Discussion:
slow boot : Please Wait for the User Profile Service
(too old to reply)
Mike S
2018-05-05 01:17:05 UTC
Permalink
About once a week for the past 3 weeks my w7 x64 ult boots really slow,
taking over a minute for the desktop to appear. I see, "Please wait for
the User Profile Service" for many seconds, then a black screen for
another long delay, and finally the desktop. I read somewhere that
flushing the DNS cache resolved this for some people, and it seems like
that has been working for me, whenever I do that I get about a week or
normal boot speeds. Does anyone have any idea what is causing this and
how to resolve it? Should I figure out how to run a script at shutdown
to flush the DNS cache every shutdown?
VanguardLH
2018-05-05 03:02:13 UTC
Permalink
Post by Mike S
About once a week for the past 3 weeks my w7 x64 ult boots really slow,
taking over a minute for the desktop to appear. I see, "Please wait for
the User Profile Service" for many seconds, then a black screen for
another long delay, and finally the desktop. I read somewhere that
flushing the DNS cache resolved this for some people, and it seems like
that has been working for me, whenever I do that I get about a week or
normal boot speeds. Does anyone have any idea what is causing this and
how to resolve it? Should I figure out how to run a script at shutdown
to flush the DNS cache every shutdown?
The User Profile Service manages the user profiles after Windows startup
followed by loading whatever user profile into which you log into (aka
Windows account). Profiles can be copied, deleted, added/created, and
even become corrupt. Because of possible corruption of a user profile
is why you should NEVER use the Administrator account as your own
personal account. Administrator should be left alone for use only in
emergencies. If you run out of admin-level Windows accounts, you lose
control of managing Windows.

In the services manager (services.msc), the following is the description
for the User Profile Service:

This service is responsible for loading and unloading user profiles.
If this service is stopped or disabled, users will no longer be able
to successfully logon or logoff, applications may have problems
getting to users' data, and components registered to receive profile
event notifications will not receive them.

I recall but not the specifics that there was something about fixing the
shutdown of this service upon Windows shutdown. I think it was called
the User Profile Hive Cleanup Service (UPHClean). I used it back in
Windows XP but didn't need it thereafter.

http://www.majorgeeks.com/files/details/microsoft_user_profile_hive_cleanup_service.html
https://searchenterprisedesktop.techtarget.com/tip/Use-UPHCLEAN-to-fix-profile-problems

These kind of OS-specific fixes is why I do *not* upgrade to a new
version of Windows. I start with a fresh install of the OS and then
review what apps to install again but in the fresh OS install and
migrate my data from my backups. You don't want to be lugging along
fixes for the prior OS that are not applicable or incompatible with the
new OS. Upgrades can be faster but they carry along more pollution.

You could try restoring your user profile folder (%userprofile%) from
your backups that were saved before the problem arose. Else, you could
create a new user profile (Windows account) and copy what you can from
your old profile folder.

https://neosmart.net/wiki/corrupt-user-profile/

You need an admin-level Windows account to create or manage profiles and
why I mentioned you should NEVER use the Administrator account except in
these type of emergencies. In fact, after installing Windows, I usually
create a secondary admin-level account called AdminBackup (in addition
to my own personal-use account since I do too many things that require
admin privs so a restricted user account is not an option). Instead and
for quite a while, I rely on backups to get me back to a prior working
state.

Your user profile is in the file system on your storage media (disk).
Like with any file system, a defective drive could cause corruption of
the file system or of the files themselves. When was the last time you
ran "chkdsk c: /r"? Do you have a drive monitor running that checks the
S.M.A.R.T. attributes to monitor the health of your drive(s)?

https://blogs.technet.microsoft.com/askds/2010/10/20/mythical-creatures-corrupt-user-profiles/

I've encountered only 1 actually corrupted user profile so I know it can
happen. There were no backups so it was easier to create a new user
profile and move on with that. With users installing lots of software
without realizing the impact on load during startup, often they neglect
that some of that software adds startup programs, services, WinLogon
events, logon scripts by account, and other means of loading software on
starting Windows or as part of the logon process.

That flushing the local DNS cache ("ipconfig /flushdns") temporarily
eliminates the logon hang is more likely due to some software you choose
to install and loads on either Windows startup or upon login. For
example, maybe you are running a local caching DNS proxy that loads on
Windows startup or login, and it has a problem with the Windows' DNS
Client's cache. When the problem arises next time, see what happens
when you boot into Windows' safe mode. That eliminates loading of
startup programs and non-critical services. You could also peek into
Event Viewer to see if it reports problems at the time of a Windows
startup and login.
Mike S
2018-05-05 09:06:42 UTC
Permalink
Post by VanguardLH
Post by Mike S
About once a week for the past 3 weeks my w7 x64 ult boots really slow,
taking over a minute for the desktop to appear. I see, "Please wait for
the User Profile Service" for many seconds, then a black screen for
another long delay, and finally the desktop. I read somewhere that
flushing the DNS cache resolved this for some people, and it seems like
that has been working for me, whenever I do that I get about a week or
normal boot speeds. Does anyone have any idea what is causing this and
how to resolve it? Should I figure out how to run a script at shutdown
to flush the DNS cache every shutdown?
The User Profile Service manages the user profiles after Windows startup
followed by loading whatever user profile into which you log into (aka
Windows account). Profiles can be copied, deleted, added/created, and
even become corrupt. Because of possible corruption of a user profile
is why you should NEVER use the Administrator account as your own
personal account. Administrator should be left alone for use only in
emergencies. If you run out of admin-level Windows accounts, you lose
control of managing Windows.
In the services manager (services.msc), the following is the description
This service is responsible for loading and unloading user profiles.
If this service is stopped or disabled, users will no longer be able
to successfully logon or logoff, applications may have problems
getting to users' data, and components registered to receive profile
event notifications will not receive them.
I recall but not the specifics that there was something about fixing the
shutdown of this service upon Windows shutdown. I think it was called
the User Profile Hive Cleanup Service (UPHClean). I used it back in
Windows XP but didn't need it thereafter.
http://www.majorgeeks.com/files/details/microsoft_user_profile_hive_cleanup_service.html
https://searchenterprisedesktop.techtarget.com/tip/Use-UPHCLEAN-to-fix-profile-problems
These kind of OS-specific fixes is why I do *not* upgrade to a new
version of Windows. I start with a fresh install of the OS and then
review what apps to install again but in the fresh OS install and
migrate my data from my backups. You don't want to be lugging along
fixes for the prior OS that are not applicable or incompatible with the
new OS. Upgrades can be faster but they carry along more pollution.
You could try restoring your user profile folder (%userprofile%) from
your backups that were saved before the problem arose. Else, you could
create a new user profile (Windows account) and copy what you can from
your old profile folder.
https://neosmart.net/wiki/corrupt-user-profile/
You need an admin-level Windows account to create or manage profiles and
why I mentioned you should NEVER use the Administrator account except in
these type of emergencies. In fact, after installing Windows, I usually
create a secondary admin-level account called AdminBackup (in addition
to my own personal-use account since I do too many things that require
admin privs so a restricted user account is not an option). Instead and
for quite a while, I rely on backups to get me back to a prior working
state.
Your user profile is in the file system on your storage media (disk).
Like with any file system, a defective drive could cause corruption of
the file system or of the files themselves. When was the last time you
ran "chkdsk c: /r"? Do you have a drive monitor running that checks the
S.M.A.R.T. attributes to monitor the health of your drive(s)?
https://blogs.technet.microsoft.com/askds/2010/10/20/mythical-creatures-corrupt-user-profiles/
I've encountered only 1 actually corrupted user profile so I know it can
happen. There were no backups so it was easier to create a new user
profile and move on with that. With users installing lots of software
without realizing the impact on load during startup, often they neglect
that some of that software adds startup programs, services, WinLogon
events, logon scripts by account, and other means of loading software on
starting Windows or as part of the logon process.
That flushing the local DNS cache ("ipconfig /flushdns") temporarily
eliminates the logon hang is more likely due to some software you choose
to install and loads on either Windows startup or upon login. For
example, maybe you are running a local caching DNS proxy that loads on
Windows startup or login, and it has a problem with the Windows' DNS
Client's cache. When the problem arises next time, see what happens
when you boot into Windows' safe mode. That eliminates loading of
startup programs and non-critical services. You could also peek into
Event Viewer to see if it reports problems at the time of a Windows
startup and login.
Thank you VanguardLH.
D***@MadCow.net
2018-05-06 19:56:44 UTC
Permalink
Post by VanguardLH
Post by Mike S
About once a week for the past 3 weeks my w7 x64 ult boots really slow,
taking over a minute for the desktop to appear. I see, "Please wait for
the User Profile Service" for many seconds, then a black screen for
another long delay, and finally the desktop. I read somewhere that
flushing the DNS cache resolved this for some people, and it seems like
that has been working for me, whenever I do that I get about a week or
normal boot speeds. Does anyone have any idea what is causing this and
how to resolve it? Should I figure out how to run a script at shutdown
to flush the DNS cache every shutdown?
The User Profile Service manages the user profiles after Windows startup
followed by loading whatever user profile into which you log into (aka
Windows account). Profiles can be copied, deleted, added/created, and
even become corrupt. Because of possible corruption of a user profile
is why you should NEVER use the Administrator account as your own
personal account. Administrator should be left alone for use only in
emergencies. If you run out of admin-level Windows accounts, you lose
control of managing Windows.
In the services manager (services.msc), the following is the description
This service is responsible for loading and unloading user profiles.
If this service is stopped or disabled, users will no longer be able
to successfully logon or logoff, applications may have problems
getting to users' data, and components registered to receive profile
event notifications will not receive them.
I recall but not the specifics that there was something about fixing the
shutdown of this service upon Windows shutdown. I think it was called
the User Profile Hive Cleanup Service (UPHClean). I used it back in
Windows XP but didn't need it thereafter.
http://www.majorgeeks.com/files/details/microsoft_user_profile_hive_cleanup_service.html
https://searchenterprisedesktop.techtarget.com/tip/Use-UPHCLEAN-to-fix-profile-problems
These kind of OS-specific fixes is why I do *not* upgrade to a new
version of Windows. I start with a fresh install of the OS and then
review what apps to install again but in the fresh OS install and
migrate my data from my backups. You don't want to be lugging along
fixes for the prior OS that are not applicable or incompatible with the
new OS. Upgrades can be faster but they carry along more pollution.
You could try restoring your user profile folder (%userprofile%) from
your backups that were saved before the problem arose. Else, you could
create a new user profile (Windows account) and copy what you can from
your old profile folder.
https://neosmart.net/wiki/corrupt-user-profile/
You need an admin-level Windows account to create or manage profiles and
why I mentioned you should NEVER use the Administrator account except in
these type of emergencies. In fact, after installing Windows, I usually
create a secondary admin-level account called AdminBackup (in addition
to my own personal-use account since I do too many things that require
admin privs so a restricted user account is not an option). Instead and
for quite a while, I rely on backups to get me back to a prior working
state.
Your user profile is in the file system on your storage media (disk).
Like with any file system, a defective drive could cause corruption of
the file system or of the files themselves. When was the last time you
ran "chkdsk c: /r"? Do you have a drive monitor running that checks the
S.M.A.R.T. attributes to monitor the health of your drive(s)?
https://blogs.technet.microsoft.com/askds/2010/10/20/mythical-creatures-corrupt-user-profiles/
I've encountered only 1 actually corrupted user profile so I know it can
happen. There were no backups so it was easier to create a new user
profile and move on with that. With users installing lots of software
without realizing the impact on load during startup, often they neglect
that some of that software adds startup programs, services, WinLogon
events, logon scripts by account, and other means of loading software on
starting Windows or as part of the logon process.
That flushing the local DNS cache ("ipconfig /flushdns") temporarily
eliminates the logon hang is more likely due to some software you choose
to install and loads on either Windows startup or upon login. For
example, maybe you are running a local caching DNS proxy that loads on
Windows startup or login, and it has a problem with the Windows' DNS
Client's cache. When the problem arises next time, see what happens
when you boot into Windows' safe mode. That eliminates loading of
startup programs and non-critical services. You could also peek into
Event Viewer to see if it reports problems at the time of a Windows
startup and login.
Thanks for a lot of info.

I have Win 7 Pro. User Accounts only shows 2 Accounts:

- My Account which is says my user name and Administrator

- Guest Account.

I use Macrium Reflect regularly to have recent backups of Windows and
all installed programs. Whenever I want to make some significant
change, I will make an image first. Then after the change seems to
work ok, I'll make another image. I keep a notebook log on all that
kind of stuff.

2 questions:

To avoid losing the only Administrator account, should I create
another Administrator account and not use it unless my account gets
trashed?

Above, you said "I rely on backups to get me back to a prior working
state." Can you explain what backups you mean?

thanks.

DC
Paul
2018-05-06 20:56:32 UTC
Permalink
Post by D***@MadCow.net
Post by VanguardLH
Post by Mike S
About once a week for the past 3 weeks my w7 x64 ult boots really slow,
taking over a minute for the desktop to appear. I see, "Please wait for
the User Profile Service" for many seconds, then a black screen for
another long delay, and finally the desktop. I read somewhere that
flushing the DNS cache resolved this for some people, and it seems like
that has been working for me, whenever I do that I get about a week or
normal boot speeds. Does anyone have any idea what is causing this and
how to resolve it? Should I figure out how to run a script at shutdown
to flush the DNS cache every shutdown?
The User Profile Service manages the user profiles after Windows startup
followed by loading whatever user profile into which you log into (aka
Windows account). Profiles can be copied, deleted, added/created, and
even become corrupt. Because of possible corruption of a user profile
is why you should NEVER use the Administrator account as your own
personal account. Administrator should be left alone for use only in
emergencies. If you run out of admin-level Windows accounts, you lose
control of managing Windows.
In the services manager (services.msc), the following is the description
This service is responsible for loading and unloading user profiles.
If this service is stopped or disabled, users will no longer be able
to successfully logon or logoff, applications may have problems
getting to users' data, and components registered to receive profile
event notifications will not receive them.
I recall but not the specifics that there was something about fixing the
shutdown of this service upon Windows shutdown. I think it was called
the User Profile Hive Cleanup Service (UPHClean). I used it back in
Windows XP but didn't need it thereafter.
http://www.majorgeeks.com/files/details/microsoft_user_profile_hive_cleanup_service.html
https://searchenterprisedesktop.techtarget.com/tip/Use-UPHCLEAN-to-fix-profile-problems
These kind of OS-specific fixes is why I do *not* upgrade to a new
version of Windows. I start with a fresh install of the OS and then
review what apps to install again but in the fresh OS install and
migrate my data from my backups. You don't want to be lugging along
fixes for the prior OS that are not applicable or incompatible with the
new OS. Upgrades can be faster but they carry along more pollution.
You could try restoring your user profile folder (%userprofile%) from
your backups that were saved before the problem arose. Else, you could
create a new user profile (Windows account) and copy what you can from
your old profile folder.
https://neosmart.net/wiki/corrupt-user-profile/
You need an admin-level Windows account to create or manage profiles and
why I mentioned you should NEVER use the Administrator account except in
these type of emergencies. In fact, after installing Windows, I usually
create a secondary admin-level account called AdminBackup (in addition
to my own personal-use account since I do too many things that require
admin privs so a restricted user account is not an option). Instead and
for quite a while, I rely on backups to get me back to a prior working
state.
Your user profile is in the file system on your storage media (disk).
Like with any file system, a defective drive could cause corruption of
the file system or of the files themselves. When was the last time you
ran "chkdsk c: /r"? Do you have a drive monitor running that checks the
S.M.A.R.T. attributes to monitor the health of your drive(s)?
https://blogs.technet.microsoft.com/askds/2010/10/20/mythical-creatures-corrupt-user-profiles/
I've encountered only 1 actually corrupted user profile so I know it can
happen. There were no backups so it was easier to create a new user
profile and move on with that. With users installing lots of software
without realizing the impact on load during startup, often they neglect
that some of that software adds startup programs, services, WinLogon
events, logon scripts by account, and other means of loading software on
starting Windows or as part of the logon process.
That flushing the local DNS cache ("ipconfig /flushdns") temporarily
eliminates the logon hang is more likely due to some software you choose
to install and loads on either Windows startup or upon login. For
example, maybe you are running a local caching DNS proxy that loads on
Windows startup or login, and it has a problem with the Windows' DNS
Client's cache. When the problem arises next time, see what happens
when you boot into Windows' safe mode. That eliminates loading of
startup programs and non-critical services. You could also peek into
Event Viewer to see if it reports problems at the time of a Windows
startup and login.
Thanks for a lot of info.
- My Account which is says my user name and Administrator
- Guest Account.
I use Macrium Reflect regularly to have recent backups of Windows and
all installed programs. Whenever I want to make some significant
change, I will make an image first. Then after the change seems to
work ok, I'll make another image. I keep a notebook log on all that
kind of stuff.
To avoid losing the only Administrator account, should I create
another Administrator account and not use it unless my account gets
trashed?
Above, you said "I rely on backups to get me back to a prior working
state." Can you explain what backups you mean?
thanks.
DC
Using a Macrium emergency boot disc, you are Administrator at
that time. And you have permission to replace the entire C:
and System Reserved, with the one recorded in the MRIMG file.

If you want to create another account, then go to Groups
and add the Administrator Group to the account, that will
give you a spare account to use.

control userpasswords2

That should offer some options.

Paul
D***@MadCow.net
2018-05-06 21:28:46 UTC
Permalink
Post by Paul
Post by D***@MadCow.net
Post by VanguardLH
Post by Mike S
About once a week for the past 3 weeks my w7 x64 ult boots really slow,
taking over a minute for the desktop to appear. I see, "Please wait for
the User Profile Service" for many seconds, then a black screen for
another long delay, and finally the desktop. I read somewhere that
flushing the DNS cache resolved this for some people, and it seems like
that has been working for me, whenever I do that I get about a week or
normal boot speeds. Does anyone have any idea what is causing this and
how to resolve it? Should I figure out how to run a script at shutdown
to flush the DNS cache every shutdown?
The User Profile Service manages the user profiles after Windows startup
followed by loading whatever user profile into which you log into (aka
Windows account). Profiles can be copied, deleted, added/created, and
even become corrupt. Because of possible corruption of a user profile
is why you should NEVER use the Administrator account as your own
personal account. Administrator should be left alone for use only in
emergencies. If you run out of admin-level Windows accounts, you lose
control of managing Windows.
In the services manager (services.msc), the following is the description
This service is responsible for loading and unloading user profiles.
If this service is stopped or disabled, users will no longer be able
to successfully logon or logoff, applications may have problems
getting to users' data, and components registered to receive profile
event notifications will not receive them.
I recall but not the specifics that there was something about fixing the
shutdown of this service upon Windows shutdown. I think it was called
the User Profile Hive Cleanup Service (UPHClean). I used it back in
Windows XP but didn't need it thereafter.
http://www.majorgeeks.com/files/details/microsoft_user_profile_hive_cleanup_service.html
https://searchenterprisedesktop.techtarget.com/tip/Use-UPHCLEAN-to-fix-profile-problems
These kind of OS-specific fixes is why I do *not* upgrade to a new
version of Windows. I start with a fresh install of the OS and then
review what apps to install again but in the fresh OS install and
migrate my data from my backups. You don't want to be lugging along
fixes for the prior OS that are not applicable or incompatible with the
new OS. Upgrades can be faster but they carry along more pollution.
You could try restoring your user profile folder (%userprofile%) from
your backups that were saved before the problem arose. Else, you could
create a new user profile (Windows account) and copy what you can from
your old profile folder.
https://neosmart.net/wiki/corrupt-user-profile/
You need an admin-level Windows account to create or manage profiles and
why I mentioned you should NEVER use the Administrator account except in
these type of emergencies. In fact, after installing Windows, I usually
create a secondary admin-level account called AdminBackup (in addition
to my own personal-use account since I do too many things that require
admin privs so a restricted user account is not an option). Instead and
for quite a while, I rely on backups to get me back to a prior working
state.
Your user profile is in the file system on your storage media (disk).
Like with any file system, a defective drive could cause corruption of
the file system or of the files themselves. When was the last time you
ran "chkdsk c: /r"? Do you have a drive monitor running that checks the
S.M.A.R.T. attributes to monitor the health of your drive(s)?
https://blogs.technet.microsoft.com/askds/2010/10/20/mythical-creatures-corrupt-user-profiles/
I've encountered only 1 actually corrupted user profile so I know it can
happen. There were no backups so it was easier to create a new user
profile and move on with that. With users installing lots of software
without realizing the impact on load during startup, often they neglect
that some of that software adds startup programs, services, WinLogon
events, logon scripts by account, and other means of loading software on
starting Windows or as part of the logon process.
That flushing the local DNS cache ("ipconfig /flushdns") temporarily
eliminates the logon hang is more likely due to some software you choose
to install and loads on either Windows startup or upon login. For
example, maybe you are running a local caching DNS proxy that loads on
Windows startup or login, and it has a problem with the Windows' DNS
Client's cache. When the problem arises next time, see what happens
when you boot into Windows' safe mode. That eliminates loading of
startup programs and non-critical services. You could also peek into
Event Viewer to see if it reports problems at the time of a Windows
startup and login.
Thanks for a lot of info.
- My Account which is says my user name and Administrator
- Guest Account.
I use Macrium Reflect regularly to have recent backups of Windows and
all installed programs. Whenever I want to make some significant
change, I will make an image first. Then after the change seems to
work ok, I'll make another image. I keep a notebook log on all that
kind of stuff.
To avoid losing the only Administrator account, should I create
another Administrator account and not use it unless my account gets
trashed?
Above, you said "I rely on backups to get me back to a prior working
state." Can you explain what backups you mean?
thanks.
DC
Using a Macrium emergency boot disc, you are Administrator at
and System Reserved, with the one recorded in the MRIMG file.
If you want to create another account, then go to Groups
and add the Administrator Group to the account, that will
give you a spare account to use.
control userpasswords2
That should offer some options.
Paul
I Googled "add the Administrator Group" and "control userpasswords2".
Looks like I have some reading to do.

Amazing what a person can find when you have the right keywords!

Thanks, Paul.

DC
VanguardLH
2018-05-06 21:26:15 UTC
Permalink
Post by D***@MadCow.net
- My Account which is says my user name and Administrator
- Guest Account.
The User Accounts app will not show hidden accounts. By default, the
Administrator account is hidden.

https://www.howtogeek.com/howto/windows-vista/enable-the-hidden-administrator-account-on-windows-vista/

Since the Administrator account should ONLY be used in emergencies, tis
probably better to leave it hidden. Instead of using the cutsy
bobble-head logon screen that divulges half of the security of a login
(the username) and because I'd rather specify the account than pick one
in a list, I configured Windows to show the standard login screen. It
has one big security advantage over the bobble-head login screen: it
guarantees the login credentials were captured only by the OS because
that is the OS presenting the login window, not some malware pretending
to be a login screen (Windows intercepts the Ctrl+Alt+Del keyboard scan
code to ensure the login screen you see is the one from the OS). I
don't need the Administrator account listed in the bobble-heads login
window. I can simply enter "Administrator" as the account name in the
standard login screen (Loading Image...).

control.exe userpasswords2

Users tab:
"Users must enter a user name and password to use this computer":
Enabled
(auto-login means anyone can physcially use your account on that
computer even with a locked screen saver - just reboot)

Advanced tab:
Secure login - Requires users to press Ctrl+Alt+Delete
Enabled
Post by D***@MadCow.net
I use Macrium Reflect regularly to have recent backups of Windows and
all installed programs. Whenever I want to make some significant
change, I will make an image first. Then after the change seems to
work ok, I'll make another image. I keep a notebook log on all that
kind of stuff.
If UAC is enabled, you get a prompt to allow Macrium run with admin
privileges. Backup jobs scheduled in Macrium create Task Scheduler
events that run under the SYSTEM account.
Post by D***@MadCow.net
To avoid losing the only Administrator account, should I create
another Administrator account and not use it unless my account gets
trashed?
Your normal logon is in the Administrators newsgroup. When you see your
Windows account with "Administrator" under in the User Accounts wizard,
that only means that Windows account was added to the Administrators
security group. Your account is likely also a member of the Home Users
security group. An account can be included in multiple security groups.
To see some more info about your account, run:

control.exe userpasswords2

Alas, I have the Home edition which does not include the group policy
editor (gpedit.msc). That would let you see a list of the security
groups by their names. As I recall, it also listed the privileges of
each one.

You can use "net user" to get a list of Windows accounts (that you're
allowed to use). To get more info on your account, like to which
security groups your account is assigned, run:

net user <youraccount>

To see which account is attached to which security group, run "net
localgroup <securitygroup>". For example:

net localgroup (list all the user security groups)
net localgroup Administrators (all in the Administrator security group)
net localgroup homeusers (all in the Home Users security group)

Getting a list of what privileges (aka permissions) are specified in
which security group (SYSTEM, Administrators, Home Users, etc) is more
tricky requiring, for example, use of the icacls command. I only touch
that when I'm forced to so I'm not expert with it. That's why I miss
the gpedit.msc wizard in the Home edition. I'm not talking about folder
and file permissions (ACLs, or access control lists) in NTFS that you
can see in Windows Explorer by right-clicking a folder or file, pick
Properties from the context menu, and looking under the Security tab.
There are permissions in security groups (to which accounts are
assigned) that say what that account can do in the OS. File permissions
in NTFS is a separate security mechanism but can also be assigned by
account name or security group.

If you perform regularly scheduled backups (so they actually get done
instead of relying on you to do them), you don't need a backup
Administrator account. When you restore from an image backup, you'll
get back your user profile just like it was at backup time.

If you don't do backups then, yes, make sure the admin-level account you
use is one that was created for you, not the Administrator account.
Only use the Administrator account in emergencies. Awhile back, I also
created a duplicate of the Administrator account: create a new account
as an administrator (i.e., in the Administrators security group) named
something like AdminBackup, and never touch it unless somehow you screw
up the Administrators account which you shouldn't be using, anyway. To
make it a duplicate, you need 3 admin account: yours, Administrator, and
AdminBackup. You copy the Administrator profile atop of the AdminBackup
profile using your admin-level account (copying of user profiles
requires admin privs). In your admin-level account, run:

control.exe sysdm.cpl

Go under the Advanced tab and click on Settings for User Profiles.
There you can copy Adminstrator's profile atop of AdminBackup's (or
whatever you called the backup admin emergency-only account). You
cannot be logged into the account whose profile you want to copy from or
copy into hence the need for the 3rd admin-level account to do the
profile copying. You could just leave AdminBackup with its own profile
which has nothing setup as in the Administrator profile. You just
create the AdminBackup account in the Administrators group. I usually
do some setup in Administrator that I also want in the backup
Administrator account.

If you don't logon and use the Administrtator account as your daily
account then you probably don't need a backup Administrator account,
especially if you schedule regular image backups of the OS partition.
Obviously image backups are useless if saved on the save disk (even in
another partition) when the disk dies. You need to save image backups
somewhere else than the disk with the OS partition.
Post by D***@MadCow.net
Above, you said "I rely on backups to get me back to a prior working
state." Can you explain what backups you mean?
I do image backups of the partition(s) with the OS and apps. Partitions
with just data can be saved using image or logical (file level) backups.
With an image backup, a restore puts back the disk to the same state is
was during the backup. That is still a logical state so files may not
occupy the same sectors. The only way to get an exact state restore is
to perform a sector-by-sector copy but that wastes a lot of time if most
of the disk is empty (unused clusters in the file system).

System Restore might work but too often it fails. It is only a *system*
restore and somewhat flaky at that. It does not restore your apps or
your data. I turned it off because it is, to me, a waste of disk space.
Anyone doing image backups should kill System Restore; however, that
means you perform regularly scheduled image backup. Anytime the user is
left in charge of doing the backups means they won't get done except
once or twice and then forgotten. My image backups are scheduled to run
once per day. When I'm about to perform some major surgery on the OS
(e.g., Windows updates) or even before installing software (because
uninstallers are very often incomplete), I perform a manual image
backup. To dare a change means you should plan an escape route.
D***@MadCow.net
2018-05-06 21:36:47 UTC
Permalink
Post by VanguardLH
Post by D***@MadCow.net
- My Account which is says my user name and Administrator
- Guest Account.
The User Accounts app will not show hidden accounts. By default, the
Administrator account is hidden.
https://www.howtogeek.com/howto/windows-vista/enable-the-hidden-administrator-account-on-windows-vista/
Since the Administrator account should ONLY be used in emergencies, tis
probably better to leave it hidden. Instead of using the cutsy
bobble-head logon screen that divulges half of the security of a login
(the username) and because I'd rather specify the account than pick one
in a list, I configured Windows to show the standard login screen. It
has one big security advantage over the bobble-head login screen: it
guarantees the login credentials were captured only by the OS because
that is the OS presenting the login window, not some malware pretending
to be a login screen (Windows intercepts the Ctrl+Alt+Del keyboard scan
code to ensure the login screen you see is the one from the OS). I
don't need the Administrator account listed in the bobble-heads login
window. I can simply enter "Administrator" as the account name in the
standard login screen (https://i.stack.imgur.com/HHZBm.png).
control.exe userpasswords2
Enabled
(auto-login means anyone can physcially use your account on that
computer even with a locked screen saver - just reboot)
Secure login - Requires users to press Ctrl+Alt+Delete
Enabled
Post by D***@MadCow.net
I use Macrium Reflect regularly to have recent backups of Windows and
all installed programs. Whenever I want to make some significant
change, I will make an image first. Then after the change seems to
work ok, I'll make another image. I keep a notebook log on all that
kind of stuff.
If UAC is enabled, you get a prompt to allow Macrium run with admin
privileges. Backup jobs scheduled in Macrium create Task Scheduler
events that run under the SYSTEM account.
Post by D***@MadCow.net
To avoid losing the only Administrator account, should I create
another Administrator account and not use it unless my account gets
trashed?
Your normal logon is in the Administrators newsgroup. When you see your
Windows account with "Administrator" under in the User Accounts wizard,
that only means that Windows account was added to the Administrators
security group. Your account is likely also a member of the Home Users
security group. An account can be included in multiple security groups.
control.exe userpasswords2
Alas, I have the Home edition which does not include the group policy
editor (gpedit.msc). That would let you see a list of the security
groups by their names. As I recall, it also listed the privileges of
each one.
You can use "net user" to get a list of Windows accounts (that you're
allowed to use). To get more info on your account, like to which
net user <youraccount>
To see which account is attached to which security group, run "net
net localgroup (list all the user security groups)
net localgroup Administrators (all in the Administrator security group)
net localgroup homeusers (all in the Home Users security group)
Getting a list of what privileges (aka permissions) are specified in
which security group (SYSTEM, Administrators, Home Users, etc) is more
tricky requiring, for example, use of the icacls command. I only touch
that when I'm forced to so I'm not expert with it. That's why I miss
the gpedit.msc wizard in the Home edition. I'm not talking about folder
and file permissions (ACLs, or access control lists) in NTFS that you
can see in Windows Explorer by right-clicking a folder or file, pick
Properties from the context menu, and looking under the Security tab.
There are permissions in security groups (to which accounts are
assigned) that say what that account can do in the OS. File permissions
in NTFS is a separate security mechanism but can also be assigned by
account name or security group.
If you perform regularly scheduled backups (so they actually get done
instead of relying on you to do them), you don't need a backup
Administrator account. When you restore from an image backup, you'll
get back your user profile just like it was at backup time.
If you don't do backups then, yes, make sure the admin-level account you
use is one that was created for you, not the Administrator account.
Only use the Administrator account in emergencies. Awhile back, I also
created a duplicate of the Administrator account: create a new account
as an administrator (i.e., in the Administrators security group) named
something like AdminBackup, and never touch it unless somehow you screw
up the Administrators account which you shouldn't be using, anyway. To
make it a duplicate, you need 3 admin account: yours, Administrator, and
AdminBackup. You copy the Administrator profile atop of the AdminBackup
profile using your admin-level account (copying of user profiles
control.exe sysdm.cpl
Go under the Advanced tab and click on Settings for User Profiles.
There you can copy Adminstrator's profile atop of AdminBackup's (or
whatever you called the backup admin emergency-only account). You
cannot be logged into the account whose profile you want to copy from or
copy into hence the need for the 3rd admin-level account to do the
profile copying. You could just leave AdminBackup with its own profile
which has nothing setup as in the Administrator profile. You just
create the AdminBackup account in the Administrators group. I usually
do some setup in Administrator that I also want in the backup
Administrator account.
If you don't logon and use the Administrtator account as your daily
account then you probably don't need a backup Administrator account,
especially if you schedule regular image backups of the OS partition.
Obviously image backups are useless if saved on the save disk (even in
another partition) when the disk dies. You need to save image backups
somewhere else than the disk with the OS partition.
Post by D***@MadCow.net
Above, you said "I rely on backups to get me back to a prior working
state." Can you explain what backups you mean?
I do image backups of the partition(s) with the OS and apps. Partitions
with just data can be saved using image or logical (file level) backups.
With an image backup, a restore puts back the disk to the same state is
was during the backup. That is still a logical state so files may not
occupy the same sectors. The only way to get an exact state restore is
to perform a sector-by-sector copy but that wastes a lot of time if most
of the disk is empty (unused clusters in the file system).
System Restore might work but too often it fails. It is only a *system*
restore and somewhat flaky at that. It does not restore your apps or
your data. I turned it off because it is, to me, a waste of disk space.
Anyone doing image backups should kill System Restore; however, that
means you perform regularly scheduled image backup. Anytime the user is
left in charge of doing the backups means they won't get done except
once or twice and then forgotten. My image backups are scheduled to run
once per day. When I'm about to perform some major surgery on the OS
(e.g., Windows updates) or even before installing software (because
uninstallers are very often incomplete), I perform a manual image
backup. To dare a change means you should plan an escape route.
Wow, I need to be careful what I ask for. Thanks for all your help!

DC

Loading...