NTUSER.DAT Issues

Hi, everyone.

I tried a search, but couldn't find quite what I was looking for.

Basically, my NTUSER.DAT is becoming increasingly bloated with personal info (names, phone numbers etc) and I was wondering if there was any way to clean this sensitive information? Is there a software method or even a manual workaround to do this?

Thanks.

 

Only you know what you feel needs removing from the file which, of course,holds all your profile information. Each profile has a ntuser.dat file. How many profiles do you have set up and which one is bloated?

If you need to get rid of one that's large and is a profile no longer used, be sure you don't delete simply the .dat file. Just delete the entire profile from profile settings.

 

I only have the one profile set up and it's my active profile, so unfortunately deleting the profile is not an option.

Strangely enough, the personal info in the file only shows up when viewed in a text editor or something similar and does not appear. My understanding was that the NTUSER.DAT file was copy of HKEY_USERS registry hive, so it struck me as odd that I only see this data within the actual NTUSER.DAT file.

 

@ Mystik_TK

Hi, yes you're quite right This has been a Very serious issue for years, and i remember talking about even when i was on 98 !

Why MS "CHOSE" to allow private etc and data NOT required to run the OS in there is VERY suspicious and stupid

Please read this EXTREMELY CAREFULLY then take as much time as you like, then ONLY proceed at your own risk.

I "believe" if we can copy NTUSER.DAT by some means, such as for eg, whilst the hard it is from is not running the OS, we can edit out, delete, that data then paste NTUSER.DAT back EXACTLY where we found it.

Removing the HD and connecting to another comp as a Slave "might" be one way, and there must be other ways too. I have NOT tried this yet, but when i get the chance i think i will. If you do it, please post with your experiences

Make SURE you have FULL backup BEFORE proceeding !

 

who but you has access to that info? If nobody why is it an issue?

 

Clone Ranger, thanks very much. I'll give that a try? Just curious, are you suggesting to delete the data from within a text editor and if so, are you suggesting just to delete the personal info or delte the entire contents of the file?

Cudni, no one else but me has access at the moment. However, I'm a very paranoid guy. If, for example, a hacker wound up with that file, he/she would have access to passwords, phone numbers, e-mail etc. The fact that MS allowed this data to be unknowingly collected simply bothers me and I want it removed.

 

The data is there because you put there as and when you needed it in everyday use. If you are that paranoid then use some kind of virtual environment which you can wipe clean and reuse as you please.

 

Anybody who is "able" to.

1 - Another user/s possibly

2 - If stolen

3 - Forensic

The point is, that info does NOT "NEED" to be stored in there in the first place. So why did MS make it do that, we have our suspicions and they are ALL

@ Mystik_TK

NOT the entire contents of the file, otherwise it probably won't boot.

Just the personal data, with a text editor etc.

If you did make a mistake, as long as you have FULL backup BEFORE proceeding you should be fine.

Looking forward to hearing how it goes

 

Originally Posted by Cudni

But we did NOT purposefully and knowingly put it, STORE it there, the OS does that all by itself.

Sure good suggestion but unless we install such software as soon as we switch on a BRAND NEW comp. then data starts mounting up from that second, and on and on day by day. So installing VTech after the fact, won't help previously stored data.

 

The OS and software in general does what the user tells it. Imagine an OS that does not store data

 

Yes i know what you mean, but the OS does NOT ask us if we want PERMANENT personal data stored in a file called NTUSER.DAT BEFORE it stores it. Nor does it inform us it has stored such data in there, and the implications of doing so.

For eg, we might expect email addys to be stored in DBX etc files, and other data such as passwords to be stored in their appropriate area/s, but MS also duplicates and stores this kind of data in NTUSER.DAT How many people expect, or know about that, not many !

 

I want it to store data otherwise I would use abacus. As for the things it does store then it is a matter of education for the user to access widely available information on what and how to control it.

 

Originally Posted by Cudni

That's just it though, MOST people would NOT even know about the data storage in NTUSER.DAT the first place, to then go and research etc

 

Here's a link to a PP presentation regarding what can forensically be recovered from various parts of the registry.

I am linking to the Google cached "View As HTML" version. Scroll down for NTUSER details.
http://www.google.com/url?sa=t&sour...sOnTDQ&usg=AFQjCNE6QU_NnY96-OJldPjGBbSKepNglg

 

@ LockBox

Thanks for the link = Nightmare =

 

Whatever you do, DO NOT try to edit the NTUSER.DAT file manually. NTUSER.DAT is the binary file which stores the HKEY_CURRENT_USER branch of the registry. If Windows can't read it properly, it won't be able to load the registry into memory... which means your machine will roll back to factory settings... which will then wipe out all of your custom settings and you'll lose the functionality of your installed programs. You might as well reformat and reinstall the OS if you're going to do that.

The solution is to go into REGEDIT and clean up the sensitive info under HKEY_CURRENT_USER, then run an app to compact/defragment the Windows registry.

I would recommend deleting these keys in particular:

HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags

In my experience, those keys are 100% safe to delete. But depending on what programs you have installed, there's probably several more keys and/or values you will want to clean up as well. Search for words like "last" "recent" and "MRU" in the registry editor. Just be very careful about what you delete, or else you could really mess up the registry.

Once the registry is cleaned up to your satisfaction, next you will want to run a registry optimizer such as NTREGOPT. This will synchronize your registry in memory with your physical registry hives (which includes NTUSER.DAT). The purpose is to clean up any orphaned entries or fragments of sensitive info that may still remain in your DAT hives after you've already cleaned your registry.

After you've done all that, look at your NTUSER.DAT again, and now it should be much cleaner. However if you're still finding sensitive info in there, that means it's "spawning" from somewhere in memory (registry) so you'll need to go back into REGEDIT and find out where it's coming from. Ideally, you should try to tweak your OS and programs' settings so they don't write sensitive data into the registry in the first place, whenever possible.

Hope this helps

 

Thanks very much for the tips. The only problem with what you suggested is that a search of the registry through regedit does not show any of this data. I don't know if there's a better way to search, but it appears that this data is exclusive to NTUSER.DAT.

 

Mystik_TK,

Since you couldn't find the sensitive data when searching the registry directly, most likely that means you have fragments of previously deleted registry data stuck in your NTUSER.DAT file that you need to get rid of. In that case, I would suggest just running the NTREGOPT app right away. Or if that's not compatible with your system, you could try Free Registry Defrag instead. You see, whenever you delete something from the registry, technically it just gets flagged for deletion but the actual data stays in your DAT file until it gets overwritten by something else. But if you defrag/compact the registry using the software, it will rebuild the registry tree from scratch and you'll end up with a nice clean NTUSER.DAT that is synchronized with the registry. Also just as an FYI, the NTREGOPT program automatically creates a backup of your NTUSER.DAT (as well as the other hives), so you'll probably want to delete those *.BAK files after you've rebooted successfully.