May 23rd, 2006, 04:54 AM
Recordkeeping by ntuser.dat file
I am hoping to start a discussion about the ntuser.dat file in XP. This would be located in the C:\Documents and Settings\username directory. It's a file that is supposed to maintain the registry settings. However it can grow to tremendous sizes. It continues to grow even if you do not change the registry. Being the curious type, I had to find out what is in this file. I tried opening it using FileAlyzer (from the makers of Spybot) but it would not open as it was being used by another process.
What I had to do was create a new user account for myself with admin privileges. At this point I noticed the ntuser.dat file in the new account is only a few hundred kilobytes in size. Then I began the process of deleting my original user account. During the user account deletion process, you are prompted whether to delete all of the user's files or to save them. I chose to save them. The user account was gone, but the subdirectory was still present in the C:\Documents and Settings folder. Directories such as Application Data, Cookies, User Data, WINDOWS, etc. were still there. But more importantly, the ntuser.dat file was still present. It had grown to over 5MB. I tried opening the file with FileAlyzer but it wouldn't open. Even though the user account was gone, the file was still locked by another process!!
To take care of this I had to restart my computer and enter "Safe Mode with Command Prompt" in the Administrator account. Using DOS commands I was able to unhide ntuser.dat and then rename it ntuser.txt. After restarting the computer I was able to open the file with FileAlyzer.
I found listings for such things as keys pressed, windows opened, window sizes, resizing of windows, scrolling positions, addresses, files opened, files saved, registry changes made, programs opened, links, etc. I am not sure if all keys pressed are retained in the file (such as typing an email or a notepad document). In FileAlyzer, strings are in a left frame and are very brief. Double-clicking on a string takes you to its location in the right frame, which shows both the hex dump and text. However, a good portion of the text was coded as if you opened an executable in Notepad. But program names and file names were easily read. I have read elsewhere that this file also stores such information as passwords, form data, etc. In essence, the file contains a complete account of what I had done on the computer since I started using Windows XP.
I'm just wondering how others feel about this type of recordkeeping being done by Microsoft without the knowledge of the user, and if anyone has any other information about how this file is used by the operating system.
May 28th, 2006, 09:32 AM
June 5th, 2006, 05:01 AM
Still puzzled about the complete purpose of this file
Kane, thank you for the informative links.
You mentioned ntuser.dat = HKEY_CURRENT_USER. At this link is the following quote: "The user profile includes environment variables, personal program groups, desktop settings, network connections, printers, and application preferences. The data in the user profile is similar to the data stored in the Win.ini file in Windows 3.x."
As is probably the case with most XP Pro users, I have a main 'Administrator' account, and a second user account called 'Mikey' that also has administrative privileges. As stated in my original thread post, I deleted my old user account and started the new one, 'Mikey'. This occurred on May 20. Since then my ntuser.dat file for Mikey has grown in size from a few hundred kilobytes (I forgot to write down the original size) to currently 2.56MB. This is significant as the ntuser.dat file for 'Administrator' is currently only 512kB. Since reinstalling XP Pro late last year, I have only accessed this account twice. The first time is noted in my first post and then just tonight. I have installed additional programs in the Mikey account since then, but not to a degree that would make the ntuser.dat file increase so much.
On a side note, I followed the well-written instructions at http://www.petri.co.il/edit_registry...han_myself.htm. Previously when I would edit my registry I did it right from the Mikey account. It seems that is why I couldn't directly access my ntuser.dat file. This time, following those directions, I rebooted in windows safe mode in my Administrator account. Using Windows Explorer I simply right-clicked on ntuser.dat, clicked copy, and then pasted it in the My Documents folder. I was then able to open it with FileAlyzer. A much simpler process than creating a whole new account.
As before, I found logging of recent activities. About a day ago I created a folder. It was represented in the left string window of FileAlyzer by a five-digit number which when double-clicked brought me to the folder name in the right window. Also referenced were the opening and conversion-to-pdf of a cover letter and resume I worked on about three days ago. I even found a listing for the registry-editing link you provided as I saved the whole page to disk!!!
One entry mentions a 'Microsoft Remote Assistance Incident' and refers to the RCBdyctl.dll file in the System32 directory. I note this because I have my Remote Assistance service disabled. In fact, to the best of my knowledge, I have ALL of my remote services turned off. Entries before this are for a Windows Installer Package and a Windows Installer Patch (I did not install anything). Entries after this mention DLLs for Movie Maker (I never used it), PC Health, and NetMeeting (it states 'Compatible Whiteboard Document', but I have the NetMeeting service disabled).
I guess I could go on and on, but you get the idea. If this document is only for user settings and you do not change anything in a week, for instance, then wouldn't ntuser.dat remain the same size? Shouldn't it be a static file until something is changed? Also, open Windows Explorer to the user directory with the ntuser.dat file in it. I have already moved from this folder to another and then back again, and I saw the ntuser.dat.LOG file increase in size. This file is logging the folder events I just performed. I have also right-clicked ntuser.dat.LOG and clicked Properties, and the window would say that ntuser.dat.LOG is 40kB in size, yet the Explorer window would show only 1kB. Very odd. Sometimes ntuser.dat is changed while I am using the computer, but it always seems to change at shut down.
OK this is too long as it is. Take care,
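As an added example (not part of this thread, and not the FileAlyzer method the posts describe), here is a PowerShell script that takes a copy of NTUSER.DAT, loads it under HKEY_USERS with reg.exe, and lists the Explorer RecentDocs, RunMRU, Internet Explorer TypedURLs and UserAssist entries it holds. Those keys are where the "files opened", "links" and "programs opened" records that both posts found as raw strings live, so the script shows the same data in structured form. It assumes the hive was copied while its owner was logged off (a hive that is in use is locked, which is what the first post ran into), that it runs from an elevated PowerShell prompt on a machine with reg.exe, and that the path C:\Temp\ntuser.dat and the mount name OfflineUser are placeholders to change.

```powershell
# Added example, not code from the thread. Assumes an elevated prompt,
# reg.exe on the PATH, and a copy of the hive taken while its owner was
# logged off. $HivePath and $MountName are placeholders.
param(
    [string]$HivePath  = 'C:\Temp\ntuser.dat',   # assumed location of the copied hive
    [string]$MountName = 'OfflineUser'            # temporary name under HKEY_USERS
)

function ConvertFrom-Rot13([string]$s) {
    # UserAssist stores program names ROT13-encoded; decode A-Z and a-z only
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $s.ToCharArray()) {
        $c = [int]$ch
        if ($c -ge 65 -and $c -le 90)      { $c = (($c - 65 + 13) % 26) + 65 }
        elseif ($c -ge 97 -and $c -le 122) { $c = (($c - 97 + 13) % 26) + 97 }
        [void]$sb.Append([char]$c)
    }
    $sb.ToString()
}

function Get-MruDocNames([string]$keyPath) {
    # RecentDocs (and its per-extension subkeys) hold numbered binary values that
    # begin with the document name as a null-terminated UTF-16LE string.
    $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }
    $keys = @($key) + @($key.GetSubKeyNames() | ForEach-Object { $key.OpenSubKey($_) })
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            if ($name -match '^\d+$') {
                $text = [System.Text.Encoding]::Unicode.GetString($k.GetValue($name))
                "{0}\{1} = {2}" -f $k.Name.Split('\')[-1], $name, $text.Split([char]0)[0]
            }
        }
        $k.Close()
    }
}

function Get-StringValues([string]$keyPath, [string]$pattern) {
    # Plain REG_SZ lists: RunMRU uses value names a, b, c...; TypedURLs uses url1, url2...
    $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        if ($name -match $pattern) { "{0} = {1}" -f $name, $key.GetValue($name) }
    }
    $key.Close()
}

function Get-UserAssist([string]$keyPath) {
    # XP-format UserAssist data: 4-byte session, 4-byte run count, 8-byte FILETIME
    # of the last run (the stored count on XP starts at 5, so it reads high by 5).
    $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)
        if ($data -is [byte[]] -and $data.Length -ge 16) {
            $count = [BitConverter]::ToInt32($data, 4)
            $ticks = [BitConverter]::ToInt64($data, 8)
            $last  = ''
            if ($ticks -gt 0) { $last = [DateTime]::FromFileTime($ticks) }
            "{0}  count={1}  last={2}" -f (ConvertFrom-Rot13 $name), $count, $last
        }
    }
    $key.Close()
}

# reg.exe refuses a hive that is still in use, so a locked file fails here
# instead of silently producing an empty listing.
& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe could not load '$HivePath'; is the profile still loaded?" }

$base = "Registry::HKEY_USERS\$MountName\Software\Microsoft"
try {
    '== RecentDocs (documents opened through Explorer and the common dialogs) =='
    Get-MruDocNames "$base\Windows\CurrentVersion\Explorer\RecentDocs"
    '== RunMRU (Start > Run history) =='
    Get-StringValues "$base\Windows\CurrentVersion\Explorer\RunMRU" '^[a-z]$'
    '== TypedURLs (addresses typed into Internet Explorer) =='
    Get-StringValues "$base\Internet Explorer\TypedURLs" '^url\d+$'
    '== UserAssist (programs launched via the shell; names decoded from ROT13) =='
    Get-UserAssist "$base\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count"
}
finally {
    # Release our registry handles first, or the unload fails with "in use"
    [GC]::Collect()
    & reg.exe unload "HKU\$MountName" | Out-Null
}
```

Run it from an elevated PowerShell prompt with -HivePath pointing at the copied hive; the finally block unloads the hive even if a key is missing or an error occurs, so the copy is left unchanged. If reg.exe load fails, the hive is still loaded for a logged-on user, which is the same lock the posts hit, and the copy has to be taken with that user logged off (Safe Mode under another administrator account, as described above, works).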