phazz Posted November 8, 2005

Hi, hope someone might be able to help out.

In a rash moment, I agreed to have a look at a friend's PC (AMD Duron 1300MHz, 128MB RAM, PCChips m/b with onboard VGA hogging 8MB of the memory, running Win XP Home!!). I took the PC home to deal with, after initial spyware checks found over 2500 infections! (6 months of 2 teenage offspring using a broadband connection with no firewall or A/V!). Unfortunately, no Windows disk to re-install with, nothing so easy!

Got the machine running a bit better: program removal, spyware and A/V scans and some simple registry cleaning using JV Power Tools.

My problem lies with a selection of programs that don't uninstall due to missing files, and I think this stems from the programs being originally installed from user accounts that don't exist any more. I could be totally wrong here; quite a few of the programs that won't uninstall are asking for missing install logs or .dat files, leading me to my above-mentioned prognosis. However, a few of the errors quote '16 bit windows subsystem' 'not suitable for running MS-DOS and Windows applications', leaving me wondering if this XP installation was a crude upgrade! I decided cleaning up some of these unused accounts might help system performance, but your observations or suggestions would be appreciated.

From the XP logon screen, there are 2 user accounts (both administrator), but in the Documents and Settings folder of the system drive there are 10 accounts (Administrator, All Users, Default User and 7x user-named accounts). I'm presuming that the problem ones are the 5 unused user-named accounts.

Can anyone point me to the right way to get rid of these accounts and their registry entries, as they are not removable from the Control Panel/User Accounts or System Properties/Advanced/User Profiles tab, and just deleting the folders fails also.

Sorry if I'm missing something obvious, but I'm not that up to date with XP!

Thanks, phazz
InTheWayBoy Posted November 8, 2005

At this point it sounds like the accounts have already been removed...now all that is left is the folders. You can delete these folders if you don't need anything from them. If you don't know already, the user folders contain the profile that is loaded when you log on to an account. That includes both personal files (My Docs, Favorites, Outlook, etc.) and system files (settings, cookies, temp files, etc.). So before you delete the folders, make sure you get all the info from them first!

But in truth, if the user account is dead (removed from Control Panel) then those folders aren't accessed anymore by Windows...now, if there is some spyware/virus hiding in one of those folders then that's a different story. Each user's personal settings, including the HKCU registry, are stored in the folder and not loaded unless the user logs on. Now if the user changed anything in the 'universal' HKLM, then there is no way to undo a specific user's changes...at least none that I know of.

You say you are running into uninstall errors...I saw that quite a bit when I was a spyhunter. A lot of the apps that clean systems have a bad habit of removing files they shouldn't. For instance, many have a feature that removes all log files...thus when an uninstall needs to access a log file it isn't there. So it's not really a problem of users, but more of how things have been handled. And don't discount the fact that many uninstallers just plain don't work...sad fact.

If you are at this state of the repair, I would seriously look into a reload...when you add up all the time needed to fix the remaining problems you've probably wasted more time than a backup + reload. I know you don't have his CD, but if you have the CD key (should be on a sticker somewhere on the unit) then you can try methods. If there is an I386 directory on the unit, then you can most likely rebuild a new CD. Or, you can try a CD of a similar OS...so if he has XP Home then try another XP Home. Be warned, I wouldn't try a Dell XP CD on an HP computer. That's just an example, but many OEMs customize their CDs to the point where it could cause problems on different machines.

And if you can't delete a folder, then the user may have 'secured' it...depending on the OS you can get around this very easily. If it's XP Pro, you can become the 'owner' of the folder, at which point you can delete it. If you are on XP Home I don't know how you do that since it doesn't have the NTFS File Permissions tab. Another way, and one you should look into for other uses, is some kinda bootable CD...in particular one that boots to a GUI and gives you NTFS access. There are a few options, but the best by far is BartPE. With this you can boot off a CD into a GUI and run various programs...you can even run SpyBot from it! It's not all that simple, as each program you add on needs to be correctly set up, but it's well worth it.

Once you have a BartPE CD, then you can run a file manager (A43 is included by default) and delete the folders that way. This is also a very effective way to remove those last bits of spyware that you just can't remove from a running copy of Windows...good luck!
phazz Posted November 8, 2005 (Author)

InTheWayBoy

Many thanks for your prompt and detailed response.

> If you are at this state of the repair, I would seriously look into a reload...when you add up all the time needed to fix the remaining problems you've probably wasted more time than a backup + reload.

How true! Having dedicated the best of a weekend and more to this machine, and despite achieving a vast improvement in performance, I know that there is still ad/spyware installed on the machine. Not just from the programs that I recognise as adware-supported programs with entries in 'Add and Remove Programs' (those that error when uninstall is attempted), but also from software in the 'Program Files' folder which appears to have no uninstall utilities. The spyware removal programs (Lavasoft Ad-Aware, Search and Destroy) are not picking these up; however, experience has taught me that these programs need to be run from each user account to be thorough, so if the rogue programs were installed by the defunct users, which can't be accessed, then inevitably there will be spyware remaining, which makes my prior efforts immaterial!

Unfortunately, the user account folders can not be deleted, and this is Win XP Home. However, perhaps you offer a ray of hope: I do have the CD key 'on a sticker somewhere on the unit' and there are I386 folders in the Windows\driver cache and Windows\ServicePackFiles folders (SP2 has been installed).

> but if you have the CDKey (Should be on a sticker somewhere on the unit) then you can try methods. If there is an I386 directory on the unit, then you can most likely rebuild a new CD

I wasn't aware this was possible. Could you elaborate further, either with a link, or if there's a name for this process I can use as a start for some research? That would be very helpful.

Thanks also for the BartPE link.

phazz
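The two points above fit together: each profile's HKCU registry lives in its own folder under Documents and Settings and is only loaded when that user logs on, which is why a scanner run from one account never sees what another account's profile starts. As an added example (not from this thread, and not part of any tool mentioned in it), this batch script mounts each dormant profile's NTUSER.DAT with reg.exe, which ships with XP, and lists the Run/RunOnce autostart entries stored in it without logging on as that user. The profile root C:\Documents and Settings is an assumption for a default XP install on drive C:.

```batch
@echo off
REM Added example, not from the thread: list the autostart entries held in each
REM dormant profile's own registry hive (NTUSER.DAT) without logging on as that user.
REM Assumes Windows XP, an administrator command prompt and the default profile
REM root below (assumption; change it if the system drive is not C:).
setlocal
set "PROFILES=C:\Documents and Settings"

for /d %%P in ("%PROFILES%\*") do (
    REM All Users has no hive of its own, so folders without NTUSER.DAT are skipped.
    if exist "%%~P\NTUSER.DAT" (
        echo.
        echo === Profile: %%~nxP ===
        REM Mount the hive under a temporary HKEY_USERS subkey. This fails when the
        REM hive is already loaded, i.e. that account is logged on right now.
        reg load HKU\TmpHive "%%~P\NTUSER.DAT" >nul 2>&1
        if errorlevel 1 (
            echo   hive is in use or unreadable, skipped
        ) else (
            echo   -- Run --
            reg query "HKU\TmpHive\Software\Microsoft\Windows\CurrentVersion\Run" 2>nul
            echo   -- RunOnce --
            reg query "HKU\TmpHive\Software\Microsoft\Windows\CurrentVersion\RunOnce" 2>nul
            REM Always unmount, otherwise the hive stays locked until reboot.
            reg unload HKU\TmpHive >nul 2>&1
        )
    )
)
endlocal
```

Anything listed for a profile nobody can log on to any more is a candidate to remove with the hive mounted (reg delete against HKU\TmpHive) before the folder itself is deleted from BartPE.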
ender341 Posted November 8, 2005

In either the Windows dir or the root drive dir there may be an "i386" dir that contains all the setup files.

Is it an OEM machine (Dell or other big name) or is it a home-built machine? If it is, it probably has the CD key printed somewhere on the outside of the case.

As another option, look online. I know there are tools that will tell you the CD key of the Windows machine it is run on, so you could use another CD to install with their CD. The only problem I see with this is that usually these are found on 'shady' sites, but if the machine is already full of spyware it can't really do too much damage.
InTheWayBoy Posted November 9, 2005 (edited)

You might have an I386 dir either in the root of your C: or inside your Windows directory...in the I386 should be all the source files used to install Windows. I say might and should because many OEMs like to do things differently, resulting in situations where these tactics don't work.

A WinXP install disc is basically that I386 folder, plus a few necessary files to support the booting and launching of setup...so if you can create the correct structure around the I386 folder you have on the HD, then you can burn that to a CD and try reloading.

First I would make a new folder, let's call it XPCD. Next copy the I386 directory into that folder...when it's finished you should have a folder called XPCD with nothing in it other than the I386 folder you just copied.

Next, you'll need to download the correct support files...I'm sure there is a more specific name, but we'll just stick with that for now. This step varies depending on what service pack the source files are. This isn't necessarily the same as what service pack the machine is currently running...you could be running SP2, but your source was SP1. But don't worry too much about that. As long as you include all the files for the various service packs (0, 1, and 2) and versions (Home and Pro) then you'll be alright. Lucky for you someone made a nice little download that contains all of them:

http://www.msfn.org/board/index.php?s=&sho...ndpost&p=156691

Alanoll is good people.

Download that and extract it to the root of your XPCD folder...so now you should have a bunch of files in the C:\XPCD folder along with the I386 folder.

The last part of the puzzle is the boot loader. This is a file that specifically calls the setup process when you boot from a CD. It also gives you that nice "Press any key to boot from CD..." option. Since you don't have an original install disc to pull this from, you'll need to download this as well. You can download it here:

http://www.msfn.org/uploads/files/boot.zip

I tend to extract it to the root of the XPCD folder, but in truth it can be almost anywhere. It's just one file...boot.bin and it's only 2K.

Now that you have the source files, the support files, and the boot loader you are ready to burn! You can go at this several ways. Some like to burn straight to a CD, I like to make an ISO file first...and then burn. Even though it's an extra step now, it saves a ton of time later when you need to make a new copy.

Here's a way to do it going straight to CD using Nero:

http://www.msfn.org/articles.php?action=show&id=22

Here's a way to do it using CDIMAGE, which will create an ISO image:

http://unattended.msfn.org/global/cdimage.htm

NOTE: There is a process called slipstreaming that I intentionally left out. It's a process that updates the source files to a newer version. So if your source is SP1, you can slipstream SP2 changes into the source. The end result is an install that starts at SP2 instead of SP1. Seeing as you look pressed for time, I figure you don't really wanna put too much time into this. You can do it manually or by using a program. If you want to know more, look here:

http://unattended.msfn.org/beginner/slipstream.htm

Now others will tell you to just use nLite, and I agree in some cases. It's a great application that can do almost all of this plus much more. Problem is, if it's not used properly (and believe me, that's easy), then your CD may not work. Or, even worse...it may work and install Windows, but only then, after wasting an hour or two, do you find out the installed Windows isn't right. So I suggest you learn to do it manually first, and then you can jump up to an automated program. Sounds backwards, but it's easier to understand the tools better when you actually know what they are doing.

Also, as you'll notice, a bunch of the links point to this:

http://unattended.msfn.org

Even though it goes beyond the scope of your problem, it's a great document to read and keep handy.

Good luck!

Edited November 9, 2005 by InTheWayBoy
phazz Posted November 9, 2005 (Author)

Hi,

Once again, thanks for your replies; however, I fear they may be in vain.

Unfortunately the only I386 folders on the PC are within the C:\windows\driver cache and C:\windows\ServicePackFiles folders, not in the root or Windows folders. I googled this topic and read through a couple of articles that basically went through the process that you (InTheWayBoy) patiently outlined for me. They do suggest that the relevant I386 folders contain the important file winnt32.exe, which is totally absent too.

I'm not sure about the build (Dell, HP etc. or home build) of the PC, but the Windows CD key sticker says the version of Windows is XP Home OEM.

I'm not sure if this suggestion is possible, or if we're allowed to mention it, but can I use my own Win XP Home CD to extract an I386 folder or relevant files to create a CD that would be usable with the CD key on the PC, or does this constitute some form of pirating? Please ignore if that's the case.

Alternatively, going back to your first post, I haven't had a chance to explore the BartPE page too much yet, but I presume I could use my own Win XP Home CD to create a BartPE CD to access and possibly delete some of the folders/spyware on the PC.

Perhaps I'll tell my mate he won't be getting his PC back for a couple of weeks!
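The build procedure InTheWayBoy laid out, together with the winnt32.exe check phazz found in his reading, can be scripted so that the "is this I386 a real source?" question is answered before anything is copied or burned. This batch script is an added example, not code from this thread or from any of the linked guides: it hunts for every I386 folder on the drive, keeps only those carrying the setup programs (winnt32.exe and txtsetup.sif, so the driver cache and ServicePackFiles copies are rejected), assembles the XPCD tree and checks it. C:\XPDL as the folder where the support files and boot.bin were extracted is an assumption.

```batch
@echo off
REM Added example, not from the thread: find every I386 folder on the drive,
REM keep only the ones that are a real install source, and assemble the XPCD
REM tree described above. Assumes Windows XP and that the support files and
REM boot.bin have already been downloaded and extracted into C:\XPDL (assumption).
setlocal
set "SRCDRIVE=C:\"
set "DLDIR=C:\XPDL"
set "CDROOT=C:\XPCD"

REM 1. A genuine source carries the setup programs; the I386 copies under
REM    driver cache and ServicePackFiles do not, so they are rejected here.
set "GOOD="
for /f "delims=" %%D in ('dir /s /b /ad "%SRCDRIVE%I386" 2^>nul') do (
    set "OK="
    if exist "%%D\winnt32.exe" if exist "%%D\txtsetup.sif" set "OK=1"
    if defined OK (
        echo usable source: %%D
        if not defined GOOD set "GOOD=%%D"
    ) else (
        echo not a source : %%D
    )
)
if not defined GOOD (
    echo No genuine I386 source on this drive. Another XP CD of the same edition and SP level is needed.
    exit /b 1
)

REM 2. Build the tree: XPCD\I386 from the source, support files and boot.bin at the root.
mkdir "%CDROOT%" 2>nul
xcopy "%GOOD%" "%CDROOT%\I386\" /E /H /K /Y >nul
xcopy "%DLDIR%\*" "%CDROOT%\" /E /H /K /Y >nul

REM 3. Sanity check before burning: everything the boot loader and setup need must be present.
set "MISSING="
for %%F in ("I386\winnt32.exe" "I386\txtsetup.sif" "boot.bin") do (
    if not exist "%CDROOT%\%%~F" (
        echo missing: %%~F
        set "MISSING=1"
    )
)
if defined MISSING exit /b 1
echo Tree at %CDROOT% is ready to burn as a bootable CD with boot.bin, as in the linked guides.
endlocal
```

On the machine in this thread the script stops at step 1, which is the same conclusion phazz reached by hand; it is more useful on a unit whose OEM did leave a full source behind.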
InTheWayBoy Posted November 9, 2005

Well that sucks about the source files on the unit...but it does happen.

But you do have an out...you can use YOUR XP Home disc on the unit. However, there are sometimes when that doesn't work. For instance, if the CD key on the unit is an SP2 key (meaning the unit was bought after SP2 was released), then it won't work on a CD that is SP1 level. Also, and I never figured this one out, but there are sometimes when a key just flat-out won't work...very rare, but it does happen.

Another gotcha about using YOUR CD is that it might be customized to YOUR computer. This could be as simple as drivers for your unit to custom branding by the OEM. So if YOUR CD is a Dell CD, and you install it on another computer that isn't a Dell, it'll still show the Dell logos in certain places.

And the last issue is the type of CD you have...you say the CD key on the unit says "OEM". That means that CD key will only work on an OEM CD. If you bought your CD in a retail setting, then it won't work. How do you know if you have an OEM CD? It usually says on the CD that it's an OEM, or only to be sold with a new PC. If it's a retail it says something else...

As for the BartPE question, you most definitely can use XP Home to create that. You can also use 2003 if you had that, but I can't see a real reason to use anything other than XP. I wish there were some better tutorials, but this looks well enough:

http://www.bootcd.us/PEBuilder_tutorial.php

It's for an older version, but most of the stuff is still the same. I suggest starting out with the bare system, and then moving up. The basic system comes with enough tools to remove files and such. Plugins, which are really just applications packaged correctly to work with BartPE, can be found for many applications like Spybot, AdAware, and almost any other program ever made.

There is a gotcha for BartPE too...when you boot the system it is reading the local registry from the CD. So, when a tool like AdAware scans the registry for spyware, it's really scanning the CD's registry, not the computer you booted it from. Of course, they have found many ways around this, and Spybot has recently built-in support to read the computer's registry and not the CD's.

The best place for BartPE help is their forums:

http://911cd.net/forums

But, you can always ask questions here...someone will help ya.
phazz Posted November 10, 2005 (Author)

Yes, I have to smile about this, as it appears everything is against me. My copy of Win XP Home is OEM too, but has SP2 included; however, I suspect the version on the unit is prior to SP2, as there is an entry for SP2 in the 'Add and Remove Programs' tab.

Six months ago I found the Unattended install site, associated with this site, that you linked to, and had meant to read more into the topic and have a go, but never got around to it. Perhaps I should start again. I do remember that the guide mentions that testing using a virtual machine is possible, so I could try to create a CD from mine and try it out with a VM, but it doesn't sound like a strong candidate for success and not something I'm going to be rushing into without some reading up first.

So for the short term, I think I'll explore the BartPE option and try and clean the machine as best as possible! Gotta feeling I need to do a bit of registry research as well first before I delete something I don't really want to be deleting!

Many thanks for the help,

phazz
InTheWayBoy Posted November 10, 2005

Well not necessarily...as I said, you can't use an SP2 CD key on an SP1 source, as it only has support for SP0 and SP1 CD keys. But, since SP2 came out after SP1 it contains support for SP0 + SP1 + SP2 CD keys...so you're good to go!

The unattended is definitely something you don't wanna beta test on a friend's machine...at least, not a friend you like.

And just in case you don't have a VM solution already, there is a free mini version of VMware (best VM ever) called VMPlayer. It only lets you start VMs, not create them. But we've all found out that with a little text editing you can pretty much create your own VM. Works great for testing unattended installs. I started a thread over here:

http://www.msfn.org/board/index.php?showtopic=58664