Autoruns will enumerate the subkeys of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList since each subkey is the SID of an account. The enumeration includes service accounts as well as user accounts. The ProfileImagePath value contains the file system location of the user profile folder for the account. Autoruns uses that information to load that account's registry hive (ntuser.dat).
How/where does autoruns get startup info for a specific user? Seems broken.
Autoruns is returning data for wrong user:
It is returning contents of
/users/USER-1/appdata/roaming/microsoft/windows/start menu/programs/startup
when USER is set to USER-2, not USER-1, in the dropdown USER option, and when logged in as USER-2, who is a member of the admin group.
How does autoruns determine which user's appdata it is going to look in? It seems that for some reason the place that it looks has wrong data as to the user. If I knew where it looked, I could fix it.
Thanks.
-
pb 20 Reputation points
2025-02-12T18:50:44.69+00:00
Thanks so much for responding.
But...
I had already looked there and the ProfileImagePath for that user's SID is correct, as are the other users in that section, meaning they specify the correct home dir, in this case for the SID for user-2, \users\USER-2.
Whoami when logged in as user-2 returns user-2 and the correct sid.
When explorer is asked to open %appdata%\ , it opens the correct place for the correct user (USER-2).
Am I correct in understanding that the contents of ntuser.dat would correspond to what is in HKCU (when that user is logged in)? Because I am not finding the wrong user name in there.
How would I determine:
- Whether autoruns is loading the correct ntuser.dat.
- What in that hive would autoruns use to decide which appdata directory is appropriate?
Might there be somewhere where that user name indexes into the wrong sid (or vice-versa)?
Sorry, but I seem to need some hand-holding here.
--peter
-
RLWA32 47,206 Reputation points
2025-02-12T19:31:30.82+00:00
"Am I correct in understanding that the contents of ntuser.dat would correspond to what is in HKCU (when that user is logged in)?"
Yes.
If you want to see what Autoruns does you can use Sysinternals Process Monitor to observe its file system and registry activity. You can see it identify the user's profile folder and use the registry function RegLoadKey to load that user's hive.
%APPDATA% is an environment variable.
-
pb 20 Reputation points
2025-02-12T20:31:52.4833333+00:00
Thanks. Drat, for some reason my long reply vanished.
Anyway, I did just now try Procmon, and just filtered on autoruns64.exe, which turns out to have been sufficient, returning a mere half million events.
I then searched for USER-1 while logged in as USER-2, and discovered that the problem is that autoruns looks in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders to discover all the special folders. That place has the wrong info, namely the info for USER-1, not the correct USER-2. The very next operation is to access the startup directory for USER-1, so this seems to be the problem source.
That is my fault, because in order to avoid too much manual setting for USER-2, I copied much of the explorer settings for USER-1 into USER-2's registry. Seems I am too smart for my own good.
Incidentally, that particular registry section says to not use it, but instead use a couple of system calls such as SHGetFolderPath. (Which might simply look there for you, I dunno.)
Thanks so much for your help with this. Theoretically, I could have done all this without help, but would not have, due to past bad experience with procmon.
--peter
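An added example, not code from the thread, from Autoruns or from Sysinternals: this PowerShell script does by hand what the accepted answer describes Autoruns doing (walk ProfileList, take ProfileImagePath, load each ntuser.dat) and then applies the check pb's Process Monitor trace points at, reading the Startup value from Explorer\Shell Folders (and the REG_EXPAND_SZ variant under User Shell Folders) in every hive and flagging a cached path that lies outside that profile's own folder. The hive name prefix AuditHive_ and the Mismatch property are this example's own choices. It needs an elevated session because reg load requires the backup/restore privileges.

```powershell
#Requires -RunAsAdministrator
# Added example: audit each local profile's per-user Startup folder path.
# Hives of logged-on users are already mounted as HKU\<SID>; any other hive is
# loaded under a temporary name (AuditHive_<SID>, our own naming) and unloaded.

$profileList      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$shellFolders     = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$userShellFolders = 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

$results = foreach ($key in Get-ChildItem $profileList) {
    $sid = $key.PSChildName
    $profilePath = [Environment]::ExpandEnvironmentVariables(
        (Get-ItemProperty $key.PSPath).ProfileImagePath)
    $hiveFile = Join-Path $profilePath 'NTUSER.DAT'
    if (-not (Test-Path $hiveFile)) { continue }

    # Mirror Autoruns' RegLoadKey step for hives that are not already mounted.
    $mounted  = Test-Path "Registry::HKEY_USERS\$sid"
    $hiveName = if ($mounted) { $sid } else { "AuditHive_$sid" }
    if (-not $mounted) {
        & reg.exe load "HKU\$hiveName" $hiveFile | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $sid"; continue }
    }
    try {
        $sf  = Get-ItemProperty "Registry::HKEY_USERS\$hiveName\$shellFolders"     -ErrorAction SilentlyContinue
        $usf = Get-ItemProperty "Registry::HKEY_USERS\$hiveName\$userShellFolders" -ErrorAction SilentlyContinue
        $cached = $sf.Startup
        # User Shell Folders is REG_EXPAND_SZ (e.g. %USERPROFILE%\AppData\...); expand it
        # against THIS profile's folder rather than the auditing user's environment.
        $expandable = if ($usf.Startup) { $usf.Startup -replace '%USERPROFILE%', $profilePath } else { $null }
        [pscustomobject]@{
            SID            = $sid
            ProfilePath    = $profilePath
            ShellFolders   = $cached
            UserShellFldrs = $expandable
            # The condition from the thread: a cached Startup path under another user's profile.
            Mismatch       = [bool]($cached -and -not $cached.StartsWith($profilePath, 'OrdinalIgnoreCase'))
        }
    } finally {
        if (-not $mounted) {
            [GC]::Collect()   # drop provider handles so the unload does not fail with "access denied"
            & reg.exe unload "HKU\$hiveName" | Out-Null
        }
    }
}

$results | Format-Table -AutoSize
$results | Where-Object Mismatch | ForEach-Object {
    Write-Warning "$($_.SID): Shell Folders\Startup = $($_.ShellFolders) is outside $($_.ProfilePath)"
}
```

Run it as administrator; a row with Mismatch set to True reproduces the situation in this thread, where USER-2's hive carried USER-1's cached Startup path after the Explorer settings were copied between accounts. Fixing the value in that user's hive (or deleting it so Explorer rebuilds the cache) is what the trace suggests Autoruns would then pick up.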
-
pb 20 Reputation points
2025-02-12T22:07:33.8966667+00:00
2nd attempt:
Yes, I did see the comment about selecting an answer, and I answered, but it seems to be lost.
All I said was the answer seems to actually be my comment about where I found the error, but if you get points for providing the right answer, please feel free to mark anything as the answer.