your programs keep running when you change sessions but
the service is not strictly required to do Fast User Switching, it
doesn't provide the multi-session environment required for FUS.
But is the behavior different under Vista? Last night I checked a
Vista Home Premium computer - I turned it on and logged in as the
administrator, and I could see both of the limited users under HKU.
Perhaps that is because the Fast User Switching service was running?
For more in depth information you should ask this in a Vista help group,
but the basics are still the same for Vista, Terminal Services is
responsible for multi-session environments.
Now this makes me wonder if running virus/spyware scans only under
Administrator is enough. Sometimes viruses/spyware will modify
registry keys under HKCU, and if a limited user gets a virus/spyware,
the scan under Administrator wouldn't detect those changes. I guess
it's not a big deal, because if a limited user gets a virus, it
wouldn't affect the system, and the scan should still detect any files
that were downloaded.
The AV experts could comment on that but one may assume that the better
AV programs would have a method of scanning all the ntuser.dat files,
but even if they don't it usually doesn't stop a user from logging on
when orphaned entries are left behind after virus removal, most of the
time the user will get a message saying that a certain file could not be
found and the computer will boot without problems. Also, most virus
writers target the system and will have their virus put their entries in
the HKLM branch as opposed to the HKCU branch, the ntuser.dat files
mostly only contains user preferences, there isn't much there of
interest to malicious virus writers.
John