HUGE ntuser.dat (140MB) - what to do?

M. Straver

Hi everyone,

I've been running into bootup time problems and I've gone in and checked
what the problem might be. To my amazement, my user's registry hive
ntuser.dat is a whopping 140MB !!

I've already gone in and fixed any errors there might have been and
compressed/defragged (tried 2 different tools for that) but the size
remains about the same. I have no idea where this bloat comes from but
it causes a serious logon delay (I'm not talking just a few seconds
here) which is really inconvenient.

Does anyone know how to track what takes so much space in the registry
file? I've tried exporting the HKEY_CURRENT_USER branch but it creates a
much smaller file so whatever it is isn't in the normally exported keys...

Unfortunately, the tools ERUNT and NTREGOPT don't seem to work either,
they give errors on trying to access the hives.

Any suggestions/help appreciated! Thanks

Mark.
 
Have you tried deleting the NTuser.dat file, logging off
and back on to see if it comes back the same size?
 
OK,

Even if I didn't get ANY feedback from this newsgroup I'm posting what I
found out anyway, just so it will benefit others in the community.

It seems that at that size for a user registry (I still don't know what
bloated it that much, but have some suspicion now), Windows itself runs
out of resources to handle it. Things like saving branches into hive
files, even just loading the hive from a backup file, results in errors
(by Windows itself). This is most likely the cause for the
defragging/shrinking tools to fail as well since they use the basic
registry read/write interface normally.

I worked together with the author of NTREGOPT and ERUNT to try and find
a solution (thanks a lot Lars!), and after some pointers I managed to
fix it the following way:

1) I logged on with my regular user (A), opened regedit, and exported the
whole HKEY_CURRENT_USER branch to a .reg text file
2) I logged on next with a different account with admin privileges, and
created a new account (B) with the same rights as my (A) account
3) I logged in once with the (B) account to initialise all the
directories and settings to default values.
4) I opened up the .reg file I created in a text editor (capable of
handling huge files) and did a search and replace for all the paths that
contained c:\\documents and settings\\(A)\\ to change it to (B) --
repeated this replace with the canonical short names
c:\\docume~1\\(A)~1\\ for the entries that use 8.3 path names in there.
5) I copied over all the directories from c:\documents and settings\(A)\
to c:\documents and settings\(B)\ -- but NOT any of the registry files
of course (no ntuser.dat .ini .pol .log etc), to retain my stored
application data for programs that need it.
6) Still in the (B) account, I opened up regedit and imported the .reg
file. Some keys were in use, but that was fine, it imported the rest anyway.
7) Logged off, and logged back on with (B). Ta da, all my settings were
there again, including start menu, program registrations, etc.
8) What was left was deleting the old user and user directory to clean up.

** I had to recreate a few profiles for some programs (among others my
browser) but could edit/copy the files from the old profiles over to get
the settings back.

Result: ntuser.dat back to 2.6MB, and my account looks and feels and
works exactly the same as the old one.

In the process of messing with the huge file trying to load/save/unload
the hive which failed, I found 2 keys it would refuse to delete, so I'm
suspicious about those two being the culprit for the bloat. This is only
a suspicion, I have no way to verify it since I don't have a tool to
analyse the .dat file that I saved a copy of.

The keys were:

Software\Microsoft\Protected storage system provider
Software\Microsoft\Systemcertificates\TrustedPublisher

Even with protected storage service turned off and all registry
permissions forcefully set, it refused to delete these keys or unload
the hive.
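
Step 4 of the procedure above (rewriting the profile paths in the exported .reg file), as an added example that is not part of the original thread. It goes slightly beyond the manual search and replace: it also lists `hex(2)`/`hex(7)` values (REG_EXPAND_SZ and REG_MULTI_SZ, exported as UTF-16LE hex bytes), where a text replace cannot see the old path. The function names and the account names "alice" and "bob" are assumptions made for the example.

```python
import re

def reg_escape(path):
    # String values in a .reg file store every backslash doubled.
    return path.rstrip("\\").replace("\\", "\\\\")

def rewrite_paths(text, pairs):
    """pairs: [(old_dir, new_dir), ...]; returns (new_text, replacement count)."""
    total = 0
    for old, new in pairs:
        # The lookahead keeps "...\alice" from also matching "...\alice2".
        pat = re.compile(re.escape(reg_escape(old)) + r'(?=\\\\|"|;)', re.I)
        repl = reg_escape(new)
        text, n = pat.subn(lambda m: repl, text)
        total += n
    return text, total

HEX_VALUE = re.compile(
    r'^("(?:[^"\\]|\\.)*"|@)=hex\([27]\):((?:[0-9a-fA-F]{2}|[,\\\s])*)', re.M)

def hex_values_with_path(text, old_dir):
    """Names of hex(2)/hex(7) values whose UTF-16LE data still holds old_dir."""
    hits = []
    for name, data in HEX_VALUE.findall(text):
        raw = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", data))
        if old_dir.lower() in raw.decode("utf-16-le", "replace").lower():
            hits.append(name)
    return hits

def rewrite_file(src, dst, pairs):
    # regedit "Version 5.00" exports are UTF-16 with a BOM; newline="" keeps CRLF.
    with open(src, encoding="utf-16", newline="") as f:
        text, count = rewrite_paths(f.read(), pairs)
    with open(dst, "w", encoding="utf-16", newline="") as f:
        f.write(text)
    return count, [h for old, _ in pairs for h in hex_values_with_path(text, old)]

# Constructed sample export; the account names "alice" and "bob" are made up.
TMP_HEX = ",".join(f"{b:02x}" for b in
                   "C:\\Documents and Settings\\alice\\Temp\0".encode("utf-16-le"))
SAMPLE = (
    '[HKEY_CURRENT_USER\\Software\\Example]\r\n'
    '"Dir"="C:\\\\Documents and Settings\\\\alice\\\\My Documents"\r\n'
    '"Short"="C:\\\\DOCUME~1\\\\alice\\\\LOCALS~1\\\\Temp"\r\n'
    '"Other"="C:\\\\Documents and Settings\\\\alice2\\\\Desktop"\r\n'
    '"Tmp"=hex(2):' + TMP_HEX + '\r\n'
)
PAIRS = [("C:\\Documents and Settings\\alice", "C:\\Documents and Settings\\bob"),
         ("C:\\DOCUME~1\\alice", "C:\\DOCUME~1\\bob")]
```

Any value names returned by `hex_values_with_path` still point at the old profile after the text replace and have to be corrected separately, for example in regedit after the import.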
 
Hi Alan,

Deleting this file would mean losing all settings for all programs...
that is not what I wanted to do ;-P (you have no idea how many different
programs I have, re-installing/re-registering to make up for the missing
keys would be a mammoth task)

Thanks anyway for your input.
 
Thank you, MC, for posting back.
I love learning something new every day!
and it is nice to learn about these steps as a 'way out'.

george
 
I've never used this tool and have only glanced at its description. I
grabbed the link as it looked like it might be useful at some point in
time. You might want to take a look at it.

Profile Hive cleaner from MS:
http://www.microsoft.com/downloads/details.aspx?familyid=31634d79-34ad-494d-8108-80085ace23be&displaylang=en
 