I'm using a service which stores data on disk. The service is running as "local system account".
Where is the stored data for that system user?
I'm thinking about C:\Documents and Settings\Default User but I'm not sure about that.
Can someone confirm that?
The data you are looking should not, by default, be located in "C:\Documents and Settings\Default User". That is the location of the default user profile, which is the template for new user profiles. Its only function is to be copied to a new folder for use as a user profile when a user logs onto the computer for the first time.
If the service is following Microsoft's guidelines, it will be storing data in the application data folder (%APPDATA%) or the local application data folder (%LOCALAPPDATA% on Windows Vista and later). It should not use the My Documents or Documents folders, but you might want to check there as well.
On a typical installation of Windows XP or Windows Server 2003, check the following locations for application data for programs running as Local System (NT AUTHORITY\SYSTEM):
On a typical installation of Windows Vista and later versions, check the following locations for application data for programs running as Local System (NT AUTHORITY\SYSTEM):
Of course, substitute the appropriate vendor name and program name for Vendor and Program.
[Edit - for bricelam] For 32 bit processes running on 64 bit windows, it would be in SysWOW64.
The destination is changing in time. On Windows 10:
%systemroot%\ServiceProfilesE.g.:
%systemroot%\ServiceProfiles\LocalService%systemroot%\ServiceProfiles\NetworkServiceHowever, the LocalSystem user data is stored in
%systemroot%\System32\config\systemprofileFrom a real process running as SYSTEM (S-1-5-18).
SYSTEMS-1-5-18CN=HYDROGEN,CN=Computers,DC=stackoverflow,DC=comSTACKOVERFLOW\HYDROGEN$HYDROGEN${b413b030-8e9a-49d2-9157-20afd58792dd}stackoverflow.com/Computers/HYDROGENUSER-PC02$@stackoverflow.comstackoverflow.com/ComputersHYDROGENC:\WINDOWS\TEMP\C:\WINDOWS\system32\config\systemprofile\AppData\RoamingC:\WINDOWS\system32\config\systemprofile\AppData\LocalC:\ProgramDataC:\WINDOWS\system32\config\systemprofileLOCAL SERVICES-1-5-1NT AUTHORITY\LOCAL SERVICEC:\WINDOWS\SERVIC~3\LOCALS~1\AppData\Local\Temp\C:\WINDOWS\ServiceProfiles\LocalService\AppData\RoamingC:\WINDOWS\ServiceProfiles\LocalService\AppData\LocalC:\ProgramDataC:\WINDOWS\ServiceProfiles\LocalServiceC:\WINDOWS\ServiceProfiles\LocalService\DocumentsCN=HYDROGEN,CN=Computers,DC=avatopia,DC=comAVATOPIA\HYDROGEN$HYDROGEN${b413b030-8e9a-49d2-9157-20afd58792dd}stackoverflow.com/Computers/HYDROGENUSER-PC02$@stackoverflow.comstackoverflow.com/ComputersHYDROGENC:\WINDOWS\SERVIC~3\NETWOR~1\AppData\Local\Temp\C:\WINDOWS\ServiceProfiles\NetworkService\AppData\RoamingC:\WINDOWS\ServiceProfiles\NetworkService\AppData\LocalC:\ProgramDataC:\WINDOWS\ServiceProfiles\NetworkServiceC:\WINDOWS\ServiceProfiles\NetworkService\Documents
Go to Sysinternals and download procmon. You will need to know the name of the exe that the service runs as. Then you can use the filter in procmon to only list those activities generated by that application.
You should now be able to run through the list and determine which file this application is using (NOTE: After several minutes of logging, you can use the file menu to stop monitoring)
The entire Sysinternal suite can be downloaded as a single zip file and you may find other utils in the kit that can be helpfull.
I have used a service running as the 'Local System' account and user data is stored in:
c:\Documents and Settings\LocalService
This is a hidden folder and took me a while to find it. Hope this helps.
On XP there is a "System Profile" located at C:\WINDOWS\system32\config\systemprofile
I thought that was where the Local System acct was located. The Network Service and Local Service accounts both have hidden profiles in the Documents and Settings folder.
The Default User folder is typically used as the base folder that new user accounts are created from. So if a new user were to log on to a system for the first time. Their settings would be copied from the Default User profile initially.
