8
3
On Windows, a user account name would be different from the user profile name after it has been changed from Control Panel.
How to find the original user profile name from a changed user account name?
6
There are two "name" properties of each account, so let me clarify things a bit so we don't get confused. One is the SAM (Security Account Manager) account name, which shows up in the output of net user. This is the name of the account as far as low-level OS components are concerned. The other is the display name, which shows up in Control Panel's User Accounts page and in the Start menu. The Local Users and Groups snap-in for MMC (lusrmgr.msc) shows both: the SAM name in the Name column, and the display name in the Full Name column. The SAM name is what's used to produce the profile folder.
It is not very easy to change the SAM name unless you use this MMC snap-in. Only changes to the SAM name produce event 4781. I suspect, given that you don't see an event 4781 in your log, that only the display name was changed. This only produces event 4738 ("a user account was changed"). Event 4738 only lists the new value for the display name, not the old value, and I suspect the history of display names isn't kept anywhere (your best hope would be to dig through the logs for more instances of 4738).
Fortunately, finding the profile path from a display name isn't too hard. Open PowerShell and type this command:
gwmi win32_useraccount
You get a bunch of entries that look like this:
AccountType : 512
Caption : <redacted>\tester
Domain : <redacted>
SID : S-1-5-21-<redacted>-1018
FullName : Test Account
Name : tester
Find the one with the FullName showing the display name of the account. Then look at the SID value (I've redacted my machine SID here). Open the Registry and navigate to the key mentioned by harrymc:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Open the subkey named the same as the SID you found. The ProfileImagePath value holds the path to their profile folder.
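The lookup described in this answer (display name, then SID, then ProfileList subkey) can be done for every local account in one pass. This is an added example, not part of the original answer; the function name Get-AccountProfileMap and the FolderDiffers column are hypothetical, and it assumes Windows PowerShell, where Get-WmiObject (gwmi) is available.

```powershell
# Added example: resolve each local account (SAM name and display name) to its
# profile folder through the SID. The function name is hypothetical.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-AccountProfileMap {
    # LocalAccount=True restricts the WMI query to accounts in the local SAM.
    Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' | ForEach-Object {
        $key  = Join-Path $ProfileListKey $_.SID
        $path = $null
        if (Test-Path $key) {
            $path = (Get-ItemProperty -Path $key).ProfileImagePath
        }
        # Accounts that have never logged on have no ProfileList subkey yet.
        $folder = if ($path) { Split-Path $path -Leaf } else { $null }
        New-Object PSObject -Property @{
            FullName         = $_.FullName   # display name (Control Panel)
            Name             = $_.Name       # SAM name (net user)
            SID              = $_.SID
            ProfileImagePath = $path
            # True when the profile folder name differs from the current SAM
            # name, for example after a rename in lusrmgr.msc.
            FolderDiffers    = [bool]($folder -and ($folder -ne $_.Name))
        }
    } | Select-Object FullName, Name, SID, ProfileImagePath, FolderDiffers
}

Get-AccountProfileMap | Format-Table -AutoSize
```

Rows where FullName differs from Name are accounts whose display name was changed; rows with FolderDiffers set are accounts whose SAM name no longer matches the profile folder.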
8
Look in the Windows Security System Event log for EventID 4781: The name of an account was changed:
4781: The name of an account was changed
The user identified by Subject: changed either the normal logon name or the pre-Win2k logon name of the user identified by Target Account:. Event 4738 actually provides better information on this change.
This event is logged both for local SAM accounts and domain accounts.
You will also see event ID 4738 informing you of the same information.
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Target Account:
- Security ID: SID of the account
- Account Name: name of the account
- Account Domain: domain of the account
- Old Account Name: old logon name
- New Account Name: new logon name
I couldn't find this event in the Event Log. Is there any other possibility other than the user account name being changed for the user account name to be different from the user profile name? Or is there any other way to identify? – Fenixtriver – 2017-06-24T17:48:43.220
@FeniXtriver You looked in the Security event log? I don't know about other ways to change the user profile name unless someone hacked the registry. – DavidPostill – 2017-06-24T18:01:23.760
I suspect there's some confusion about SAM account name vs. display name going on here. I just tested and changing the display name (e.g. with Control Panel) doesn't create event 4781 because it doesn't change the SAM name. – Ben N – 2017-06-24T18:12:51.397
@DavidPostill Yes, I've looked into the Security event log. I believe Ben N's is right. And I've marked his answer as correct. Thanks for your help anyway. Feel free to let me know if you still have anything to add on. :) – Fenixtriver – 2017-06-27T06:38:53.327
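To check the Security log for both event IDs discussed above in one query, the following added example (not from any of the answers) flattens each event's EventData into columns. The function name Get-AccountChangeEvents is hypothetical; the field names are those carried in the event XML for 4781 and 4738, and the session is assumed to be elevated.

```powershell
# Added example; run from an elevated prompt (the Security log requires admin).
function Get-AccountChangeEvents {
    param([string]$Sid)   # optional: only events whose target account is this SID

    $filter = @{ LogName = 'Security'; Id = 4781, 4738 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($Sid -and $data['TargetSid'] -ne $Sid) { return }

        New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            TargetSid   = $data['TargetSid']
            ChangedBy   = $data['SubjectUserName']
            # Filled on 4781 only (SAM name change): old and new logon name.
            OldSamName  = $data['OldTargetUserName']
            NewSamName  = $data['NewTargetUserName']
            # Filled on 4738 only; the event carries the new value, not the old one.
            DisplayName = $data['DisplayName']
        }
    } | Sort-Object TimeCreated |
        Select-Object TimeCreated, EventId, TargetSid, ChangedBy, OldSamName, NewSamName, DisplayName
}

Get-AccountChangeEvents | Format-Table -AutoSize
```

An empty result means neither event is present in the retained log, which also happens when the log has rolled over or account-management auditing was not enabled at the time of the change.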
8
This answer is based on the fact that renaming the user account does not automatically change the profile path.
If the account was renamed but the profile path was not changed, the path-name can be found in the registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
in the item named ProfileImagePath whose value will be C:\Users\old-user-name.
To convert the marked SID to the current user account name, enter in cmd the command:
wmic useraccount where sid='S-1-3-12-12451234567-1234567890-1234567-1434' get name
To add more... doesn't net user list the old usernames too? Okay, if there are plenty of usernames, it's still hard to figure out, but on a pc it usually isn't. – LPChip – 2017-06-24T14:28:39.813
@harrymc How would you know which profile path is for which account name then? – Fenixtriver – 2017-06-24T17:40:08.167
One way would be to take the key, which is a long string starting with 'S' and enter in cmd the command wmic useraccount where sid='S-1-3-12-12451234567-1234567890-1234567-1434' get name. – harrymc – 2017-06-24T18:13:36.410
@LPChip, you are right. – Fenixtriver – 2017-06-27T06:41:29.780
@harrymc The problem is we wouldn't know what the SID is in the first place. I've marked Ben N's answer correct at the moment. Thank you very much for your input anyway. Feel free to let me know if you have anything to add on. :) – Fenixtriver – 2017-06-27T06:42:24.147
The SID is the name of the registry key underneath which you will find ProfileImagePath as C:\Users\old-user-name. – harrymc – 2017-06-27T08:45:59.323
I get this error message after I entered the command as stated by you: Get-LocalUser : The term 'Get-LocalUser' is not recognized as the name of a cmdlet.... – Fenixtriver – 2017-06-24T18:47:03.660
@FeniXtriver Oops, it looks like the Get-LocalUser cmdlet doesn't exist in the Windows 7 version of PowerShell. (I tested on Windows 10.) I edited my answer to work on Windows 7 as well. – Ben N – 2017-06-24T18:53:06.793
I actually tested on Windows 10 as well, but it doesn't seem to work. Anyway, the new command given works now. Thanks a lot for your valuable input. I've marked your answer correct. :) – Fenixtriver – 2017-06-27T06:35:32.547