Figuring out if there's a deleted user account on Windows 7

0

We are trying to determine which one of 20-30 computers were used by a previous employee. We know that the computer at one point had two user accounts, but one of them was deleted around 6 months ago. The computer in question is the only computer that had a deleted account the last year. Very few of the other computers have had deleted accounts, so it's not a crisis if all deleted user accounts are found, not only the one deleted this year.

Both user accounts had Admin rights. There are no system restore points dating that far back.

The purpose of this is to use some third party tool to recover some lost data from that account. We don't want to try this on all computers, as it might be time consuming, and potentially a risky process. We know the password of the account.

Is there a way to, without installing any software, determining if a user account has been deleted (and if possible the name of said account)?

Edit:

I'd like to recover excel-files, small .txt-files (a few kB), files used by a specific simulation tool etc. Anything stored in My Documents, and/or the folder C:\SimulationTool\Folder\Data.

I've tried searching through the server (where project specific files should be stored) for files owned by that user, but no files were found. This was very strange, but it's possible, since the employee was only employed for a short time.

Stewie Griffin

Posted 2018-10-15T07:16:12.763

Reputation: 499

Recover data that was deleted 6 months ago, from a computer that's been actively used ever since? I'd go with "completely hopeless". – user1686 – 2018-10-15T07:30:18.393

You can look at the event logs, but if it was logged, is entirely determined by your login configuration. However, data recovery, might not be possible if that data was already overwritten. What data are you trying to recover exactly? Edit your question and provide the relevant information required to answer your question – Ramhound – 2018-10-15T07:31:49.003

@Ramhound edited. Anything that can be recovered might be helpful. Discouraging to see that it might be completely hopeless. :/ – Stewie Griffin – 2018-10-15T07:48:25.557

Answers

0

It would be difficult in the least to determine if an account was deleted so long ago. Depending on the computers usage, any recoverable files quite possibly have been written over. Your best bet to recover the files is to install file recovery software on another computer and use it to examine the drive of the computer in question.

However, if you want to try manually looking, you can try the following:

First off, start by looking at all the Event Viewer logs. Comb through every entry, even new ones. Perhaps a log will list the account name. I would pay close attention to error logs. Perhaps this account was used to set up a service. If the service is no longer functioning, it hopefully list the account name or SID associated with it.

Speaking of SIDs, you could list the owner/creator of all the files on the system. While the account name will not show, a SID will remain for all files associated to that account.

If you want to go even further, look at every .log and .txt file for some record of the accounts existence.

Keltari

Posted 2018-10-15T07:16:12.763

Reputation: 57 019

Asked: 2018-10-15T07:16:12.763

Viewed: 60 times

Active: 2018-10-15T10:28:36.833