
7 posts in this topic

Posted

Recently used Password Renew on Hiren's boot disk to repair a laptop that had a single user account that had become corrupt.  While the app created an admin account which I was able to use to create new profiles, incl a spare admin account for support, when I then tried to delete the initial admin account, upon reboot it reappears...

If I delete it and logoff, it's not on the logon screen, so it seems to be getting recreated during the boot up process...  Any ideas how I can remove permanently?

Cheers


Posted

start > run > cmd > control userpasswords2

Remove it from there


Posted

> start > run > cmd > control userpasswords2
>
> Remove it from there

Will give that a go thanks...  Let you know if it does indeed fix it, although I'd like to know why it's reappearing in the first place!


Posted

Nope.. removed the account from userpasswords2, deleted the user folders.. reboot pc, and they are back!


Posted

> Nope.. removed the account from userpasswords2, deleted the user folders.. reboot pc, and they are back!

I can think of 3 possibilities

1. you have managed to put your computer in kiosk mode so all changes are being rolled back upon reboot

2. you have some kind of virus disallowing those accounts to be deleted

3. your hard drive is failing causing the files not to delete properly


Posted

> I can think of 3 possibilities
>
> 1. you have managed to put your computer in kiosk mode so all changes are being rolled back upon reboot
>
> 2. you have some kind of virus disallowing those accounts to be deleted
>
> 3. your hard drive is failing causing the files not to delete properly

1.  Wouldn't know how to do this, unless accidentally, but can't see anything obvious to suggest this.

2.  A possibility, but have run several scans using a few diff scanners incl Malwarebytes, and resident AVG

3.  Again, a possibility, as this could explain why profile became corrupt in first place, I'll run some scans...

Cheers


Posted

What is the RID on the account?

So can you run this command from an elevated cmd prompt

C:\>wmic useraccount get name,sid
Name SID
Administrator S-1-5-21-snipped-500
BudMan S-1-5-21-snipped-1000
Guest S-1-5-21-snipped-501
ntp S-1-5-21-snipped-1001

So you notice the Administrator RID, the number on the end after the -, is 500; this is the built-in account. You cannot delete this account. So you're saying this tool created an account; you sure it just didn't reset the password on the built-in account?

If you run the command above you should get the SID of all the accounts on the machine. You can snip out the meat of the SID for privacy concerns, I am just curious if this was a created account or the built-in one. Or you're thinking it's coming back if they named it admin or something and you're seeing the administrator account. If it's recreating the account then the RID would change also.

So if you run the command, then delete the account - does it have the same RID (the last number after the -)? Like my account budman is 1000, this was the first account created. If I delete budman, and create a new budman, that RID would be different. So for example, I created a test account:

see the RID of 1003, then deleted it and created an account with the same name test and the RID is now 1004
[attachment=359447:newaccount.png]
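
The RID comparison described in the post above, as an added example that is not part of the original thread: it parses two saved outputs of `wmic useraccount get name,sid` (one taken before deleting the account, one after the reboot) and reports whether an account is built-in, really gone, still the same account, or a new account recreated under the same name. The function names and both snapshots are constructed for illustration, with the `test` account's RIDs taken from the post's description.

```python
import re

# Well-known RIDs of built-in local accounts; these cannot be deleted.
BUILTIN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
# One data row of `wmic useraccount get name,sid`: name, whitespace, SID ending in -<RID>.
ROW = re.compile(r"^(?P<name>.+?)\s+(?P<sid>S-1-\S*-(?P<rid>\d+))$")

# Constructed snapshots (not real output), SIDs snipped as in the post above.
BEFORE = """Name SID
Administrator S-1-5-21-snipped-500
BudMan S-1-5-21-snipped-1000
Guest S-1-5-21-snipped-501
ntp S-1-5-21-snipped-1001
test S-1-5-21-snipped-1003
"""
AFTER = """Name SID
Administrator S-1-5-21-snipped-500
BudMan S-1-5-21-snipped-1000
Guest S-1-5-21-snipped-501
test S-1-5-21-snipped-1004
"""

def parse_accounts(wmic_output):
    """Return {lowercased account name: (sid, rid)} from wmic text output."""
    accounts = {}
    for line in wmic_output.splitlines():
        m = ROW.match(line.strip())
        if m:  # the header row and blank lines do not match
            accounts[m["name"].lower()] = (m["sid"], int(m["rid"]))
    return accounts

def classify(before, after, name):
    """Say what happened to `name` between the two snapshots."""
    key = name.lower()  # Windows account names are case-insensitive
    if key not in before:
        return "unknown"
    sid, rid = before[key]
    if rid in BUILTIN_RIDS:
        return "builtin"        # RID 500/501: the account cannot be deleted
    if key not in after:
        return "deleted"        # the removal persisted
    if after[key][0] == sid:
        return "same-account"   # same SID: the original account is still there
    return "recreated"          # same name, new RID: a new account was created

if __name__ == "__main__":
    before, after = parse_accounts(BEFORE), parse_accounts(AFTER)
    for name in ("Administrator", "BudMan", "ntp", "test"):
        print(f"{name}: {classify(before, after, name)}")
```

When feeding it real data, note that `wmic` output redirected to a file is UTF-16, so open the file with `encoding="utf-16"` before passing the text to `parse_accounts`.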
