Get a list of deleted profiles

I’m trying to set up an Analysis to capture the deleted user profiles on a computer but I’m not having any luck. Google says the analysis should reference this: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList — but I can’t get it to work. Can someone help?

Thanks for any help!

Sno

Can you share the analysis that you’re currently testing with?


Sure!

unique values of (it as string) of values "ProfileImagePath" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of (x64 registries; x32 registries)

If you’re trying to identify what profiles exist to determine what profiles could be deleted, then I believe your issue is that you need to do Keys of Keys instead of values "ProfileImagePath" of keys. But that key doesn’t show profiles that have been deleted already, which is what was confusing me from your original question.

unique values of (it as string) of values "ProfileImagePath" of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of (x64 registries; x32 registries)


This is close, but it is only returning %systemroot%\serviceprofiles\localservice

I really need the user profile name. So close!

Have you looked at the registry to confirm there are profiles listed under the profilelist key? It appears to be working on my machines, but if you’re needing just the user name and not the path, we have an analysis that gets it like this to remove the LocalService, NetworkService, and systemprofiles paths.

following texts whose ( it is not contained by "NetworkService|LocalService|systemprofile" ) of lasts "\" of (substrings before "%00" of (Values "ProfileImagePath" of Keys of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" of Registry as string))

(it, exists folder of (it)) of (folders ((expand environment string of preceding text of last "%00" of (it as string)) of (values "ProfileImagePath" whose ((it as string) does not end with "\systemprofile%00" ) of keys whose (exists value "sid" of it) of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList" of registry)))

The exists folder of it should tell us if the folder exists. If the folder doesn’t exist, then the profile would have been deleted. I’m not sure if that is what you’re trying to do or not, though.

They did something similar to this on this post that made me think to do it this way:
Using a folder wildcard - Content Authoring - BigFix Forum


This returns a “syntax error”. Could it be the ))) at the end?

What is the error that you received? It works for me on Windows 11 on the 11.0.3 debugger, but I can try an older version of the debugger to see if I get different results. I don’t think anything in this relevance statement is new, so I don’t think it would be a version issue.

The ))) are close parentheses for the relevance statements earlier in the statement.

The Forum “smart formatting” broke some of the query JStev posted above. I have corrected that bit with code tags, could you check it and try again?


Hi Jason, now it says: the operator “folders” is not defined

If possible, please share a screenshot or the exact relevance query you’re using. That will help others identify where the issue might be. I’ve also tested @Jstev’s relevance query and haven’t encountered any errors so far.


Yes the smart quotes are very frustrating.

I’m not sure at this point what query you’re using, but this one works for me:

q: (it, exists folder of (it)) of (folders ((expand environment string of preceding text of last "%00" of (it as string)) of (values "ProfileImagePath" whose ((it as string) does not end with "\systemprofile%00" ) of keys whose (exists value "sid" of it) of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList" of registry)))
A: C:\Users\SOME ADMIN, True
A: C:\Users\JASON, True
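
For cross-checking the relevance result directly on an endpoint, here is the same registry-versus-folder comparison in PowerShell, as an added example that is not part of the original thread or of BigFix content. The function name `Get-ProfileFolderStatus` and the output property names are hypothetical; like the relevance above, it only finds profiles whose ProfileList entry remains after the folder was removed.

```powershell
# Added example (not from the thread). Function and property names are hypothetical.
function Get-ProfileFolderStatus {
    [CmdletBinding()]
    param(
        # Same key the relevance statements in the thread read from.
        [string]$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    )

    # Service profile folders that the thread's relevance also filters out.
    $servicePattern = '\\(systemprofile|LocalService|NetworkService)$'

    Get-ChildItem -LiteralPath $ProfileListKey | ForEach-Object {
        $key = $_

        # Mirrors: keys whose (exists value "sid" of it)
        if ($key.GetValueNames() -notcontains 'Sid') { return }

        # RegistryKey.GetValue expands REG_EXPAND_SZ data such as %systemroot% by default.
        $path = $key.GetValue('ProfileImagePath')
        if ([string]::IsNullOrWhiteSpace($path)) { return }
        if ($path -match $servicePattern) { return }

        [pscustomobject]@{
            Sid          = $key.PSChildName
            UserName     = Split-Path -Path $path -Leaf
            ProfilePath  = $path
            # Mirrors: exists folder of (it)
            FolderExists = Test-Path -LiteralPath $path -PathType Container
        }
    }
}

# Entries that are still registered but whose profile folder is gone.
Get-ProfileFolderStatus | Where-Object { -not $_.FolderExists }
```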