S-1-5-20 Key missing from registry?

  • Question

  • I have a client with Vista Home Premium, failing WGA testing at least in part because the entire HKU\S-1-5-20 Key is missing from the registry.

    Trying to replicate this in a VM, I am unable to delete the Key - although I am able to clear all content from the Key.

    In the Client's computer, a REG QUERY HKU returns only

    HKEY_USERS\.DEFAULT
    HKEY_USERS\S-1-5-19
    HKEY_USERS\S-1-5-21-vvvvvvvvvvvvvvvvvvvvvvvvvv-1000
    HKEY_USERS\S-1-5-21-vvvvvvvvvvvvvvvvvvvvvvvvvv-1000_Classes
    HKEY_USERS\S-1-5-18

    REG ADD HKU\S-1-5-20 returns

    ERROR: The parameter is incorrect

    The permissions on HKU appear correct -

    everyone- read

    restricted- read

    System- full control, read

    administrators- full control, read

    Anyone have any idea how to fix this, apart from a reinstall?


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Monday, February 27, 2012 9:37 PM

Answers

  •  
     
     
     
    For reference, the original thread referred to is Error 0x80070426
    The eventual solution was summarised in Error 0x80070426 summary post
     
    1) Run CHKDSK /R to fix any filesystem problems
    2) Delete the NTUSER.DAT file from the Network Service profile
    3) Copy the Default user’s NTUSER.DAT file across to the NetworkService profile, and amend the permissions to allow Network Service to have Full Control.
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    • Marked as answer by Sabrina Shen Monday, March 5, 2012 2:22 AM
    Sunday, March 4, 2012 12:09 PM

All replies

  • My understanding is these keys under user are registry hives. So the
    contents of this key are in
     
    "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT"
    (maybe send the 57yo grandmother yours - see I was following the original
    thread)
     
    Which presumably is controlled by this [missing] registry key
     
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
     
    Good work just finding the problem.
     
    And don't forget to run MGADiag.
    --
    ..
    --
    "Noel D Paton" wrote in message news:defce3ab-c0da-4026-995c-a0f28f079fb1...
    >
    > I have a client with Vista Home Premium, failing WGA testing at least in
    > part because the entire
    >
    > HKU\S-1-5-20 Key is missing from the registry.
    >
    >
    > Trying to replicate this in a VM, I am unable to delete the Key - although
    > I am able to clear all content from the Key.
    >
    >
    > In the Client's computer, a REG QUERY HKU returns only
    >
    > HKEY_USERS\.DEFAULT
    > HKEY_USERS\S-1-5-19
    > HKEY_USERS\S-1-5-21-vvvvvvvvvvvvvvvvvvvvvvvvvv-1000
    > HKEY_USERS\S-1-5-21-vvvvvvvvvvvvvvvvvvvvvvvvvv-1000_Classes
    > HKEY_USERS\S-1-5-18
    >
    > REG ADD HKU\S-1-5-20 returns
    >
    > ERROR: The parameter is incorrect
    >
    > The permissions on HKU appear correct -
    >
    > everyone- read
    >
    > restricted- read
    >
    > System- full control, read
    >
    > administrators- full control, read
    >
    >
    > Anyone have any idea how to fix this, apart from a reinstall?
    >
    >
    >
    >
    >
    > --------------------------------------------------------------------------------
    >
    > Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed
    > Sloth
    >
     
     
    Tuesday, February 28, 2012 12:10 PM
  • "DavidMCandy" wrote in message news:3495d583-38da-4642-86a3-dcfd1fd0feaf...
    My understanding is these keys under user are registry hives. So the
    contents of this key are in
     
    "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT"
    (maybe send the 57yo grandmother yours - see I was following the original
    thread)
     
    Which presumably is controlled by this [missing] registry key
     
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
     
    Good work just finding the problem.
     
     
     
    Thanks for a *useful* reply, David (which I’ve come to expect from you <g>)
    I thought I’d asked her to check the folder/file was present and accessible – but maybe not.
    The ProfileList Key is present??

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath REG_EXPAND_SZ %SystemRoot%\ServiceProfiles\NetworkService
    Flags REG_DWORD 0x0
    State REG_DWORD 0x04

    ---------------------------

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Users
    Default REG_EXPAND_SZ %SystemDrive%\Users\Default
    Public REG_EXPAND_SZ %SystemDrive%\Users\Public
    ProgramData REG_EXPAND_SZ %SystemDrive%\ProgramData


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Tuesday, February 28, 2012 1:55 PM
  • Also check
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
     
    --
    ..
    --
    "Noel D Paton" wrote in message news:772d7e6d-d26c-403f-9961-b026accf3afc...
    > "DavidMCandy" wrote in message
    > news:3495d583-38da-4642-86a3-dcfd1fd0feaf...
    > My understanding is these keys under user are registry hives. So the
    > contents of this key are in
    >
    > "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT"
    > (maybe send the 57yo grandmother yours - see I was following the original
    > thread)
    >
    > Which presumably is controlled by this [missing] registry key
    >
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    >
    > Good work just finding the problem.
    >
    >
    >
    > Thanks for a *useful* reply, David (which I’ve come to expect from you
    > <g>)
    > I thought I’d asked her to check the folder/file was present and
    > accessible – but maybe not.
    > The ProfileList Key is present??
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    > ProfileImagePath REG_EXPAND_SZ %SystemRoot%\ServiceProfiles\NetworkService
    > Flags REG_DWORD 0x0
    > State REG_DWORD 0x04
    >
    > ---------------------------
    >
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    > ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Users
    > Default REG_EXPAND_SZ %SystemDrive%\Users\Default
    > Public REG_EXPAND_SZ %SystemDrive%\Users\Public
    > ProgramData REG_EXPAND_SZ %SystemDrive%\ProgramData
    >
    >
    > --------------------------------------------------------------------------------
    > Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed
    > Sloth
     
     
    Tuesday, February 28, 2012 2:03 PM
  • "DavidMCandy" wrote in message news:8bc241b0-0092-46b9-99c6-0c9ad81a86d1...
    Also check
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
     
     
     
     
    Oooh – I never realised that Key existed (I think!)
    My VM shows..... (amongst other things - using REG QUERY)
     
        \REGISTRY\USER\S-1-5-20    REG_SZ    \Device\HarddiskVolume\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
     
     
    That looks as if it’s identical to the previous Keys found?
    (am I  missing something here?)
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Tuesday, February 28, 2012 7:13 PM
  •  

    Hi,

    Before moving on, I would like to confirm the detailed error which you encountered for the original WGA issue.

    Regarding the missing registry key HKEY_USERS\S-1-5-20, what about exporting the registry key below from a working machine and merging it into the affected machine?

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20

    Regards,

    Sabrina

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Sabrina

    TechNet Community Support

    Wednesday, February 29, 2012 6:01 AM
  • The HKEY_USERS\S-1-5-20 is a registry hive. Can you find out what is the
    setting that controls the loading of hives. The ProfileList key includes
    profiles that aren't loaded.
     
    PS Can you find out what are the values for the flags value eg
    ....\ProfileList\S-1-5-20\Flags
     
    --
    ..
    --
    "Sabrina Shen" wrote in message news:284cb912-9e60-43f6-8185-44963e661014...
    >
    > Hi,
    >
    >
    > Before moving on, I would like to confirm the detailed error which you
    > encountered for the original WGA issue.
    >
    >
    > Regarding the missing registry key HKEY_USERS\S-1-5-20, what about
    > exporting the registry key below from a working machine and merging it
    > into the affected machine?
    >
    >
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    >
    >
    > Regards,
    >
    >
    > Sabrina
    >
    >
    > TechNet Subscriber Support
    >
    > If you are TechNet Subscription user and have any feedback on our support
    > quality, please send your feedback here.
    >
    >
    > --------------------------------------------------------------------------------
    >
    >
    > Sabrina
    >
    > TechNet Community Support
    >
    >
    >
    >
     
     
    Wednesday, February 29, 2012 6:19 AM
  • Sabrina

    1) the ProfileList entry is not missing - it's present and apparently correct. 

    2) the HKU\S-1-5-20 key *is* missing, and I can find no way to recreate it - either by a REG ADD command, or a .REG file. I cannot repro the problem myself, as I am unable to actually remove the SID from the registry in my VM (or on bare metal!)

    Thanks for trying, though! - any more ideas gratefully received.

    David.

    Info requested - I tried removing the S-1-5-20 entry from the Hivelist in my VM, but it regenerated on reboot?  (and I still couldn't get rid of the HKU entry)


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Wednesday, February 29, 2012 7:16 AM
  • Is the hive corrupt. Try loading it
     
    reg load HKU\Test "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT"
     
    And see if there is an error and can the subkeys be then read in Regedit,
    and test the security of a random key.
     
    I wonder if activation might work if you manually load the hive using
     
    reg load HKU\S-1-5-20 "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT"
     
    --
    ..
    --
    "Noel D Paton" wrote in message news:ee441f58-81e3-468b-b18e-931da31b2946...
    > Sabrina
    >
    > 1) the ProfileList entry is not missing - it's present and apparently
    > correct.
    >
    > 2) the HKU\S-1-5-20 key *is* missing, and I can find no way to recreate
    > it - either by a REG ADD command, or a .REG file. I cannot repro the
    > problem myself, as I am unable to actually remove the SID from the
    > registry in my VM (or on bare metal!)
    >
    >
    > Thanks for trying, though! - any more ideas gratefully received.
    >
    >
    > David.
    >
    > Info requested - I tried removing the S-1-5-20 entry from the Hivelist in
    > my VM, but it regenerated on reboot? (and I still couldn't get rid of the
    > HKU entry)
    >
    >
    >
    > --------------------------------------------------------------------------------
    >
    > Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed
    > Sloth
    >
     
     
    Wednesday, February 29, 2012 9:32 AM
  • I noticed Laura doesn't have an entry under HiveList. This could be a
    symptom rather than a cause.
     
    --
    ..
    --
    "Noel D Paton" wrote in message news:ee441f58-81e3-468b-b18e-931da31b2946...
    > Sabrina
    >
    > 1) the ProfileList entry is not missing - it's present and apparently
    > correct.
    >
    > 2) the HKU\S-1-5-20 key *is* missing, and I can find no way to recreate
    > it - either by a REG ADD command, or a .REG file. I cannot repro the
    > problem myself, as I am unable to actually remove the SID from the
    > registry in my VM (or on bare metal!)
    >
    >
    > Thanks for trying, though! - any more ideas gratefully received.
    >
    >
    > David.
    >
    > Info requested - I tried removing the S-1-5-20 entry from the Hivelist in
    > my VM, but it regenerated on reboot? (and I still couldn't get rid of the
    > HKU entry)
    >
    >
    >
    > --------------------------------------------------------------------------------
    >
    > Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed
    > Sloth
    >
     
     
    Wednesday, February 29, 2012 9:45 AM
  • "DavidMCandy" wrote in message news:00dcf40c-5da1-4807-8bf3-d9ef973518cc...
    Is the hive corrupt. Try loading it
    reg load HKU\Test "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT"
    And see if there is an error and can the subkeys be then read in Regedit,
    and test the security of a random key.
    I wonder if activation might work if you manually load the hive using
    reg load HKU\S-1-5-20 "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT"

    I’m busy trying to work out how best to corrupt my VM’s NTUSER.DAT file and see what happens :)

    I don’t think the client is up to this sort of thing, although I could possibly ask her to upload the file (it may not be locked?)

    Just got the results of the hivelist.

    C:\Windows\system32>REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
    \REGISTRY\MACHINE\HARDWARE REG_SZ
    \REGISTRY\MACHINE\SECURITY REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SECURITY
    \REGISTRY\MACHINE\SOFTWARE REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE
    \REGISTRY\MACHINE\SYSTEM REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SYSTEM
    \REGISTRY\USER\.DEFAULT REG_SZ \Device\HarddiskVolume1\Windows\System32\config\DEFAULT
    \REGISTRY\MACHINE\SAM REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SAM
    \REGISTRY\MACHINE\COMPONENTS REG_SZ \Device\HarddiskVolume1\Windows\System32\config\COMPONENTS
    \REGISTRY\USER\S-1-5-19 REG_SZ \Device\HarddiskVolume1\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    \Registry\User\S-1-5-21-1938820810-1180724512-1959737532-1000 REG_SZ \Device\HarddiskVolume1\Users\Laura\ntuser.dat
    \Registry\User\S-1-5-21-1938820810-1180724512-1959737532-1000_Classes REG_SZ \Device\HarddiskVolume1\Users\Laura\AppData\Local\Microsoft\Windows\UsrClass.dat


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    • Edited by Noel D Paton Wednesday, February 29, 2012 12:27 PM clarity
    Wednesday, February 29, 2012 9:47 AM
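
Added example, not part of the original thread: when a client can only paste `REG QUERY` output back to you, the hivelist check discussed above can be run over the pasted text. The function names and the `SERVICE_HIVES` table are assumptions made for this sketch, and it assumes one value per line (unwrap mail-wrapped lines first).

```python
import re

# Service-account hives discussed in the thread and the file each one is
# loaded from (paths as quoted in the posts; the table itself is hypothetical).
SERVICE_HIVES = {
    "S-1-5-19": r"Windows\ServiceProfiles\LocalService\NTUSER.DAT",
    "S-1-5-20": r"Windows\ServiceProfiles\NetworkService\NTUSER.DAT",
}

# One value line of `REG QUERY ...\hivelist`: name, type, optional data.
# Columns are split on whitespace runs, so the console layout and a copy
# flattened by a forum or mail client parse the same way.
_VALUE = re.compile(r"^\s*(\\REGISTRY\\\S+)\s+(REG_[A-Z_]+)\s*(.*?)\s*$",
                    re.IGNORECASE)
# NT device prefix in front of the on-disk path; the volume number may be
# absent in a pasted copy.
_DEVICE = re.compile(r"^\\Device\\HarddiskVolume\d*\\", re.IGNORECASE)

# Hivelist output from the client's machine, copied from the post above.
CLIENT_HIVELIST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
\REGISTRY\MACHINE\HARDWARE REG_SZ
\REGISTRY\MACHINE\SECURITY REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SECURITY
\REGISTRY\MACHINE\SOFTWARE REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE
\REGISTRY\MACHINE\SYSTEM REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SYSTEM
\REGISTRY\USER\.DEFAULT REG_SZ \Device\HarddiskVolume1\Windows\System32\config\DEFAULT
\REGISTRY\MACHINE\SAM REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SAM
\REGISTRY\MACHINE\COMPONENTS REG_SZ \Device\HarddiskVolume1\Windows\System32\config\COMPONENTS
\REGISTRY\USER\S-1-5-19 REG_SZ \Device\HarddiskVolume1\Windows\ServiceProfiles\LocalService\NTUSER.DAT
\Registry\User\S-1-5-21-1938820810-1180724512-1959737532-1000 REG_SZ \Device\HarddiskVolume1\Users\Laura\ntuser.dat
\Registry\User\S-1-5-21-1938820810-1180724512-1959737532-1000_Classes REG_SZ \Device\HarddiskVolume1\Users\Laura\AppData\Local\Microsoft\Windows\UsrClass.dat
"""

# Constructed sample of a healthy machine: the client output plus the
# S-1-5-20 line as it appeared in the working VM earlier in the thread.
HEALTHY_HIVELIST = CLIENT_HIVELIST + (
    "\\REGISTRY\\USER\\S-1-5-20    REG_SZ    "
    "\\Device\\HarddiskVolume\\Windows\\ServiceProfiles\\NetworkService\\NTUSER.DAT\n"
)


def parse_hivelist(text):
    """Return {upper-cased hive name: backing file} from pasted REG QUERY output."""
    hives = {}
    for line in text.splitlines():
        match = _VALUE.match(line)
        if match:
            name, _type, data = match.groups()
            hives[name.upper()] = data  # registry value names are case-insensitive
    return hives


def audit_service_hives(text):
    """List service-account hives that are not loaded or load from an odd file.

    Each finding is (sid, problem, path): for "not loaded" the path is the
    file to inspect; for "unexpected file" it is the path actually listed.
    """
    hives = parse_hivelist(text)
    findings = []
    for sid, expected in SERVICE_HIVES.items():
        data = hives.get(("\\REGISTRY\\USER\\" + sid).upper())
        if data is None:
            findings.append((sid, "not loaded", expected))
            continue
        relative = _DEVICE.sub("", data)
        if relative.upper() != expected.upper():
            findings.append((sid, "unexpected file", relative))
    return findings


if __name__ == "__main__":
    for sid, problem, path in audit_service_hives(CLIENT_HIVELIST):
        print(f"{sid}: {problem} -> check {path}")
```

A "not loaded" finding only says the hive is absent from hivelist; the file's ACL and integrity still have to be checked on the machine itself.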
  • "DavidMCandy" wrote in message news:bf35d91c-7131-4ca6-8f9d-474c26aae223...
    I noticed Laura doesn't have an entry under HiveList. This could be a
    symptom rather than a cause.
     
    --
     
     
     
     
    Yeah – I’ve asked her for the Permissions on the NTUSER.DAT file while I work out what to do :)
    It may simply be that SYSTEM has lost read permissions, or some such.

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, February 29, 2012 10:04 AM
  • Your client is a quick learner, you've asked a lot of her and she has
    delivered without saying it's too hard.
     
    Just do this
     
    reg load HKU\Test "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT"
     
    reg query hku\test\environment
     
    We are hoping for an error number.
     
    I found a web site that details the loading of NetworkService.
    http://blogs.msdn.com/b/richpec/archive/2009/07/20/userenv-debugging-line-by-line.aspx
     
    Problem is userenv.logs were removed for Vista. Replaced with this
    http://www.google.com.au/url?q=http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/224c95bc-e6b3-4b66-82e1-22de625b7dc6/&sa=U&ei=s_hNT7fdIvCfiAewk7la&ved=0CBIQFjAA&usg=AFQjCNHF0JrMWlzBHeSyzSKHKyijFkVmrw
     
    I don't know if these logs would be useful.
    --
    ..
    --
    "Noel D Paton" wrote in message news:77e5b549-bdc7-4703-b295-41863c793bf9...
    > "DavidMCandy" wrote in message
    > news:00dcf40c-5da1-4807-8bf3-d9ef973518cc...
    > Is the hive corrupt. Try loading it
    >
    > reg load HKU\Test "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT"
    >
    > And see if there is an error and can the subkeys be then read in Regedit,
    > and test the security of a random key.
    >
    > I wonder if activation might work if you manually load the hive using
    >
    > reg load HKU\S-1-5-20 "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT"
    >
    >
    >
    >
    > I’m busy trying to work out how best to corrupt my VM’s NTUSER.DAT
    > file and see what happens :)
    >
    > I don’t think the client is up to this sort of thing, although I could
    > possibly ask her to upload the file (it may not be locked?)
    >
    > Just got the results of the hivelist.
    >
    > C:\Windows\system32>REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
    >
    > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
    > \REGISTRY\MACHINE\HARDWARE REG_SZ
    > \REGISTRY\MACHINE\SECURITY REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SECURITY
    > \REGISTRY\MACHINE\SOFTWARE REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE
    > \REGISTRY\MACHINE\SYSTEM REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SYSTEM
    > \REGISTRY\USER\.DEFAULT REG_SZ \Device\HarddiskVolume1\Windows\System32\config\DEFAULT
    > \REGISTRY\MACHINE\SAM REG_SZ \Device\HarddiskVolume1\Windows\System32\config\SAM
    > \REGISTRY\MACHINE\COMPONENTS REG_SZ \Device\HarddiskVolume1\Windows\System32\config\COMPONENTS
    > \REGISTRY\USER\S-1-5-19 REG_SZ \Device\HarddiskVolume1\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    > \Registry\User\S-1-5-21-1938820810-1180724512-1959737532-1000 REG_SZ \Device\HarddiskVolume1\Users\Laura\ntuser.dat
    > \Registry\User\S-1-5-21-1938820810-1180724512-1959737532-1000_Classes REG_SZ \Device\HarddiskVolume1\Users\Laura\AppData\Local\Microsoft\Windows\UsrClass.dat
    >
    >
    > --------------------------------------------------------------------------------
    > Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed
    > Sloth
     
     
    Wednesday, February 29, 2012 10:07 AM
  • The eventlog may help
     
    wmic PATH Win32_NTLogEvent get eventcode,message |findstr "networkservice"
     
    On my computer this always crashes unless the logs are mostly empty. Test on
    yours, it must have worked on MS's computers.
     
    My system log shows no mention of NetworkService
    --
    ..
    --
    "Noel D Paton" wrote in message news:16a0a8db-7ee3-4fc5-9a54-8661e4046280...
    > "DavidMCandy" wrote in message
    > news:bf35d91c-7131-4ca6-8f9d-474c26aae223...
    > I noticed Laura doesn't have an entry under HiveList. This could be a
    > symptom rather than a cause.
    >
    > --
    >
    >
    >
    >
    > Yeah – I’ve asked her for the Permissions on the NTUSER.DAT file while
    > I work out what to do :)
    > It may simply be that SYSTEM has lost read permissions, or some such.
    >
    > --------------------------------------------------------------------------------
    > Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed
    > Sloth
     
     
    Wednesday, February 29, 2012 10:15 AM
  • "DavidMCandy" wrote in message news:ddc04f9c-83ee-47d9-ba65-45514dc6f627...
    The eventlog may help
     
    wmic PATH Win32_NTLogEvent get eventcode,message |findstr "networkservice"
     
    On my computer this always crashes unless the logs are mostly empty. Test on
    yours, it must have worked on MS's computers.
     
    My system log shows no mention of NetworkService
     
     
     
     
     
    This seems to hang on my VM – then get a code 80020009 error
     
    I’ve been playing.
    1) Boot using RE, copy NTUSER.DAT to ntuser.copy ( after –s-h attrib)
    2) clear content of NTUSER.DAT and save (then _s_h attrib)
    Boot to Windows
    reg load HKU\S-1-5-20 ntuser.copy  doesn’t seem to do anything – I get an Access Denied error.
    reg load HKU\test ntuser.copy works, and creates a new key, and I
     
    The problem is that the S-1-5-20 key is still present in my VM – I’ll try deleting NTUSER.DAT completely next
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, February 29, 2012 10:50 AM
  • "Noel D Paton" wrote in message news:c9e60e24-30fd-4c56-9cd2-9e0506c95c0a...
     
    I’ve been playing.
    1) Boot using RE, copy NTUSER.DAT to ntuser.copy ( after –s-h attrib)
    2) clear content of NTUSER.DAT and save (then _s_h attrib)
    Boot to Windows
    reg load HKU\S-1-5-20 ntuser.copy  doesn’t seem to do anything – I get an Access Denied error.
    reg load HKU\test ntuser.copy works, and creates a new key, and I
     
    The problem is that the S-1-5-20 key is still present in my VM – I’ll try deleting NTUSER.DAT completely next
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
     
    That was interesting!
    deleting the NTUSER.DAT file completely repopulated the S-1-5-20 Key!
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, February 29, 2012 11:03 AM
  • Worth a try.
    --
    ..
    --
    "Noel D Paton" wrote in message news:f8d8e594-4208-4b7d-a1cb-9acc7981a285...
    > "Noel D Paton" wrote in message
    > news:c9e60e24-30fd-4c56-9cd2-9e0506c95c0a...
    >
    > I’ve been playing.
    > 1) Boot using RE, copy NTUSER.DAT to ntuser.copy ( after –s-h attrib)
    > 2) clear content of NTUSER.DAT and save (then _s_h attrib)
    > Boot to Windows
    > reg load HKU\S-1-5-20 ntuser.copy doesn’t seem to do anything – I get
    > an Access Denied error.
    > reg load HKU\test ntuser.copy works, and creates a new key, and I
    >
    > The problem is that the S-1-5-20 key is still present in my VM – I’ll
    > try deleting NTUSER.DAT completely next
    >
    >
    >
    > --------------------------------------------------------------------------------
    > Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed
    > Sloth
    >
    > That was interesting!
    > deleting the NTUSER.DAT file completely repopulated the S-1-5-20 Key!
    >
    >
    > --------------------------------------------------------------------------------
    > Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed
    > Sloth
     
     
    Wednesday, February 29, 2012 11:15 AM
  • "Noel D Paton" wrote in message news:c9e60e24-30fd-4c56-9cd2-9e0506c95c0a...
    "DavidMCandy" wrote in message news:ddc04f9c-83ee-47d9-ba65-45514dc6f627...
    The eventlog may help
     
    wmic PATH Win32_NTLogEvent get eventcode,message |findstr "networkservice"
     
    On my computer this always crashes unless the logs are mostly empty. Test on
    yours, it must have worked on MS's computers.
     
    My system log shows no mention of NetworkService
     
     
     
     
     
    This seems to hang on my VM – then get a code 80020009 error
     
    I’ve been playing.
    1) Boot using RE, copy NTUSER.DAT to ntuser.copy ( after –s-h attrib)
    2) clear content of NTUSER.DAT and save (then _s_h attrib)
    Boot to Windows
    reg load HKU\S-1-5-20 ntuser.copy  doesn’t seem to do anything – I get an Access Denied error.
    reg load HKU\test ntuser.copy works, and creates a new key, and I
     
    The problem is that the S-1-5-20 key is still present in my VM – I’ll try deleting NTUSER.DAT completely next
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
     
     
    BINGO!!!!
     
    removing access to the NTUSER.DAT file by SYSTEM, NETWORK SERVICES and ADMINs drops the whole Key from regedit!
     
    Now to see how best to restore the default permissions :)
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, February 29, 2012 11:53 AM
  • "Noel D Paton" wrote in message news:8a4d7ebd-552a-4cab-b106-bf3749fa933d...
    BINGO!!!!
    removing access to the NTUSER.DAT file by SYSTEM, NETWORK SERVICES and ADMINs drops the whole Key from regedit!
    Now to see how best to restore the default permissions :)

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    OK _ I uploaded a ACL list  for the NetworkService folder down – let’s see what that does :)

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    • Edited by Noel D Paton Wednesday, February 29, 2012 12:25 PM remove excess
    Wednesday, February 29, 2012 12:21 PM
  • "Noel D Paton" wrote in message news:18c8262d-8713-4c74-a3b9-9a9783af26e9...
    "Noel D Paton" wrote in message news:8a4d7ebd-552a-4cab-b106-bf3749fa933d...
    BINGO!!!!
    removing access to the NTUSER.DAT file by SYSTEM, NETWORK SERVICES and ADMINs drops the whole Key from regedit!
    Now to see how best to restore the default permissions :)

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    OK _ I uploaded a ACL list  for the NetworkService folder down – let’s see what that does :)

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
     
     
    Further testing shows that if the file is corrupted (I took a chunk out of the middle of the data, rather than just blanked the file completely), then the Key will also go AWOL – and this time will also produce the correct MGADiag error (0x80070426)
     
    So it does look as if the file itself is the root cause. If that is the case, then it’s no longer locked by the system and can be renamed from within windows. (with about 5 confirmation clicks <g>)
    Such a simple fix :) – if it works!
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, February 29, 2012 1:45 PM
  • Excellent.
     
    --
    ..
    --
    "Noel D Paton" wrote in message news:ee2ced72-f5a7-4d7a-919a-2a85e6cf0089...
    > "Noel D Paton" wrote in message
    > news:18c8262d-8713-4c74-a3b9-9a9783af26e9...
    > "Noel D Paton" wrote in message
    > news:8a4d7ebd-552a-4cab-b106-bf3749fa933d...
    > BINGO!!!!
    > removing access to the NTUSER.DAT file by SYSTEM, NETWORK SERVICES and
    > ADMINs drops the whole Key from regedit!
    > Now to see how best to restore the default permissions :)
    >
    > --------------------------------------------------------------------------------
    > Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed
    > Sloth
    > OK _ I uploaded a ACL list for the NetworkService folder down – let’s
    > see what that does :)
    >
    > --------------------------------------------------------------------------------
    > Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed
    > Sloth
    >
    >
    >
    > Further testing shows that if the file is corrupted (I took a chunk out of
    > the middle of the data, rather than just blanked the file completely),
    > then the Key will also go AWOL – and this time will also produce the
    > correct MGADiag error (0x80070426)
    >
    > So it does look as if the file itself is the root cause. If that is the
    > case, then it’s no longer locked by the system and can be renamed from
    > within windows. (with about 5 confirmation clicks <g>)
    > Such a simple fix :) – if it works!
    >
    >
    > --------------------------------------------------------------------------------
    > Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed
    > Sloth
     
     
    Wednesday, February 29, 2012 1:57 PM
  • "DavidMCandy" wrote in message news:262b7a6d-9217-4c34-9625-5990a18f24a6...
    Excellent.
     
     
     
    I spoke too early....
    the NTUSER.DAT file is not regenerated on a reboot

    The folder only contains the DAT file, and the LOG1 and LOG2 files - no regtrans files, and no LOG file
    I tested a similar configuration in my VM, by deleting from RE, but that regenerated fine.
    I suspect that somewhere, something is pulling in the wrong (corrupted) NTUSER.DAT file.

    There is a reference somewhere that I found that suggests that if the registry is unable to save the updated to the normal place, it will fall back to somewhere in the Users hierarchy - the question then is how is the fall-back reversed, or is it supposed to test the default location every time?
     
    The user assures me that the NTUSER.DAT file has been renamed now - but an ICACLS request from the command prompt says that it's still present!
    There must be a redirect in place somewhere - I just can't work out where it's likely to be, or how?
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, February 29, 2012 7:35 PM
  •  

    Hi,

    If the NTUSER.DAT file is corrupted and cannot be re-generated, what about creating a new account and then copying files to the new user profile?

    Fix a corrupted user profile

    Regards,

    Sabrina

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Sabrina

    TechNet Community Support

    Friday, March 2, 2012 4:36 AM
  • "Sabrina Shen" wrote in message news:5ed255bd-c004-4686-a78b-885759432e3d...

     

    Hi,

    If the NTUSER.DAT file is corrupted and cannot be re-generated, what about creating a new account and then copying files to the new user profile?

    Fix a corrupted user profile

    Regards,

    Sabrina

    TechNet Subscriber Support

     

     
     
    That’s a thought – but since the Network Service account is a per-machine account, rather than a per-user account surely any links to it would be outside the purview of the user profile, and so it would not be rebuilt by creating a new account?
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, March 2, 2012 8:05 AM
  •  
     
     
     
    For reference, the original thread referred to is Error 0x80070426
    The eventual solution was summarised in Error 0x80070426 summary post
     
    1) Run CHKDSK /R to fix any filesystem problems
    2) Delete the NTUSER.DAT file from the Network Service profile
    3) Copy the Default user’s NTUSER.DAT file across to the NetworkService profile, and amend the permissions to allow Network Service to have Full Control.
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    • Marked as answer by Sabrina Shen Monday, March 5, 2012 2:22 AM
    Sunday, March 4, 2012 12:09 PM
  •  

    Glad to see the issue was finally fixed. :)

    And thank you for sharing the solution which will help the other community members with the same issue.

    Regards,

    Sabrina

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Sabrina

    TechNet Community Support

    Monday, March 5, 2012 2:22 AM
  • Noel,

    I'm having a similar issue as this thread references.  How did you delete the NTUSER.DAT of the NetworkService profile?  If I try to delete the NTUSER.DAT through right click-->Delete I get the message "Cannot delete NTUSER:  It is being used by another person or program.  Close any programs that might be using the file and try again."

    Thursday, July 5, 2012 2:16 PM
  • Most of the issue was discussed in another thread. This thread was an
    offshoot of the main thread.
     
    The results were summarised here at the bottom
    http://social.microsoft.com/Forums/en-US/genuinevista/thread/b4c34d7a-ae6d-4c68-9410-441f2d002964#afc2abcb-eb40-4008-8a8c-ec8c598d56b0
     
    Just confirm you have a problem with windows activation and the absence of
    S-1-5-20 key missing from HKEY_USERS\ branch of the registry.
     
    --
    ..
    --
    "C01254" wrote in message news:424229bf-a52d-45f6-a933-f678cfbc0077...
    > Noel,
    >
    > I'm having a similar issue as this thread references. How did you delete
    > the NTUSER.DAT of the NetworkService profile? If I try to delete the
    > NTUSER.DAT through right click-->Delete I get the message "Cannot delete
    > NTUSER: It is being used by another person or program. Close any
    > programs that might be using the file and try again."
    >
     
     
    Thursday, July 5, 2012 11:48 PM

  • --
    .
    --
    "DavidMCandy" wrote in message news:e28f957a-8828-4b49-8ebb-ff093e056985...
    Most of the issue was discussed in another thread. This thread was an
    offshoot of the main thread.
     
    The results were summarised here at the bottom
    http://social.microsoft.com/Forums/en-US/genuinevista/thread/b4c34d7a-ae6d-4c68-9410-441f2d002964#afc2abcb-eb40-4008-8a8c-ec8c598d56b0
     
    Just confirm you have a problem with windows activation and the absence of
    S-1-5-20 key missing from HKEY_USERS\ branch of the registry.
     
    --
    ..
    --
    "C01254" wrote in message news:424229bf-a52d-45f6-a933-f678cfbc0077...
    > Noel,
    >
    > I'm having a similar issue as this thread references. How did you delete
    > the NTUSER.DAT of the NetworkService profile? If I try to delete the
    > NTUSER.DAT through right click-->Delete I get the message "Cannot delete
    > NTUSER: It is being used by another person or program. Close any
    > programs that might be using the file and try again."
    >
     
     
    Friday, July 6, 2012 12:01 AM
  • (thanks, David)

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Friday, July 6, 2012 1:00 PM