Unable to delete profile folder using default Admin. account

R

Robert

I'm restoring and upgrading a friend's computer (XP Home SP3). Her teens and
their friends screwed it up by creating several bogus profiles, downloading
Trojan Horse laden ringtones, anti-virus programs and other unwanted
software, and leaving personal files and folders all over the place. I
removed several virus infections and other malware. And, I installed leading
anti-virus and anti-malware software. Then, I verified that all malicious
files and programs had indeed been completely removed by running numerous
scans untilI was confident that the system was clean.

However, one of the user accounts was locked-out due to a forgotten
password. And, the kids' IM profiles had been hacked by a former friend,
possibly compromising the mother's entire computer. Now, she's afraid he'll
try to hack it again. So, I created all new passwords and am taking further
steps to secure the system.

I created two new user accounts and their associated profiles with profile
folders. Then, I copied over select files and folders from the (2) original
profile folders using procedures outlined elsewhere on this Help site. And,
I verified that the new user accounts/profiles are functioning correctly by
logging into each one from the Windows Logon screen. They work fine.

My next step was to delete the original accounts, their profiles and their
related folders. I deleted the first account by simply clicking "Delete" in
Control Panel | User Accounts. All traces of the account's profile appear to
have been completely removed.

However, the second account's original profile folder is giving me fits! It
appeared to have been deleted like the first account when I tried using the
delete function in Control Panel | User Accounts. The account name was gone
in User Settings, in Windows Explorer and in the Registry subkey ProfileList
*. But upon reboot, this profile's folder reappears in Explorer.

Subsequent attempts to delete it from Explorer using an Admin. account have
had one of two results. Either the folder appears to be deleted and then
reappears again when I reboot. Or, Delete fails and I get an error message
stating that this is a System folder and can't be deleted. This is a curious
error message! I don't understand how it could be a System folder. The
default Windows Admin. account (listed in the Registry under ProfileList
subkey #S-1-5-21-.....-500) is still intact, assuming someone accidentally
renamed it.

I also tried logging in with the default Windows Admin. account (in Safe
Mode). The results were the same. I even tried deleting all the folder's
files and subfolders. But, the root folder keeps returning after I reboot.
There doesn't seem to be a username linked to it in Control Panel | User
Accounts either; nor in System | Advanced | User Settings, or in the
Registry under the ProfileList subkey.


Questions:
1. Since XP Home edition doesn't use the more effective MMC Snap-In, Local
Users and Groups which is available in XP Pro, do you have any suggestions
for tracing this folder's properties or links to figure out why it keeps
repairing itself?

2. A Microsoft technical expert explained to me the relationship between
Account names and Profile names. I thought I had it down pat. However, I was
unaware of the User Profile names list on the Control Panel | System |
Advanced tab until recently. Now I'm totally confused again! The user's
Account name, profile folder name and ProfileList registry entry all match.
However, the User's Profile name on the System | Advanced tab apparently
doesn't have to match the other three (e.g., some of my accounts' User
Profile names match the other (3) identifiers, and some don't. Yet, they all
work. And no, the folder I'm trying to delete isn't listed on this tab.) So,
how do User Profile names relate to these other three (Account names in
Control Panel | User Accounts, profile folders in Explorer, and the
ProfileList in the Registry)?

Thanks in advance for your assistance,
-Robert



* The path to this subkey is
HKLM/Software/Microsoft/WindowsNT/CurrentVersion/ProfileList.



P.S
This issue was previously posted in the Help and Support Newsgroup and all I
received was insults from the members. I can't do a clean reinstall as has
been suggested. This was not a retail computer. It was a custom-built unit by
a Ma & Pop computer store that has since gone out of business. And, the
computer owner never received reinstallation disks.
 
P

Pegasus [MVP]

Robert said:
I'm restoring and upgrading a friend's computer (XP Home SP3). Her teens
and
their friends screwed it up by creating several bogus profiles,
downloading
Trojan Horse laden ringtones, anti-virus programs and other unwanted
software, and leaving personal files and folders all over the place. I
removed several virus infections and other malware. And, I installed
leading
anti-virus and anti-malware software. Then, I verified that all malicious
files and programs had indeed been completely removed by running numerous
scans untilI was confident that the system was clean.

However, one of the user accounts was locked-out due to a forgotten
password. And, the kids' IM profiles had been hacked by a former friend,
possibly compromising the mother's entire computer. Now, she's afraid
he'll
try to hack it again. So, I created all new passwords and am taking
further
steps to secure the system.

I created two new user accounts and their associated profiles with profile
folders. Then, I copied over select files and folders from the (2)
original
profile folders using procedures outlined elsewhere on this Help site.
And,
I verified that the new user accounts/profiles are functioning correctly
by
logging into each one from the Windows Logon screen. They work fine.

My next step was to delete the original accounts, their profiles and their
related folders. I deleted the first account by simply clicking "Delete"
in
Control Panel | User Accounts. All traces of the account's profile appear
to
have been completely removed.

However, the second account's original profile folder is giving me fits!
It
appeared to have been deleted like the first account when I tried using
the
delete function in Control Panel | User Accounts. The account name was
gone
in User Settings, in Windows Explorer and in the Registry subkey
ProfileList
*. But upon reboot, this profile's folder reappears in Explorer.

Subsequent attempts to delete it from Explorer using an Admin. account
have
had one of two results. Either the folder appears to be deleted and then
reappears again when I reboot. Or, Delete fails and I get an error message
stating that this is a System folder and can't be deleted. This is a
curious
error message! I don't understand how it could be a System folder. The
default Windows Admin. account (listed in the Registry under ProfileList
subkey #S-1-5-21-.....-500) is still intact, assuming someone accidentally
renamed it.

I also tried logging in with the default Windows Admin. account (in Safe
Mode). The results were the same. I even tried deleting all the folder's
files and subfolders. But, the root folder keeps returning after I reboot.
There doesn't seem to be a username linked to it in Control Panel | User
Accounts either; nor in System | Advanced | User Settings, or in the
Registry under the ProfileList subkey.


Questions:
1. Since XP Home edition doesn't use the more effective MMC Snap-In, Local
Users and Groups which is available in XP Pro, do you have any suggestions
for tracing this folder's properties or links to figure out why it keeps
repairing itself?

2. A Microsoft technical expert explained to me the relationship between
Account names and Profile names. I thought I had it down pat. However, I
was
unaware of the User Profile names list on the Control Panel | System |
Advanced tab until recently. Now I'm totally confused again! The user's
Account name, profile folder name and ProfileList registry entry all
match.
However, the User's Profile name on the System | Advanced tab apparently
doesn't have to match the other three (e.g., some of my accounts' User
Profile names match the other (3) identifiers, and some don't. Yet, they
all
work. And no, the folder I'm trying to delete isn't listed on this tab.)
So,
how do User Profile names relate to these other three (Account names in
Control Panel | User Accounts, profile folders in Explorer, and the
ProfileList in the Registry)?

Thanks in advance for your assistance,
-Robert



* The path to this subkey is
HKLM/Software/Microsoft/WindowsNT/CurrentVersion/ProfileList.



P.S
This issue was previously posted in the Help and Support Newsgroup and all
I
received was insults from the members. I can't do a clean reinstall as has
been suggested. This was not a retail computer. It was a custom-built unit
by
a Ma & Pop computer store that has since gone out of business. And, the
computer owner never received reinstallation disks.

You write " I removed several virus infections and other malware. And, I
installed leading anti-virus and anti-malware software. Then, I verified
that
all malicious files and programs had indeed been completely removed by
running numerous scans untilI was confident that the system was clean."
It is a common misconception that virus damage can be "repaired" by
removing all traces of the virus. This is often not so: The virus may have
damaged numerous files and registry keys. Such damage can not be
repaired by anti-virus programs, because these programs have no way
of knowing what was there before the virus did its dirty job.

The most effective way to deal with this situation is to rebuild the
machine.
This would give you a clean machine within a very short time. Much better
than to deal with a rattail of weird and wonderful problems that you may
never fully resolve.
 
R

Robert

Thanks for your help. But for the last time friends, REBUILDING THE COMPUTER
IS NOT AN OPTION! As I keep saying (and nobody is listening) I don't have the
installation disks, especially for the Windows XP OS. And, if I if have to
buy a new copy of Vista, I might as well tell the owner the computer is toast
and spend her money on a new computer!

Seriously folks, I've fixed all the problems I was having already. All I'm
looking for is a means of deleting this one folder. There's nothing else
wrong with the computer at this point. I've fixed all the problems it had.

The only advice I'm looking for is figuring out how to identify and then
delete this one profile folder. The problem I'm having with it has probably
less to do with any previous viruses (which were all minor) than with me
trying to rebuild new accounts and copy old profiles following procedures I
read about in the Microsoft KB.

Anyone who can tell me where to find the profile folder attributes, or any
other place where references to the account name may still reside are greatly
appreciated. I only need to find out why this folder keeps restoring itself
after I delete it, almost like the User Profile and ProfileList entry not
being deleted. All other advice telling me to rebuild the machine is not
helpful!

In addition, I was hoping someone could please explain the relationship
between the account name, the user profile, the profile folder and the
ProfileList (see Question #2, above).

Don't mean to sound unappreciative or disrespectful. But I'm just not
interested in advice about rebuilding the computer.

Thanks,
-Robert
 
P

Pegasus [MVP]

*** See below.

Robert said:
Thanks for your help. But for the last time friends, REBUILDING THE
COMPUTER
IS NOT AN OPTION! As I keep saying (and nobody is listening) I don't have
the
installation disks, especially for the Windows XP OS. And, if I if have to
buy a new copy of Vista, I might as well tell the owner the computer is
toast
and spend her money on a new computer!
*** IMHO her installation is fatally flawed if she has lost her installation
*** media. Sooner or later she will need them - probably sooner
*** rather than later.
Seriously folks, I've fixed all the problems I was having already. All I'm
looking for is a means of deleting this one folder. There's nothing else
wrong with the computer at this point. I've fixed all the problems it had.
*** I think you're a little optimistic. Viruses have a nasty way of
*** hiding themselves and/or causing subtle damage.
The only advice I'm looking for is figuring out how to identify and then
delete this one profile folder. The problem I'm having with it has
probably
less to do with any previous viruses (which were all minor) than with me
trying to rebuild new accounts and copy old profiles following procedures
I
read about in the Microsoft KB.

Anyone who can tell me where to find the profile folder attributes, or any
other place where references to the account name may still reside are
greatly
appreciated. I only need to find out why this folder keeps restoring
itself
after I delete it, almost like the User Profile and ProfileList entry not
being deleted. All other advice telling me to rebuild the machine is not
helpful!

In addition, I was hoping someone could please explain the relationship
between the account name, the user profile, the profile folder and the
ProfileList (see Question #2, above).

Don't mean to sound unappreciative or disrespectful. But I'm just not
interested in advice about rebuilding the computer.

Thanks,
-Robert

OK, let's get out the sledge hammer. I will number the steps for ease of
identification.

01. Reboot in Safe Mode.
02. Log on as Administrator.
03. Start a Command Prompt.
04. (Click Start, then Run, then type the three letters cmd
05. and click the OK button.)
06. Type these commands:
07. net user xxx /del{Enter}
08. (Replace xxx with the user's logon name you wish to remove)
09. net user {Enter}
10. (Is the unwanted user still there?)
11. cd /d "%UserProfile%\.."{Enter} (yes, it is \ plus 2 dots!)
12. dir {Enter}
13. Can you see the unwanted profile folder? If yes, type these commands to
delete it:
14. cacls "xxx" /e /t /g administrator:F{Enter}
15. rd /s /q "xxx"{Enter}
16. (Replace xxx with the user's logon name you wish to remove)
17. dir {Enter}
18. Is the folder still there? Did you get any error messages for the "rd"
command?
19. Only proceed if your answer is "no" to both questions.
20. Reboot in Safe Mode.
21. Log on as Administrator.
22. Start a Command Prompt.
23. cd /d "%UserProfile%\.."{Enter}
24. dir {Enter}
25. Is the unwanted folder still there?
26. Reboot in Normal Mode.
27. Start a Command Prompt.
28. cd /d "%UserProfile%\.."{Enter}
29. dir {Enter}
30. Is the unwanted folder there again? If yes then some virus is still
present.

Warning: Be careful when substituting "xxx" with the real folder name. If
you get it wrong then you are likely to do permanent damage to this
installation. "xxx" *MUST* be the name of the profile folder you wish to
delete!
 
R

Robert

OK Pegasus, now we're getting somewhere! These procedures seem very much like
some advice I got several weeks ago when I first started working on this
computer; all though, your steps get a little more involved. Before I attempt
it, I need to know that you understood that the profile folder in question
doesn't appear to be attached to an active user account or user profile
anymore. Its the remnant of a previous account that has since been deleted,
as has its Registry entry in ProfileList. Should I still attempt the repair
procedure you suggest?

Thanks for your help,
-Robert
:)
 
P

Pegasus [MVP]

Robert said:
OK Pegasus, now we're getting somewhere! These procedures seem very much
like
some advice I got several weeks ago when I first started working on this
computer; all though, your steps get a little more involved. Before I
attempt
it, I need to know that you understood that the profile folder in question
doesn't appear to be attached to an active user account or user profile
anymore. Its the remnant of a previous account that has since been
deleted,
as has its Registry entry in ProfileList. Should I still attempt the
repair
procedure you suggest?

Thanks for your help,
-Robert
:)

The procedure I gave you will treat the specified profile folder like any
other folder: It will delete it. Full stop. Step 07 will also
unconditionally delete the account you nominate, regardless of whether it is
tied to the rogue profile folder or not.
 
R

Robert

Pegasus -

Thanks for hanging in there with me on this pesky profile folder problem. I
tried your repair procedures with mixed results (see results, below). Two
things I should clarify before I get into an explanation of what's happened
thus far.

First, the Account that this rogue profile folder belonged to has long since
been deleted. So, there's no Account to delete in Step 7. There's no User
Profile associated with it to delete, nor is there an SID linked to it in the
ProfileList of the Registry.

Secondly, I've always been able to delete the folder in Safe Mode, but not
in Normal Mode. The problem is that it keeps restoring itself as soon as I
reboot into Normal Mode.


As for the troubleshooting steps you outlined, here's what happened:

07. net user xxx /del{Enter}

"The user name could not be found."
"More help is available by typing NET HELPMSG 2221."

The rogue folder was listed (initially) when I ran the Dir command in the
Documents and Settings folder. But, there doesn't appear to be a net user by
that same user profile/folder name.

11. cd /d "%UserProfile%\.."{Enter}

I'm not sure what this step does (or did, if anything). Rather than return a
list of user names or profile names, the Dir command displayed what appeared
to be an abbreviated list of the current folder, which was Documents and
Settings. However, none of the user profiles were listed. Is there possibly a
typo in the command line you gave me?

14. cacls "xxx" /e /t /g administrator:F{Enter}
15. rd /s /q "xxx"{Enter}

The rogue folder was gone from Documents and Settings after this step! I
rebooted in Safe Mode as Administrator and it still wasn't there. I even ran
Net User again to make sure. It appeared to be gone.

I rebooted in Normal Mode and the rogue folder(s) had returned! [Note: I
also deleted a test Profile Folder using this same method. It too had no
Account or User Profile attached to it. And, it self-restored upon reboot
into Normal Mode like the rogue folder.]


Questions:

1. Where else are references to Profile Folders (or User Profiles) stored
such that they auto-restore themselves. Its almost as if there was an active
(hidden) account and the system keeps restoring the profile folder the way it
builds a profile folder on first boot or rebuilds itself if the original
Profile Folder is missing. But where would such information reside?

2. I'm the one who initially tried to delete this account. And, the rogue
folder may have resulted from my failure to completely log out of the local
Administrator account to verify that it was gone. I merely clicked Switch
User, which I later found out causes big problems. Nevertheless, when I try
to delete the rogue folder in Normal Mode from Windows Explorer , I get an
error message that "<foldername> is a Windows system folder and is required
for Windows to run properly. It cannot be deleted." Yet, I don't get that
error in Safe Mode. I can even delete the folder in Safe Mode (all though it
reappears the next time I reboot). Is it possible someone could have
mistakenly renamed an actual Windows System Folder, and that the Windows
error message is correct? How would I know which folder it might be. And, is
there a way to determine a folder's lineage since the time it was created?

3. What else would cause a Profile Folder to auto-restore?

4. How and where do the three references to a user's Account link together
(i.e., the user's Account as listed in "Control Panel | User Accounts", the
User Profile as listed in "Control Panel | System | Advanced tab | User
Profiles", and the Profile Folder name as listed in the Registry under the
ProfileList subkey)?

5. Just so I know what it is I've been doing, would you please tell me what
the following command instructions are, including their switches?

11. cd /d "%UserProfile%\.."{Enter}
14. cacls "xxx" /e /t /g administrator:F{Enter}
15. rd /s /q "xxx"{Enter}


Thanks for sticking with me on this. I know you (and half of the Microsoft
Newsgroup community) would have preferred I simply wipe the drive clean and
start over. But, since we've already discussed all the reasons why I can't do
that, I appreciate your patience and advice in helping me resolve this
problem!

-Robert
 
P

Pegasus [MVP]

Robert said:
Pegasus -
11. cd /d "%UserProfile%\.."{Enter}
I'm not sure what this step does (or did, if anything).
*** This step will place you into the parent folder of all profile
*** folders, regardless of where this parent folder might be.
*** If your machine uses the default configuration then the
*** command is equivalent to
*** cd /d "c:\Documents and Settings"
Rather than return a list of user
names or profile names, the Dir command displayed what appeared
to be an abbreviated list of the current folder, which was Documents
and Settings. However, none of the user profiles were listed. Is there
possibly a typo in the command line you gave me?

14. cacls "xxx" /e /t /g administrator:F{Enter}
15. rd /s /q "xxx"{Enter}

The rogue folder was gone from Documents and Settings after this step! I
rebooted in Safe Mode as Administrator and it still wasn't there. I even
ran
Net User again to make sure. It appeared to be gone.
*** There is no point in running "net user" repeatedly. If the account
*** is gone then it's gone. You should concentrate on the rogue folder
*** issue.
I rebooted in Normal Mode and the rogue folder(s) had returned! [Note: I
also deleted a test Profile Folder using this same method. It too had no
Account or User Profile attached to it. And, it self-restored upon reboot
into Normal Mode like the rogue folder.]


Questions:

1. Where else are references to Profile Folders (or User Profiles) stored
such that they auto-restore themselves. Its almost as if there was an
active
(hidden) account and the system keeps restoring the profile folder the way
it
builds a profile folder on first boot or rebuilds itself if the original
Profile Folder is missing. But where would such information reside?
*** It could be as simple as one of your Startup tasks. You can see
*** them with msconfig.exe under the Startup tab. It could also be
*** the result of a scheduled task. You can see them under the Task
*** Scheduler in the Control Panel. What is the contents of this rogue
*** folder, anyway? Any hidden files in it?
2. I'm the one who initially tried to delete this account. And, the rogue
folder may have resulted from my failure to completely log out of the
local
Administrator account to verify that it was gone. I merely clicked Switch
User, which I later found out causes big problems. Nevertheless, when I
try
to delete the rogue folder in Normal Mode from Windows Explorer , I get an
error message that "<foldername> is a Windows system folder and is
required
for Windows to run properly. It cannot be deleted." Yet, I don't get that
error in Safe Mode. I can even delete the folder in Safe Mode (all though
it
reappears the next time I reboot). Is it possible someone could have
mistakenly renamed an actual Windows System Folder, and that the Windows
error message is correct? How would I know which folder it might be. And,
is
there a way to determine a folder's lineage since the time it was created?

3. What else would cause a Profile Folder to auto-restore?
*** See above.
4. How and where do the three references to a user's Account link
together (i.e., the user's Account as listed in "Control Panel | User
Accounts", the User Profile as listed in "Control Panel | System |
Advanced tab | User Profiles", and the Profile Folder name as listed
in the Registry under the ProfileList subkey)?
*** Entries in "User Accounts" reflect the accounts that exist on this
*** machine. They are stored in the SAM accounts data base.
***
*** Folders under "Documents and Settings" are profile folders.
*** They get created at the first logon. This is why you can have
*** user accounts without a profile folder. When you use the command
*** "net user xxx /del" then you remove an account from the SAM
*** data base but you leave the profile folder intact.
***
*** Entries under the Advanced Tab reflect a compilation of a
*** number of registry entries and the profile folder. When you
*** delete one of these entries then you delete the profile folder
*** but not the associated account.
5. Just so I know what it is I've been doing, would you please tell
me what the following command instructions are, including their
switches?

11. cd /d "%UserProfile%\.."{Enter} *** See above.
14. cacls "xxx" /e /t /g administrator:F{Enter}
*** This command gives full read/write control to the administrator
*** for the folder "xxx" and all its subfolders.
15. rd /s /q "xxx"{Enter}
*** This command removes the folder "xxx" and all its subfolders.
Thanks for sticking with me on this. I know you (and half of the Microsoft
Newsgroup community) would have preferred I simply wipe the drive
clean and start over. But, since we've already discussed all the reasons
why I can't do that, I appreciate your patience and advice in helping me
resolve this problem!

-Robert

*** If none of the abov methods prevent the unwanted profile folder
*** from reappearing then you can probably block it by typing these
*** commands from a Command Prompt while in Safe Mode:
*** rd /s /q "c:\Documents and Settings\xxx"
*** echo Gotcha! > "c:\Documents and Settings\xxx"
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top