DrScouse Posted March 27, 2014 Share Posted March 27, 2014 Recently used Password Renew on Hirens boot disk to repair a laptop that had a single user account than had become corrupt. While the app created an admin account which I was able to use to create new profiles, incl a spare admin account for support, when I then tried to delete the initial admin account, upon reboot it reappears... If I delete it and logoff, its not on the logon screen, so it seems to be getting recreated during the boot up process... Any ideas how I can remove permanently? Cheers Link to comment Share on other sites More sharing options...
n_K Posted March 27, 2014 Share Posted March 27, 2014 start > run > cmd > control userpasswords2 Remove it from there Link to comment Share on other sites More sharing options...
DrScouse Posted March 27, 2014 Author Share Posted March 27, 2014 start > run > cmd > control userpasswords2 Remove it from there Will give that a go thanks... Let you know if it does indeed fix it, although Id ike to know why its reappearing in the first place! Link to comment Share on other sites More sharing options...
DrScouse Posted April 1, 2014 Author Share Posted April 1, 2014 Nope.. removed the account from userpasswords2, deleted the user folders.. reboot pc, and they are back! Link to comment Share on other sites More sharing options...
Brandon H Supervisor Posted April 1, 2014 Supervisor Share Posted April 1, 2014 Nope.. removed the account from userpasswords2, deleted the user folders.. reboot pc, and they are back! i can think of 3 possibilities 1. you have managed to put your computer in kiosk mode so all changes are being rolled back upon reboot 2. you have some kind of virus disallowing those accounts to be deleted 3. your hard drive is failing causing the files not to delete properly Link to comment Share on other sites More sharing options...
DrScouse Posted April 1, 2014 Author Share Posted April 1, 2014 i can think of 3 possibilities 1. you have managed to put your computer in kiosk mode so all changes are being rolled back upon reboot 2. you have some kind of virus disallowing those accounts to be deleted 3. your hard drive is failing causing the files not to delete properly 1. Wouldn't know how to do this, unless accidently, but cant see anything obvious to suggest this. 2. A possibility, but have run several scan using a few diff scanners incl Malwarebytes, and resident AVG 3. Again, a possibility, as this could explain why profile became corrupt in first place, Ill run some scans... Cheers Link to comment Share on other sites More sharing options...
+BudMan MVC Posted April 1, 2014 MVC Share Posted April 1, 2014 What is the RID on the account? So can you run this command from a elevated cmd prompt C:\>wmic useraccount get name,sid Name SID Administrator S-1-5-21-snipped-500 BudMan S-1-5-21-snipped-1000 Guest S-1-5-21-snipped-501 ntp S-1-5-21-snipped-1001 So you notice the Administrator RID the number on the end after the - is 500, this is the built in account. You can not delete this account.. So your saying this tool created an account, you sure it just didn't reset the password on the built in account. If you run the command above you should get the SID of all the accounts on the machine. You can snip out the meat of the SID for privacy concerns, I am just curious if this was created account or the built in one.. Or your thinking its coming back if they named it admin or something and your seeing the administrator account. If its recreating the account then the RID would change also. So if you run command, then delete the account - does it have the same RID (the last number after the -) Like my account budman is 1000, this was the first account created. If I delete budman, and create a new budman that rid would be different.. So example, created a test account see the RID of 1003, then deleted it and created account with same name test and the RID is now 1004 Link to comment Share on other sites More sharing options...
Recommended Posts