Deleted admin account reappearing after reboot? W7x64



Recently used Password Renew on Hiren's boot disk to repair a laptop that had a single user account that had become corrupt. While the app created an admin account which I was able to use to create new profiles, incl a spare admin account for support, when I then tried to delete the initial admin account, upon reboot it reappears...

If I delete it and log off, it's not on the logon screen, so it seems to be getting recreated during the boot-up process... Any ideas how I can remove it permanently?

 

Cheers

 

 


 

 

start > run > cmd > control userpasswords2

Remove it from there

 

Will give that a go, thanks... Let you know if it does indeed fix it, although I'd like to know why it's reappearing in the first place!


Nope.. removed the account from userpasswords2, deleted the user folders.. reboot pc, and they are back!

I can think of 3 possibilities:

1. You have managed to put your computer in kiosk mode, so all changes are being rolled back upon reboot

2. You have some kind of virus disallowing those accounts to be deleted

3. Your hard drive is failing, causing the files not to delete properly


> I can think of 3 possibilities:
>
> 1. You have managed to put your computer in kiosk mode, so all changes are being rolled back upon reboot
>
> 2. You have some kind of virus disallowing those accounts to be deleted
>
> 3. Your hard drive is failing, causing the files not to delete properly

 

1. Wouldn't know how to do this, unless accidentally, but can't see anything obvious to suggest this.

2. A possibility, but have run several scans using a few diff scanners incl Malwarebytes, and resident AVG

3. Again, a possibility, as this could explain why the profile became corrupt in the first place, I'll run some scans...

 

Cheers


What is the RID on the account?

So can you run this command from an elevated cmd prompt?

C:\>wmic useraccount get name,sid
Name           SID
Administrator  S-1-5-21-snipped-500
BudMan         S-1-5-21-snipped-1000
Guest          S-1-5-21-snipped-501
ntp            S-1-5-21-snipped-1001

So you notice the Administrator RID, the number on the end after the -, is 500; this is the built-in account. You cannot delete this account. So you're saying this tool created an account; you sure it didn't just reset the password on the built-in account?

If you run the command above you should get the SID of all the accounts on the machine. You can snip out the meat of the SID for privacy concerns; I am just curious if this was a created account or the built-in one. Or you're thinking it's coming back if they named it admin or something and you're seeing the administrator account. If it's recreating the account then the RID would change also.

So if you run the command, then delete the account, does it have the same RID (the last number after the -)? Like my account BudMan is 1000; this was the first account created. If I delete BudMan and create a new BudMan, that RID would be different. So, for example, created a test account:

see the RID of 1003, then deleted it and created an account with the same name, test, and the RID is now 1004

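Added example (not part of the thread, and not any poster's code): the RID check described in the last post, applied to two saved copies of the `wmic useraccount get name,sid` output, one taken before deleting the account and one after the reboot. The sample SIDs, the account names `admin` and `support`, and the function names are constructed for illustration; reading an unchanged RID as "the deletion did not persist" is an interpretation of the post's point that a re-created account gets a new RID.

```python
import re

# Constructed sample output of `wmic useraccount get name,sid`, saved before
# deleting the account and again after the reboot (SIDs are made up).
BEFORE = """Name           SID
Administrator  S-1-5-21-1111111111-2222222222-3333333333-500
Guest          S-1-5-21-1111111111-2222222222-3333333333-501
admin          S-1-5-21-1111111111-2222222222-3333333333-1000
support        S-1-5-21-1111111111-2222222222-3333333333-1002
"""
AFTER_SAME = BEFORE                               # account came back unchanged
AFTER_RECREATED = BEFORE.replace("-1000", "-1005")  # account came back with a new RID

# Well-known RIDs of the built-in local accounts.
WELL_KNOWN = {500: "Administrator", 501: "Guest"}

# name, whitespace, SID; the RID is the number after the last "-".
# Also accepts SIDs with the middle snipped, as posted in the thread.
ROW = re.compile(r"^(.+?)\s+S-1-\S*-(\d+)\s*$")

def parse_wmic(text):
    """Return {lower-cased account name: RID} from wmic table output."""
    accounts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match and are skipped
            accounts[m.group(1).strip().lower()] = int(m.group(2))
    return accounts

def classify(name, before, after):
    """Say what happened to `name` between the two snapshots."""
    old = parse_wmic(before).get(name.lower())
    new = parse_wmic(after).get(name.lower())
    if new is None:
        return "gone"
    if new in WELL_KNOWN:
        return f"built-in {WELL_KNOWN[new]} (RID {new}): cannot be deleted"
    if old is None:
        return f"new account (RID {new})"
    if old == new:
        return f"same account, RID {new}: the deletion did not persist"
    return f"re-created: RID changed {old} -> {new}"

if __name__ == "__main__":
    print(classify("admin", BEFORE, AFTER_SAME))
    print(classify("admin", BEFORE, AFTER_RECREATED))
```
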