There are multiple TEMP* accounts in \Users\ since switching to a limited account

2

Ever since I switched my normal Windows 7 user account to a limited account (for some reason the default is an admin account ◔_◔), there have been multiple TEMP* accounts accumulating in C:\Users. Here are a few facts:

  • The first one was simply called TEMP, the second is named TEMP.Foobar (where foobar is the computer name), then TEMP.Foobar.000 and so on.
  • The current batch of extraneous accounts seem to all have been created the last time I rebooted (give or take a few hours).
  • Some of them have a few files, some have more, and some have no files at all (just a couple of empty folders).
  • The files and folders contained in the unexplained accounts don’t seem to be of much diagnostic help because they are general Microsoft/Windows stuff that any new account would likely have.
  • This all definitely began after switching my main account to a limited account.
  • There is only one admin-level account on the system and it already has its own directory in C:\Users.
  • Whenever I get the UAC dialog, I enter the password for the (only) admin-level account.
  • Some of them prompt for admin privileges to access their contents, some don’t.
  • The first two can be deleted but the last one is in use.
  • The one that is in use has locked files by the following:
    • Task Manager
    • SpeedFan
    • LSASS which hosts the following services:
      • Credential Manager
      • CNG Key Isolation
      • Encrypting File System
      • Security Accounts Manager

What information I have been able to find seems to indicate that it has something to do with creating a temporary account for elevation purposes, but that doesn’t make sense because I am using the existing admin-level account for that, so it should not be creating a new, temporary account. This is probably the reason that I cannot seem to get the Task Manager settings to stick; when I set them, they only affect the currently used admin, temporary account, but when I reboot, a new one is used, so the previous settings are lost.

This is really frustrating and I find it baffling that using a limited account would be such hard work and difficult to make work because it promotes just giving up and using a privileged account for day-to-day work.

Does anybody have any concrete information about why/where/when/how all these TEMP accounts are being created and how to stop it? Conversely, can anyone explain why Windows keeps creating new, temporary accounts for elevating instead of using the existing admin account even though it is specifically being used?

Synetech

Posted 2014-04-15T19:44:39.930

Reputation: 63 242

The non-Administrator account is part of the User group correct? Additionally is this account a domain or local user account? – Ramhound – 2014-04-15T19:51:08.493

What is the profile directory for your limited user's account? I rather suspect that those temp user profile directories are being created when you do a task that gets elevated. – David – 2014-04-15T19:52:16.430

@Ramhound, yes, it is part of the Users group and the admin account is part of the Administrators group. This is a local system. – Synetech – 2014-04-15T20:02:34.283

Nvidia or AMD GPU? – Ramhound – 2014-04-15T20:03:16.277

@David, yes that’s what I said, but like I already said, there should not be a reason to create a temporary account because whenever an elevated task is run, it uses the existing admin-level account. – Synetech – 2014-04-15T20:03:22.187

@Ramhound Intel laptop. (How would the GPU affect user accounts?) – Synetech – 2014-04-15T20:03:55.783

@Synetech - Nvidia for a while, don't know if they stopped doing this, would create a User level account to support automatic updates to their drivers through a service. Since you didn't indicate how many I assumed it's not less than say hundreds but more than a couple. Could there be some application that is started when you logged in that you installed while you were an Administrator and since you no longer are one it's not behaving itself? – Ramhound – 2014-04-15T20:06:28.897

At first it was only TEMP, the last time I booted, the two new ones were created. Presumably the next one would be TEMP.<computername>.001. – Synetech – 2014-04-15T20:08:30.323

I do have three programs that run on startup which require admin privileges. I tried using the task-scheduler to auto-run them, setting them to run under the existing admin account as well as under the regular account. In either case, it should not be using a temp account; either it should use the existing admin account or prompt me for its password. – Synetech – 2014-04-15T20:10:18.740

What's the output of the wmic useraccount get name,sid command? Which registry keys are there in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList? Check if you can reproduce the issue after switching to administrator and then back to a limited account: 1. Restart in safe mode 2. Log on with the existing admin account. 3. Delete/rename all TEMP* folders. 4. Change the limited account type. 5. Restart Windows. 6. Log on and check whether the folders are created again. – and31415 – 2014-04-15T21:03:21.690

@and31415, What's the output of the wmic … command? As expected; it lists the regular limited account, the admin account, and the guest account (which is not enabled or used). Which registry keys are there in HKLM\…\ProfileList There’s the usual ones: systemprofile, LocalService, NetworkService, my account, Administrator; as well as another admin one (I think it was a temp admin account I had created to test living with a limited account, but I deleted it… obviously Windows leaves traces of old accounts), and the most recent TEMP account. I’ll try those steps the next time I can reboot. – Synetech – 2014-04-15T21:19:05.063

It creates those extra folders when it can't read your old profile (i.e. bad hard drive, bad security setting, etc). Create a new profile, log in and out of that new one a few times. Does it still do it? – Canadian Luke – 2014-04-16T04:12:13.287

@Synetech Usually when a user gets a temp profile, it's being written in the event log. Try searching for any unusual events around the time you logged on with your limited user. Also, try deleting your profile's records (but not the account itself) with DelProf2 - it solved my problems several times (just make sure to backup everything beforehand). – EliadTech – 2014-04-16T12:43:55.563

Answers

2

I thought I was going to get to bed early last night, but thanks to this, I ended up staying up until 5:30am and got almost 90 whole minutes of sleep. After a lot of poking around, monitoring, web-searching, and experimentation, I fixed it.

I discovered that the default administrator account had no files. Somehow its profile (not the registered account, but the actual on-disk files) was missing. I’m not sure how it happened, presumably something went wrong while I was trying to harden and lock down Windows, but the directory was, in fact, not actually present on the drive. This is congruent with information about temporary profiles. (Some of the confusion may have stemmed from the fact that when I deleted a previous similarly-named admin account I had created in an effort to have admin access without using the built-in account, Windows had decided to leave the profile behind instead of deleting it.)

Unfortunately there does not seem to be any information on the Internet on re-creating the built-in administrator account (most of the information is simply about enabling it).

One option would be to copy the directory from a freshly-installed copy of Windows 7 or the installation disc, but unlike with FAT, NTFS has permissions and other meta-data which may be involved and so complicates a simple file-copy.

I decided to copy the default-user profile since that is what Windows does whenever you create a new account (figure 1):

  1. Run SystemPropertiesAdvanced
  2. Click the [Settings] button next to User Profiles
  3. Select the Default Profile and click [Copy To]
  4. Enter the appropriate directory
  5. Select the appropriate user account to set the correct permissions
  6. [OK]

Windows copies the default user profile to the administrator account’s directory. Reboot, and Windows should no longer need to use a temporary profile for the administrator account.

Another way to do it is to actually nuke the administrator account because then Windows will indeed re-create it. It sounds scary and suspicious, but it actually worked perfectly:

  1. Delete the account’s profile if necessary (e.g., if you have already re-created it yourself)
  2. Run the registry editor as admin
  3. Navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3517681861-3532196175-3983141175-500
  4. Delete it (or just rename it to something else like #S-1-5-21-3517681861-3532196175-3983141175-500)
  5. Repeat for the backup entry if it exists (i.e., S-1-5-21-3517681861-3532196175-3983141175-500.bak)
  6. Reboot into safe-mode
  7. Reboot into normal mode

Windows should have re-created the entire Administrator account from scratch when you booted into safe-mode. (It’s interesting to note that Windows actually puts a little more stuff in the new account when you do it this way than when you simply copy the default-user profile, but nothing important, just installed-program related files and directories.)

Hopefully, now whenever someone needs to fix/recreate the built-in administrator account for whatever reason, they can find the information they need.

(As for why there were multiple profiles, it seems that Windows was creating a new one each time I rebooted. Why it didn’t delete the previous temporary profile is beyond me.)


Figure 1: Screenshot of produced to copy default-user to administrator

Synetech
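The following script is an added example and is not part of the question or Synetech's answer. It does in one place what and31415's comment and the accepted answer describe by hand: it compares every ProfileList entry with what is actually on disk (a registered profile whose ProfileImagePath no longer exists is what makes the User Profile Service fall back to C:\Users\TEMP* at the next logon), lists the TEMP* folders, pulls the User Profile Service events for the last few days, and, as a dry run, performs the same rename-instead-of-delete trick on the built-in Administrator's -500 (and .bak) ProfileList key. Assumptions: it is run from an elevated PowerShell 3.0-or-later prompt (Windows 7 needs the Windows Management Framework update for that), the profile root is C:\Users, and the event IDs 1509/1511/1515 are the ones I believe the User Profile Service uses for "could not copy Default", "logged on with a temporary profile" and "profile backed up to .bak"; verify them against your own Application log.

```powershell
# Added example (not from the original post). Audits Windows profile state for the
# "TEMP profile" symptom above and dry-runs the answer's ProfileList-key fix.
# Assumes an elevated PowerShell 3.0+ session and C:\Users as the profile root.

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$usersRoot   = 'C:\Users'   # assumption; read %SystemDrive%\Users on most systems

# Every registered profile, whether its directory exists, whether Windows already
# gave up on it once (.bak) and whether it is the built-in Administrator (RID 500).
function Get-ProfileAudit {
    Get-ChildItem $profileList | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
        # Resolve the SID to a name; deleted accounts leave orphaned SIDs that fail here.
        try {
            $clean = $sid -replace '\.bak$', ''
            $name  = (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $clean).Translate([System.Security.Principal.NTAccount]).Value
        } catch { $name = '<unresolved>' }
        [pscustomobject]@{
            Sid            = $sid
            Account        = $name
            ProfilePath    = $path
            OnDisk         = [bool]($path -and (Test-Path -LiteralPath $path))
            IsBackup       = $sid -like '*.bak'
            IsBuiltinAdmin = $sid -match '^S-1-5-21-\d+-\d+-\d+-500(\.bak)?$'
        }
    }
}

# The leftover TEMP, TEMP.<host>, TEMP.<host>.000 ... folders, with creation times so they
# can be matched against reboots and the events below.
function Get-TempProfileFolders {
    Get-ChildItem -LiteralPath $usersRoot -Directory -Filter 'TEMP*' |
        Select-Object FullName, CreationTime, LastWriteTime
}

# User Profile Service events that explain a temporary profile. IDs are assumptions:
# 1509 = Default profile could not be copied, 1511 = logged on with a temporary profile,
# 1515 = existing profile backed up as <SID>.bak. Check them against your own log.
function Get-TempProfileEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        Id           = 1509, 1511, 1515
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.UserId } }, Message
}

# The answer's steps 3-5: rename (not delete) the -500 key and its .bak twin so the
# User Profile Service rebuilds the Administrator profile from Default at next logon.
# Refuses to touch an entry whose directory still exists unless -Force is given, and
# must not be run for the account you are currently logged on with.
function Reset-BuiltinAdminProfileKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Force)
    Get-ChildItem $profileList |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-500(\.bak)?$' } |
        ForEach-Object {
            $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
            if ($path -and (Test-Path -LiteralPath $path) -and -not $Force) {
                Write-Warning "$($_.PSChildName): profile directory $path exists; skipping (use -Force to override)"
                return
            }
            $newName = '#' + $_.PSChildName   # same rename-as-backup trick as the answer
            if ($PSCmdlet.ShouldProcess($_.PSChildName, "rename ProfileList key to $newName")) {
                Rename-Item -Path $_.PSPath -NewName $newName
            }
        }
}

$audit = Get-ProfileAudit
$audit | Format-Table -AutoSize
$broken = $audit | Where-Object { -not $_.OnDisk -or $_.IsBackup }
if ($broken) {
    'Registered profiles that will produce a TEMP profile at logon:'
    $broken | Format-Table Sid, Account, ProfilePath, IsBuiltinAdmin -AutoSize
}
Get-TempProfileFolders | Format-Table -AutoSize
Get-TempProfileEvents  | Format-Table -AutoSize

# Dry run only. Drop -WhatIf once the audit shows the -500 entry is the broken one,
# then reboot into safe mode and back, as in the answer's steps 6-7.
Reset-BuiltinAdminProfileKey -WhatIf
```

The audit is the part to run first: if the -500 row shows OnDisk = False (or a .bak twin exists) while a TEMP* folder appears with each reboot, the cause is the one the answer found, and renaming the key is the non-destructive fix; if the built-in Administrator's directory is present and the broken row belongs to some other SID, the script points at that account instead and the -500 key should be left alone. The TEMP folders themselves can be deleted once no process (LSASS, Task Manager and so on, per the question) still has files open in the one Windows is currently using.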