Profile deletion on startup

Question

Profile deletion on startup

Darko Bozilovic 1

We have a very weird problem and can not pinpoint why is it happening. Users are loosing their profile randomly. This is a big problem as it happens to executives and log files don't say much. I tried to pinpoint why its happening, but no success. Let me know if anyone else has this problem or how to solve this issue would be appreciated.
Let me know what info you need and i will provide it to you.

Darko Bozilovic 1 Reputation point

2021-06-22T14:42:16.217+00:00

Here are System and Application logs from the PC. Profile deletion occur on 7:54am on 6/22/2021 when user logged in Windows created a new profile. Previous day on 6/21/2021 around 5:02 user shut the laptop down.

108178-application.txt 108252-system.txt
MotoX80 35,986 Reputation points

2021-06-22T16:50:19.08+00:00

Is the entire C;\Users\YourUserName folder and subfolders getting deleted, or do you see names like C;\Users\YourUserName.001?

I'd suggest turning on file system auditing on C:\users and audit for "everyone" for file and folder deletes. You'll at least know when it occurs and what process is deleting the files.
Darko Bozilovic 1 Reputation point

2021-06-22T17:05:32.547+00:00

Everything is deleted, like its brand new PC. Not renamed, deleted. Including registry keys.
Reza-Ameri 17,236 Reputation points Moderator

2021-06-22T17:15:13.89+00:00

What is the type of your hard disk?
Is it SSD or HDD?
Did you installed any program before this problem started?
Are they part of the domain?
Darko Bozilovic 1 Reputation point

2021-06-23T10:42:38.67+00:00

SSD and in some cases m.2
Darko Bozilovic 1 Reputation point

2021-06-23T14:07:07.937+00:00

None programs were installed. Yes, they are part of the domain. I checked GP and couldn't find anything. Went to forums already searched for everything....and wasn't able to find anything that applied to my case.
Reza-Ameri 17,236 Reputation points Moderator

2021-06-23T15:21:26.323+00:00

Just for test try to remove it from the domain and restart the PC and see if the problem persist?
Did you find anything suspicious in the Event Viewer?
Darko Bozilovic 1 Reputation point

2021-06-24T17:03:45.177+00:00

That will be hard to do. They are in the production. It happens randomly. I already turn the audit on. SO seat back and wait for it to happen again. Nothing in Event Viewer. I had EV from at least 4 different machines. Same thing on all, nothing happens. Just log that Windows search had to create new profile due to profile deletion. That's all.
Darko Bozilovic 1 Reputation point

2021-06-24T17:49:00.7+00:00

Did not find anything in EV. Just that Windows search could not load the profile due to deletion. Nothing else. Limited info. As far as disjoin form domain its impossible as they are production systems and the thing happens randomly. Its not like i can repeat it anytime. So out of 130 back office employees it happened to like 10 of them. random times.....and some had it happen twice.
MotoX80 35,986 Reputation points

2021-06-25T00:37:28.913+00:00

Pick one PC. Implement file auditing. Create and then delete a folder. Check the security event log to look for a "file/folder" delete event to verify that file auditing works.

If it doesn't work, fix it so that it does. Implement on all affected machine.

In a simplistic statement, you've got files getting deleted. But forum user have no idea what processes are running on your PC's that might cause that to happen. We don't have a magic crystal ball that will tell us what is deleting your files. Without any specific information, I don't think that there is a lot that we can do to help you.
Jenny Feng 14,226 Reputation points

2021-06-28T06:45:24.953+00:00

Hi,

Just checking in to see if the information provided was helpful.

If the reply helped you, please remember to accept as answer.
If no, please reply and tell us the current situation in order to provide further help.
Darko Bozilovic 1 Reputation point

2021-06-29T10:04:56.493+00:00

Since it happens randomly, i can not remove it from domain....have like 30 PC's that are production 24/7. EV is not showing anything. I did turn on audit so waiting for it to happen again.
Darko Bozilovic 1 Reputation point

2021-06-29T10:07:05.777+00:00

There is no answer on a problem. Just suggestions on how to find what is going on. I tried one suggestion that i haven't before and waiting to see if i can pinpoint what is a cause. But it needs to happen again for me to pinpoint, therfore i can not mark the answer as there isn't any yet.

2 answers

Your answer

Darko Bozilovic 1 Reputation point

2021-06-22T14:42:16.217+00:00

Here are System and Application logs from the PC. Profile deletion occur on 7:54am on 6/22/2021 when user logged in Windows created a new profile. Previous day on 6/21/2021 around 5:02 user shut the laptop down.

108178-application.txt 108252-system.txt
MotoX80 35,986 Reputation points

2021-06-22T16:50:19.08+00:00

Is the entire C;\Users\YourUserName folder and subfolders getting deleted, or do you see names like C;\Users\YourUserName.001?

I'd suggest turning on file system auditing on C:\users and audit for "everyone" for file and folder deletes. You'll at least know when it occurs and what process is deleting the files.
Darko Bozilovic 1 Reputation point

2021-06-22T17:05:32.547+00:00

Everything is deleted, like its brand new PC. Not renamed, deleted. Including registry keys.
Reza-Ameri 17,236 Reputation points Moderator

2021-06-22T17:15:13.89+00:00

What is the type of your hard disk?
Is it SSD or HDD?
Did you installed any program before this problem started?
Are they part of the domain?
Darko Bozilovic 1 Reputation point

2021-06-23T10:42:38.67+00:00

SSD and in some cases m.2
Darko Bozilovic 1 Reputation point

2021-06-23T14:07:07.937+00:00

None programs were installed. Yes, they are part of the domain. I checked GP and couldn't find anything. Went to forums already searched for everything....and wasn't able to find anything that applied to my case.
Reza-Ameri 17,236 Reputation points Moderator

2021-06-23T15:21:26.323+00:00

Just for test try to remove it from the domain and restart the PC and see if the problem persist?
Did you find anything suspicious in the Event Viewer?
Darko Bozilovic 1 Reputation point

2021-06-24T17:03:45.177+00:00

That will be hard to do. They are in the production. It happens randomly. I already turn the audit on. SO seat back and wait for it to happen again. Nothing in Event Viewer. I had EV from at least 4 different machines. Same thing on all, nothing happens. Just log that Windows search had to create new profile due to profile deletion. That's all.
Darko Bozilovic 1 Reputation point

2021-06-24T17:49:00.7+00:00

Did not find anything in EV. Just that Windows search could not load the profile due to deletion. Nothing else. Limited info. As far as disjoin form domain its impossible as they are production systems and the thing happens randomly. Its not like i can repeat it anytime. So out of 130 back office employees it happened to like 10 of them. random times.....and some had it happen twice.
MotoX80 35,986 Reputation points

2021-06-25T00:37:28.913+00:00

Pick one PC. Implement file auditing. Create and then delete a folder. Check the security event log to look for a "file/folder" delete event to verify that file auditing works.

If it doesn't work, fix it so that it does. Implement on all affected machine.

In a simplistic statement, you've got files getting deleted. But forum user have no idea what processes are running on your PC's that might cause that to happen. We don't have a magic crystal ball that will tell us what is deleting your files. Without any specific information, I don't think that there is a lot that we can do to help you.
Jenny Feng 14,226 Reputation points

2021-06-28T06:45:24.953+00:00

Hi,

Just checking in to see if the information provided was helpful.

If the reply helped you, please remember to accept as answer.
If no, please reply and tell us the current situation in order to provide further help.
Darko Bozilovic 1 Reputation point

2021-06-29T10:04:56.493+00:00

Since it happens randomly, i can not remove it from domain....have like 30 PC's that are production 24/7. EV is not showing anything. I did turn on audit so waiting for it to happen again.
Darko Bozilovic 1 Reputation point

2021-06-29T10:07:05.777+00:00

There is no answer on a problem. Just suggestions on how to find what is going on. I tried one suggestion that i haven't before and waiting to see if i can pinpoint what is a cause. But it needs to happen again for me to pinpoint, therfore i can not mark the answer as there isn't any yet.

Answer 1

@Darko Bozilovic
Hi,

When this happens, every time the user tries to log on to the computer using the username and password, the profile fails to load. This enforces Windows to create a new temporary profile to allow the user to log on to the computer. This temporary profile is also automatically deleted as soon the user logs off. Every time the user attempts to log on to the computer and the default profile fails to initialize, a new profile is created at each successful logon and gets deleted while logging off.

I agree with MotoX80, check your GPO settings to see if it is the cause of this problem.

For your reference:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/551ca112-e8ea-4314-94d5-f9f39b5ec2d4/user-profiles-may-be-deleted-after-you-logoff-from-a-computer?forum=winservergen

Hope above information can help you.

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread

Darko Bozilovic 1 Reputation point

2021-06-23T10:49:35.797+00:00

It is not temp profile. Its brand new user profile. Temp does not get created. Its not happening all the time. Its happens randomly. Very few times we had same user loosing profile twice. We had at least 10 users that this happened to. Again temp is not getting created, that is not the case.

Answer 2

MotoX80 35,986

Everything is deleted, like its brand new PC.

Does "everything" include installed software? If so, it sounds like your desktop build process is either not finishing (or thinks that it's not finished and is retrying) or there is a leftover task that is running that is wiping things out.

Scan the output of autoruns and look for something that your organization might use/define that could wipe out the PC.

https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

What about Group Policy? Have you reviewed those settings? Are you deploying software with GP?

Again, by implementing file auditing, you should be able to catch the process name that is deleting the users profile.

Darko Bozilovic 1 Reputation point

2021-06-23T10:46:38.013+00:00

No, software is there, i meant everything as far as user profile. Its not renamed, it gets deleted. Its not in recycle bin. Registry inputs for user profile gets deleted as well. Admin profile stays. Only user gets deleted. Checked GP nothing. We did not deploy any software lately. Not via manual install nor via GP. Thanks for suggestions, i will implement file auditing. Only thing is i couldn't find how to do it remotely on bunch of systems. There is a part you can do in GP but then you have to visit each machine manually to set it up on folder itself.

Share via

Profile deletion on startup

2 answers

Your answer