[SOLVED] Need some help here.

Hi jccruz,

I see FRST updated itself, but please do not download older versions of FRST. FRST is updated frequently, sometimes multiple times a day, which means that older versions of FRST don't have the latest changes, such as fixes, improvements, new malware detections, etc., which means that logs from older versions cannot be used reliably anymore. I also want to warn you not to download from any source other than Geeks 2 Go or Bleeping Computer since only those two websites will always have the latest version. Any other site is managed by someone else not officially affiliated with the developer of FRST and therefore a recent copy of FRST cannot be guaranteed.

In the Windows menu,
  1. search for command prompt and choose Run as administrator.
  2. Copy and paste the following line in command prompt and press Enter; it will create a profile.txt file in the C:\ folder, the root directory. Attach this file to your post.
Code:
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" C:\Profile.txt


Solved... :)
Mind sharing how you solved it?
 
Mind sharing how you solved it?
I also wonder why, it just started to do "real logs", rather than a few lines (!!!)

Thanks in advance once more axe0, here is the result of the file produced...


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]
"Default"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,00,\
76,00,65,00,25,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,44,00,65,00,66,\
00,61,00,75,00,6c,00,74,00,00,00
"ProfilesDirectory"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,\
00,69,00,76,00,65,00,25,00,5c,00,55,00,73,00,65,00,72,00,73,00,00,00
"ProgramData"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,\
00,76,00,65,00,25,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,44,00,\
61,00,74,00,61,00,00,00
"Public"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,00,76,\
00,65,00,25,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,50,00,75,00,62,00,\
6c,00,69,00,63,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]
"Flags"=dword:0000000c
"ProfileImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,63,00,6f,00,6e,00,66,00,69,00,67,00,5c,00,73,00,79,00,73,00,74,00,65,\
00,6d,00,70,00,72,00,6f,00,66,00,69,00,6c,00,65,00,00,00
"RefCount"=dword:00000001
"Sid"=hex:01,01,00,00,00,00,00,05,12,00,00,00
"State"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"Flags"=dword:00000000
"ProfileImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,50,00,\
72,00,6f,00,66,00,69,00,6c,00,65,00,73,00,5c,00,4c,00,6f,00,63,00,61,00,6c,\
00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00
"State"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]
"Flags"=dword:00000000
"ProfileImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,50,00,\
72,00,6f,00,66,00,69,00,6c,00,65,00,73,00,5c,00,4e,00,65,00,74,00,77,00,6f,\
00,72,00,6b,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00
"State"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-1001]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,55,00,74,00,69,00,6c,00,69,00,7a,00,61,00,64,00,6f,00,72,00,00,00
"Flags"=dword:00000000
"FullProfile"=dword:00000001
"State"=dword:00000100
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
1b,e9,03,00,00
"LocalProfileLoadTimeLow"=dword:758adcfd
"LocalProfileLoadTimeHigh"=dword:01d87780
"ProfileAttemptedProfileDownloadTimeLow"=dword:00000000
"ProfileAttemptedProfileDownloadTimeHigh"=dword:00000000
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"LocalProfileUnloadTimeLow"=dword:8fe463a7
"LocalProfileUnloadTimeHigh"=dword:01d875e4
"RunLogonScriptSync"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-1002]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,6a,00,63,00,72,00,75,00,7a,00,00,00
"Flags"=dword:00000000
"FullProfile"=dword:00000001
"State"=dword:00000204
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
1b,ea,03,00,00
"LocalProfileLoadTimeLow"=dword:a36277d8
"LocalProfileLoadTimeHigh"=dword:01d73c05
"ProfileAttemptedProfileDownloadTimeLow"=dword:00000000
"ProfileAttemptedProfileDownloadTimeHigh"=dword:00000000
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"RunLogonScriptSync"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500.bak]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,41,00,64,00,6d,00,69,00,6e,00,69,00,73,00,74,00,72,00,61,00,64,00,6f,00,\
72,00,00,00
"Flags"=dword:00000000
"FullProfile"=dword:00000001
"State"=dword:00008100
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
1b,f4,01,00,00
"LocalProfileLoadTimeLow"=dword:01e4a831
"LocalProfileLoadTimeHigh"=dword:01d875e3
"ProfileAttemptedProfileDownloadTimeLow"=dword:00000000
"ProfileAttemptedProfileDownloadTimeHigh"=dword:00000000
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"RunLogonScriptSync"=dword:00000000
"LocalProfileUnloadTimeLow"=dword:9a5e8b1c
"LocalProfileUnloadTimeHigh"=dword:01d875e3
 
I also wonder why, it just started to do "real logs", rather than a few lines (!!!)

Where I mentioned a few lines, it was something like this:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-06-2022 01
Ran by Utilizador (administrator) on JCCRUZ (Hewlett-Packard HP EliteBook 840 G2) (04-06-2022 12:39:00)
Running from C:\Users\Utilizador\Desktop
Loaded Profiles: Utilizador
Platform: Microsoft Windows 10 Pro Version 21H2 19044.1706 (X64) Language: Português (Portugal)
Default browser: Edge
Boot Mode: Normal

==================== End of FRST.txt ========================
 
There does appear to be corruption present in the administrador account. Let's see if we can fix this.

EDIT: make sure to run these instructions from your normal account.

Run FRST Fix
Warning: This script was created for this specific system. Attempting to use the fix on another system may cause damage to the system.
  • Right-click FRST64.exe then click "Run as administrator".
  • Select the entire content of the code below including "Start::" and "End::", right-click and select "Copy"
  • Click Fix button once and wait
  • When finished, it will produce a log called Fixlog.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
deletekey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500.bak
startregedit:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,41,00,64,00,6d,00,69,00,6e,00,69,00,73,00,74,00,72,00,61,00,64,00,6f,00,\
72,00,00,00
"Flags"=dword:00000000
"FullProfile"=dword:00000001
"State"=dword:00008100
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
1b,f4,01,00,00
"LocalProfileLoadTimeLow"=dword:01e4a831
"LocalProfileLoadTimeHigh"=dword:01d875e3
"ProfileAttemptedProfileDownloadTimeLow"=dword:00000000
"ProfileAttemptedProfileDownloadTimeHigh"=dword:00000000
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"RunLogonScriptSync"=dword:00000000
"LocalProfileUnloadTimeLow"=dword:9a5e8b1c
"LocalProfileUnloadTimeHigh"=dword:01d875e3
endregedit:
End::

===============================================

In your next post
In your next post, please include the following. Make sure to copy and paste any requested logs unless asked to attach it.
  • Content of fixlog.txt
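As an added example (not FRST's or the forum's own code) of the check axe0 makes on the export above: a parser for the .reg file that `reg export` writes, which decodes the hex(2) ProfileImagePath and binary Sid values, converts the LoadTime dword pairs to UTC timestamps, and flags any ProfileList key ending in .bak. The embedded sample is constructed and its SID is a placeholder; the timestamp dwords are the ones from the thread's .bak key.

```python
# Added example (not FRST's or the forum's code): parse a ProfileList .reg export and flag .bak keys.
from datetime import datetime, timedelta, timezone
# Constructed sample in the same .reg format as the thread's C:\Profile.txt. The SID is
# a placeholder; the two timestamp dwords are the ones from the thread's .bak key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1111-2222-3333-500.bak]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,41,00,64,00,6d,00,69,00,6e,00,00,00
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,57,04,00,00,ae,08,00,00,05,0d,00,\
00,f4,01,00,00
"State"=dword:00008100
"LocalProfileLoadTimeLow"=dword:01e4a831
"LocalProfileLoadTimeHigh"=dword:01d875e3
"""

def _join_continuations(text):
    # reg export wraps long values with a trailing backslash; glue those lines back together
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            out.append(buf + line)
            buf = ""
    return out

def decode_value(raw):
    # dword = hex integer, hex(2) = REG_EXPAND_SZ as UTF-16LE bytes, hex = REG_BINARY
    to_bytes = lambda s: bytes(int(b, 16) for b in s.split(",") if b)
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        return to_bytes(raw[7:]).decode("utf-16-le").rstrip("\x00")
    if raw.startswith("hex:"):
        return to_bytes(raw[4:])
    return raw.strip('"')

def parse_reg_export(text):
    # returns {key path: {value name: decoded value}}
    keys, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, raw = line[1:].split('"=', 1)
            keys[current][name] = decode_value(raw)
    return keys

def sid_to_string(data):
    # binary SID layout: revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities
    count, authority = data[1], int.from_bytes(data[2:8], "big")
    subs = [int.from_bytes(data[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d-%s" % (data[0], authority, "-".join(map(str, subs)))

def filetime_to_datetime(high, low):
    # the *TimeHigh/*TimeLow dword pairs form a FILETIME: 100 ns ticks since 1601-01-01 UTC
    ticks = (high << 32) | low
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def find_profile_problems(keys):
    # flag .bak keys (Windows failed to load that profile) and Sid values that disagree with the key name
    profiles = {k.rsplit("\\", 1)[1]: v for k, v in keys.items() if "\\ProfileList\\" in k}
    problems = []
    for name, values in profiles.items():
        if "Sid" in values and sid_to_string(values["Sid"]) != name.replace(".bak", ""):
            problems.append((name, "Sid value does not match the key name"))
        if name.endswith(".bak"):
            problems.append((name, "backup key next to live key " + name[:-4] if name[:-4] in profiles
                             else "only the .bak key exists; the live key is missing"))
    return problems

if __name__ == "__main__":
    for name, message in find_profile_problems(parse_reg_export(SAMPLE_EXPORT)):
        print(name, "->", message)
```

Point it at the real export by replacing SAMPLE_EXPORT with the text of C:\Profile.txt (reg export writes it as UTF-16, so open it with that encoding).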
 
Thanks axe0, here is the content of fixlog.txt


Fix result of Farbar Recovery Scan Tool (x64) Version: 04-06-2022 01
Ran by Utilizador (04-06-2022 15:02:45) Run:2
Running from C:\Users\Utilizador\Desktop
Loaded Profiles: Utilizador
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
deletekey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500.bak
startregedit:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,41,00,64,00,6d,00,69,00,6e,00,69,00,73,00,74,00,72,00,61,00,64,00,6f,00,\
72,00,00,00
"Flags"=dword:00000000
"FullProfile"=dword:00000001
"State"=dword:00008100
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
1b,f4,01,00,00
"LocalProfileLoadTimeLow"=dword:01e4a831
"LocalProfileLoadTimeHigh"=dword:01d875e3
"ProfileAttemptedProfileDownloadTimeLow"=dword:00000000
"ProfileAttemptedProfileDownloadTimeHigh"=dword:00000000
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"RunLogonScriptSync"=dword:00000000
"LocalProfileUnloadTimeLow"=dword:9a5e8b1c
"LocalProfileUnloadTimeHigh"=dword:01d875e3
endregedit:

*****************

Restore point was successfully created.
Processes closed successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500.bak => removed successfully
Registry ====> A operação foi concluída com êxito.



The system needed a reboot.

==== End of Fixlog 15:03:00 ====
 
Can you try and login to the administrador account?

Has anything changed with the detection history in Windows Defender as in new things being detected?
 
Hi axe0, thanks for your support. I've logged in with the "Administrador" account and it keeps telling me that it's not possible to initiate the session (image); every time I log out/in the "preparing Windows" screen appears. As for the protection history, the page is still populated.

 
I was trying to see where the "Administrador" account appears, and it doesn't; it's created under a "TEMP" folder (???)
 
Yes, it is a temporary account.

The administrator account has to be enabled manually, it is an inbuilt account, and is commonly used for identifying profile corruption. This also means that any customization for its profile will be lost, so if you ever re-enable the account, any customization has to be applied again.

Let's reverse some changes.
Run FRST Fix
Warning: This script was created for this specific system. Attempting to use the fix on another system may cause damage to the system.
  • Right-click FRST64.exe then click "Run as administrator".
  • Select the entire content of the code below including "Start::" and "End::", right-click and select "Copy"
  • Click Fix button once and wait
  • When finished, it will produce a log called Fixlog.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
startregedit:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500.bak]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,41,00,64,00,6d,00,69,00,6e,00,69,00,73,00,74,00,72,00,61,00,64,00,6f,00,\
72,00,00,00
"Flags"=dword:00000000
"FullProfile"=dword:00000001
"State"=dword:00008100
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
1b,f4,01,00,00
"LocalProfileLoadTimeLow"=dword:01e4a831
"LocalProfileLoadTimeHigh"=dword:01d875e3
"ProfileAttemptedProfileDownloadTimeLow"=dword:00000000
"ProfileAttemptedProfileDownloadTimeHigh"=dword:00000000
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"RunLogonScriptSync"=dword:00000000
"LocalProfileUnloadTimeLow"=dword:9a5e8b1c
"LocalProfileUnloadTimeHigh"=dword:01d875e3
endregedit:
End::

===============================================

In your next post
In your next post, please include the following. Make sure to copy and paste any requested logs unless asked to attach it.
  • Content of fixlog.txt
 
Hi axe0, once again many thanks also for your explanation about admin account, here is the content of fixlog;

Fix result of Farbar Recovery Scan Tool (x64) Version: 04-06-2022 01
Ran by Utilizador (07-06-2022 19:21:00) Run:4
Running from C:\Users\Utilizador\Desktop
Loaded Profiles: Utilizador
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
startregedit:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500.bak]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,41,00,64,00,6d,00,69,00,6e,00,69,00,73,00,74,00,72,00,61,00,64,00,6f,00,\
72,00,00,00
"Flags"=dword:00000000
"FullProfile"=dword:00000001
"State"=dword:00008100
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
1b,f4,01,00,00
"LocalProfileLoadTimeLow"=dword:01e4a831
"LocalProfileLoadTimeHigh"=dword:01d875e3
"ProfileAttemptedProfileDownloadTimeLow"=dword:00000000
"ProfileAttemptedProfileDownloadTimeHigh"=dword:00000000
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"RunLogonScriptSync"=dword:00000000
"LocalProfileUnloadTimeLow"=dword:9a5e8b1c
"LocalProfileUnloadTimeHigh"=dword:01d875e3
endregedit:

*****************

Restore point was successfully created.
Processes closed successfully.
Registry ====> A operação foi concluída com êxito.



The system needed a reboot.

==== End of Fixlog 19:21:19 ====
 
Hi jccruz,

Just letting you know that my response will be delayed.

I aim to respond tomorrow, otherwise it'll be Saturday.
 
Hi jccruz,

An earlier attempt at finding out what the ransomware detections are was unsuccessful, so I want to ask you to check for the details on what has been detected.

I would also like you to do the following for the administrador profile corruption, it won't change anything but will give me insight into where other changes may be required.

Run FRST Fix
Warning: This script was created for this specific system. Attempting to use the fix on another system may cause damage to the system.
  • Right-click FRST64.exe then click "Run as administrator".
  • In the search box, enter SearchAll: S-1-5-21-3653589094-3565606866-458211961-500.bak
  • Click Search Files button once and wait
  • When finished, it will produce a log called Search.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

===============================================

In your next post
In your next post, please include the following. Make sure to copy and paste any requested logs unless asked to attach it.
  • What has the ransomware module detected?
  • Content of Search.txt
 
Hi axe0, thanks once more for your help. The ransomware module "blocks everything" I download; for example, yesterday I installed Python and the alert popped up, so I simply turn it off for now. I remember that this "behaviour" has happened since the moment I turned on the ransomware protection module. I attach two screenshots, one for the ransomware protection module, the other with the "alert" with the folder where one of the "detections" was...

Content of Search.txt


Farbar Recovery Scan Tool (x64) Version: 10-06-2022 01
Ran by Utilizador (11-06-2022 20:23:23)
Running from C:\Users\Utilizador\Desktop
Boot Mode: Normal

================== Search Files: "SearchAll: S-1-5-21-3653589094-3565606866-458211961-500.bak" =============

File:
========

folder:
========

Registry:
========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500.bak]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500.bak]
[HKEY_USERS\S-1-5-21-3653589094-3565606866-458211961-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="Computador\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500.bak"


====== End of Search ======





 
Hi axe0, after some research I found “the answer”, it seems that this particular “history folder” can’t be cleared...
 
What procedure are they referring to?
 
What procedure are they referring to?

They are referring to the procedure of clearing the protection history of Windows Defender (clearing the folder C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store), but this procedure does not affect the entries from the controlled folder access feature.
 
Something for you to read that I found when doing research on this: Windows 11 protection history remove - Page 5 - Windows 11
It is about the same problem, where they tried deleting folders in the History directory without any change in the detection history for the ransomware module.

Please run these instructions again. In the Windows menu,
  1. search for command prompt and choose Run as administrator.
  2. Copy and paste the following line in command prompt and press Enter; it will create a profile.txt file in the C:\ folder, the root directory. Post the content of this file in your post.
Code:
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" C:\Profile.txt
 
Something for you to read that I found when doing research on this: Windows 11 protection history remove - Page 5 - Windows 11
It is about the same problem, where they tried deleting folders in the History directory without any change in the detection history for the ransomware module.

Wherever they are hiding it, they are hiding it good.


Thanks for your help axe0, here is the content of C:\Profile.txt


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]
"Default"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,00,\
76,00,65,00,25,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,44,00,65,00,66,\
00,61,00,75,00,6c,00,74,00,00,00
"ProfilesDirectory"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,\
00,69,00,76,00,65,00,25,00,5c,00,55,00,73,00,65,00,72,00,73,00,00,00
"ProgramData"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,\
00,76,00,65,00,25,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,44,00,\
61,00,74,00,61,00,00,00
"Public"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,00,76,\
00,65,00,25,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,50,00,75,00,62,00,\
6c,00,69,00,63,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]
"Flags"=dword:0000000c
"ProfileImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,63,00,6f,00,6e,00,66,00,69,00,67,00,5c,00,73,00,79,00,73,00,74,00,65,\
00,6d,00,70,00,72,00,6f,00,66,00,69,00,6c,00,65,00,00,00
"RefCount"=dword:00000001
"Sid"=hex:01,01,00,00,00,00,00,05,12,00,00,00
"State"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"Flags"=dword:00000000
"ProfileImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,50,00,\
72,00,6f,00,66,00,69,00,6c,00,65,00,73,00,5c,00,4c,00,6f,00,63,00,61,00,6c,\
00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00
"State"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]
"Flags"=dword:00000000
"ProfileImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,50,00,\
72,00,6f,00,66,00,69,00,6c,00,65,00,73,00,5c,00,4e,00,65,00,74,00,77,00,6f,\
00,72,00,6b,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00
"State"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-1001]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,55,00,74,00,69,00,6c,00,69,00,7a,00,61,00,64,00,6f,00,72,00,00,00
"Flags"=dword:00000000
"FullProfile"=dword:00000001
"State"=dword:00000000
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
1b,e9,03,00,00
"LocalProfileLoadTimeLow"=dword:33fa6800
"LocalProfileLoadTimeHigh"=dword:01d87f22
"ProfileAttemptedProfileDownloadTimeLow"=dword:00000000
"ProfileAttemptedProfileDownloadTimeHigh"=dword:00000000
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"LocalProfileUnloadTimeLow"=dword:8fe463a7
"LocalProfileUnloadTimeHigh"=dword:01d875e4
"RunLogonScriptSync"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-1002]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,6a,00,63,00,72,00,75,00,7a,00,00,00
"Flags"=dword:00000000
"FullProfile"=dword:00000001
"State"=dword:00000204
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
1b,ea,03,00,00
"LocalProfileLoadTimeLow"=dword:a36277d8
"LocalProfileLoadTimeHigh"=dword:01d73c05
"ProfileAttemptedProfileDownloadTimeLow"=dword:00000000
"ProfileAttemptedProfileDownloadTimeHigh"=dword:00000000
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"RunLogonScriptSync"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3653589094-3565606866-458211961-500.bak]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,41,00,64,00,6d,00,69,00,6e,00,69,00,73,00,74,00,72,00,61,00,64,00,6f,00,\
72,00,00,00
"Flags"=dword:00000000
"FullProfile"=dword:00000001
"State"=dword:00008100
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,66,58,c5,d9,d2,d7,86,d4,79,c2,4f,\
1b,f4,01,00,00
"LocalProfileLoadTimeLow"=dword:01e4a831
"LocalProfileLoadTimeHigh"=dword:01d875e3
"ProfileAttemptedProfileDownloadTimeLow"=dword:00000000
"ProfileAttemptedProfileDownloadTimeHigh"=dword:00000000
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"RunLogonScriptSync"=dword:00000000
"LocalProfileUnloadTimeLow"=dword:9a5e8b1c
"LocalProfileUnloadTimeHigh"=dword:01d875e3
 
Hi,

Apologies for my delayed response.

I'm looking into the profile problem with this administrator account. I have also been given a suggestion of an option to delete the ransomware protection history, but I want to make sure that it doesn't get repeated first, otherwise we'd have to do it multiple times. That's where this question comes in: in the screenshot you provided about the ransomware history there is an environment variable used indicating the account that was logged in with. I assume you were logged in with your regular account when that happened?
 
