
I am hoping to start a discussion about the ntuser.dat file in XP. This would be located in the C:\Documents and Settings\username directory. It's a file that is supposed to maintain the registry settings. However it can grow to tremendous sizes. It continues to grow even if you do not change the registry. Being the curious type, I had to find out what is in this file. I tried opening it using FileAlyzer (from the makers of Spybot) but it would not open as it was being used by another process.

What I had to do was create a new user account for myself with admin privileges. At this point I noticed the ntuser.dat file in the new account is only a few hundred kilobytes in size. Then I began the process of deleting my original user account. During the user account deletion process, you are prompted whether to delete all of the user's files or to save them. I chose to save them. The user account was gone, but the subdirectory was still present in the C:\Documents and Settings folder. Directories such as Application Data, Cookies, User Data, WINDOWS, etc. were still there. But more importantly, the ntuser.dat file was still present. It had grown to over 5MB. I tried opening the file with FileAlyzer but it wouldn't open. Even though the user account was gone, the file was still locked by another process!!

To take care of this I had to restart my computer and enter "Safe Mode with Command Prompt" in the Administrator account. Using DOS commands I was able to unhide ntuser.dat and then rename it ntuser.txt. After restarting the computer I was able to open the file with FileAlyzer.

I found listings for such things as keys pressed, windows opened, window sizes, resizing of windows, scrolling positions, addresses, files opened, files saved, registry changes made, programs opened, links, etc. I am not sure if all keys pressed are retained in the file (such as typing an email or a notepad document). In FileAlyzer, strings are in a left frame and are very brief. Double-clicking on a string takes you to its location in the right frame, which shows both the hex dump and text. However, a good portion of the text was coded as if you opened an executable in Notepad. But program names and file names were easily read. I have read elsewhere that this file also stores such information as passwords, form data, etc. In essence, the file contains a complete account of what I had done on the computer since I started using Windows XP.

I'm just wondering how others feel about this type of recordkeeping being done by Microsoft without the knowledge of the user, and if anyone has any other information about how this file is used by the operating system.

2007-09-26 21:22:49 · 2 answers · asked by Anonymous in Computers & Internet Software

As probably with most XP Pro users, I have a main 'Administrator' account, and a second user account called 'Mikey' that also has administrative privileges. As stated in my original thread post, I deleted my old user account and started the new one 'Mikey'. This occurred on May 20. Since then my ntuser.dat file for Mikey has grown in size from a few hundred kilobytes (I forgot to write down the original size) to currently 2.56MB. This is significant as the ntuser.dat file for 'Administrator' is currently only 512kB. Since reinstalling XP Pro late last year, I have only accessed this account twice. The first time is noted in my first post and then just tonight. I have installed additional programs in the Mikey account since then but to such a degree that would not make the ntuser.dat file increase so much.

On a side note, I followed the well-written instructions at http://www.petri.co.il/edit_registry...han_myself.htm. Previously when I would edit my registry I did it right from the

2007-09-26 23:13:35 · update #1

Mikey account. It seems that is why I couldn't directly access my ntuser.dat file. This time, following those directions, I rebooted in windows safe mode in my Administrator account. Using Windows Explorer I simply right-clicked on ntuser.dat, clicked copy, and then pasted it in the My Documents folder. I was then able to open it with FileAlyzer. A much simpler process than creating a whole new account.

As before, I found logging of recent activities. About a day ago I created a folder. It was represented in the left string window of FileAlyzer by a five-digit number which when double-clicked brought me to the folder name in the right window. Also referenced were the opening and conversion-to-pdf of a cover letter and resume I worked on about three days ago. I even found a listing for the registry-editing link you provided as I saved the whole page to disk!!!

One entry mentions a 'Microsoft Remote Assistance Incident' and refers to the RCBdyctl.dll file in the System32 directory.

2007-09-26 23:17:44 · update #2
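
NTUSER.DAT is the registry hive file that Windows loads as HKEY_CURRENT_USER, and every key in it carries a last-write timestamp. As an added example (not part of the original posts), the Python below reads an offline copy of a hive, checks its `regf` header, and lists each key cell with that timestamp. The function names are hypothetical, the one-key sample hive is constructed for illustration, and the code scans cells linearly rather than walking the key tree.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME zero point

def filetime(ticks):
    """Convert 100 ns ticks since 1601 (Windows FILETIME) to a UTC datetime."""
    return EPOCH + timedelta(microseconds=ticks // 10)

def read_header(hive):
    """Parse the 'regf' base block that opens every registry hive file."""
    if hive[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive")
    seq1, seq2, written = struct.unpack_from("<IIQ", hive, 4)
    bins_size = struct.unpack_from("<I", hive, 40)[0]
    # Unequal sequence numbers mean the copy was taken while a write was pending.
    return {"clean": seq1 == seq2, "last_written": filetime(written),
            "bins_size": bins_size}

def iter_keys(hive):
    """Yield (key name, last-write time) for every allocated 'nk' (key) cell."""
    pos, end = 4096, 4096 + read_header(hive)["bins_size"]
    while pos < end and hive[pos:pos + 4] == b"hbin":
        bin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        cell = pos + 32                      # cells follow the 32-byte bin header
        while bin_size and cell < pos + bin_size:
            size = struct.unpack_from("<i", hive, cell)[0]
            if size == 0:
                break                        # damaged cell: give up on this bin
            if size < 0 and hive[cell + 4:cell + 6] == b"nk":  # negative = in use
                flags, written = struct.unpack_from("<HQ", hive, cell + 6)
                length = struct.unpack_from("<H", hive, cell + 76)[0]
                raw = hive[cell + 80:cell + 80 + length]
                # Flag 0x20 marks a compressed (single-byte) key name.
                yield raw.decode("latin-1" if flags & 0x20 else "utf-16-le"), filetime(written)
            cell += abs(size)
        pos += max(bin_size, 4096)

def build_sample_hive(name=b"RecentDocs", when=datetime(2007, 9, 26, tzinfo=timezone.utc)):
    """Constructed one-key hive (not real data) so the parser runs without a file."""
    ticks = ((when - EPOCH) // timedelta(microseconds=1)) * 10
    nk = struct.pack("<2sHQ", b"nk", 0x20, ticks).ljust(72, b"\0")
    nk += struct.pack("<HH", len(name), 0) + name
    used = (struct.pack("<i", -96) + nk).ljust(96, b"\0")
    hbin = (b"hbin" + struct.pack("<II", 0, 4096)).ljust(32, b"\0") + used + struct.pack("<i", 3968)
    base = (b"regf" + struct.pack("<IIQ", 7, 7, ticks)).ljust(40, b"\0") + struct.pack("<I", 4096)
    return base.ljust(4096, b"\0") + hbin.ljust(4096, b"\0")

if __name__ == "__main__":
    for name, written in iter_keys(build_sample_hive()):
        print(written.isoformat(), name)
```

To inspect a real hive, pass `iter_keys` the bytes of a copy taken while the account is not logged on, as described in the updates above.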

2 answers

Wow. I don't know much about the registry, but that was some good research. I'd like to hear what M$ has to say about that.

Edit to answerer #2...
a) paranoia is a moot point if your comp is keylogging every stroke since day 1.
b) it doesn't look like a standard cleaner like CCleaner, Gould or ATF Cleaner cleans ntuser.dat (But as I said I don't know a lot about the registry, so I could be wrong there.)
c) any mention of a firewall is irrelevant to this question. The point being that MS is making the user vulnerable by storing this info without our knowledge to begin with. If it wasn't there (or if we could get rid of it) we wouldn't need to worry about it getting out.

Edits 2 and 3 regarding fraudulent poster have been removed.

2007-09-26 21:37:25 · answer #1 · answered by heebus_jeebus 7 · 0 0

you can buy programs that erase your history

and besides do you think your life is so important that microsoft has a file or you? [or anyone else for that matter]

or if you're that paranoid just get a firewall [which monitors what programs send info online]

2007-09-26 21:38:01 · answer #2 · answered by Anonymous · 0 1
