There are multiple TEMP* accounts in \Users\ since switching to a limited account

I thought I was going to get to bed early last night, but thanks to this, I ended up staying up until 5:30am and got almost 90 whole minutes of sleep. After a lot of poking around, monitoring, web-searching, and experimentation, I fixed it.

I discovered that the default administrator account had no files. Somehow its profile (not the registered account, but the actual on-disk files) was missing. I’m not sure how it happened, presumably something went wrong while I was trying to harden and lock down Windows, but the directory was, in fact, not actually present on the drive. This is congruent with information about temporary profiles. (Some of the confusion may have stemmed from the fact that when I deleted a previous similarly-named admin account I had created in an effort to have admin access without using the built-in account, Windows had decided to leave the profile behind instead of deleting it.)

Unfortunately there does not seem to be any information on the Internet on re-creating the built-in administrator account (most of the information is simply about enabling it).

One option would be to copy the directory from a freshly-installed copy of Windows 7 or the installation disc, but unlike with FAT, NTFS has permissions and other meta-data which may be involved and so complicates a simple file-copy.

I decided to copy the default-user profile since that is what Windows does whenever you create a new account (figure 1):

  1. Run SystemPropertiesAdvanced
  2. Click the [Settings] button next to User Profiles
  3. Select the Default Profile and click [Copy To]
  4. Enter the appropriate directory
  5. Select the appropriate user account to set the correct permissions
  6. [OK]

Windows copies the default user profile to the administrator account’s directory. Reboot, and Windows should no longer need to use a temporary profile for the administrator account.

Another way to do it is to actually nuke the administrator account because then Windows will indeed re-create it. It sounds scary and suspicious, but it actually worked perfectly:

  1. Delete the account’s profile if necessary (e.g., if you have already re-created it yourself)
  2. Run the registry editor as admin
  3. Navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3517681861-3532196175-3983141175-500
  4. Delete it (or just rename it to something else like #S-1-5-21-3517681861-3532196175-3983141175-500)
  5. Repeat for the backup entry if it exists (i.e., S-1-5-21-3517681861-3532196175-3983141175-500.bak)
  6. Reboot into safe-mode
  7. Reboot into normal mode

Windows should have re-created the entire Administrator account from scratch when you booted into safe-mode. (It’s interesting to note that Windows actually puts a little more stuff in the new account when you do it this way than when you simply copy the default-user profile, but nothing important, just installed-program related files and directories.)

Hopefully, now whenever someone needs to fix/recreate the built-in administrator account for whatever reason, they can find the information they need.

(As for why there were multiple profiles, it seems that Windows was creating a new one each time I rebooted. Why it didn’t delete the previous temporary profile is beyond me.)


Figure 1: Screenshot of procedure to copy default-user to administrator

Author: Synetech

Updated on September 18, 2022
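
A read-only check to run before either procedure in the answer above, added here as an example and not part of the original post: it lists every ProfileList registration, flags entries whose profile directory is missing or that are `.bak` copies, and shows which TEMP* directories are still referenced. It assumes profiles live under `%SystemDrive%\Users` and keeps to PowerShell 2.0 syntax, the version that ships with Windows 7.

```powershell
# Added example: read-only inventory of profile registrations and TEMP* directories.
# Run from an elevated prompt. Assumes profiles live under %SystemDrive%\Users.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$usersRoot   = Join-Path $env:SystemDrive 'Users'

# One object per ProfileList subkey (each subkey is named after an account SID).
$registered = @(Get-ChildItem $profileList | ForEach-Object {
    $sid  = $_.PSChildName
    $path = [Environment]::ExpandEnvironmentVariables(
                [string](Get-ItemProperty $_.PSPath).ProfileImagePath)
    New-Object PSObject -Property @{
        Sid          = $sid
        Path         = $path
        # RID 500 is the built-in Administrator on every Windows installation.
        BuiltinAdmin = $sid -match '^S-1-5-21-[\d-]+-500(\.bak)?$'
        IsBackup     = $sid -like '*.bak'
        DirExists    = [bool]($path -and (Test-Path -LiteralPath $path))
    }
})

Write-Host '--- Registered profiles ---'
$registered | Sort-Object Sid |
    Format-Table Sid, BuiltinAdmin, IsBackup, DirExists, Path -AutoSize

Write-Host '--- Entries to inspect: directory missing, or a .bak copy ---'
$registered | Where-Object { -not $_.DirExists -or $_.IsBackup } |
    Format-Table Sid, Path -AutoSize

Write-Host '--- TEMP* directories and whether a registration points at them ---'
Get-ChildItem $usersRoot -Force |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'TEMP*' } |
    ForEach-Object {
        $dir = $_.FullName
        New-Object PSObject -Property @{
            Directory  = $dir
            Created    = $_.CreationTime
            Registered = [bool]($registered | Where-Object { $_.Path -ieq $dir })
        }
    } | Format-Table Directory, Created, Registered -AutoSize
```

A TEMP* directory that shows `Registered = False` and is not locked by a running process is a leftover from an earlier boot; one that shows `True` is the profile currently loaded for that SID.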

Comments

  • Synetech
    Synetech over 1 year

    Ever since I switched my normal Windows 7 user account to a limited account (for some reason, the default is an admin account ◔_◔), there have been multiple TEMP* accounts accumulating in C:\Users. Here are a few facts:

    • The first one was simply called TEMP, the second is named TEMP.Foobar (where foobar is the computer name), then TEMP.Foobar.000 and so on.
    • The current batch of foreign accounts seems to all have been created the last time I rebooted (give or take a few hours).
    • Some of them have a few files, some have more, and some have no files at all (just a couple of empty folders).
    • The files and folders contained in the unexplained accounts don’t seem to be of much diagnostic help because they are general Microsoft/Windows stuff that any new account would likely have.
    • This all began after switching my main account to a limited account.
    • There is only one admin-level account on the system, and it already has its directory in C:\Users.
    • Whenever I get the UAC dialog, I enter the password for the (only) admin-level account.
    • Some of them prompt for admin privileges to access their contents, some don’t.
    • The first two can be deleted, but the last one is in use.
    • The one that is in use has files locked by the following:
      • Task Manager
      • SpeedFan
      • LSASS which hosts the following services:
        • Credential Manager
        • CNG Key Isolation
        • Encrypting File System
        • Security Accounts Manager

    What information I have been able to find seems to indicate that it has something to do with creating a temporary account for elevation purposes, but that doesn’t make sense because I am using the existing admin-level account for that, so it should not be creating a new, temporary account. This is probably the reason that I cannot seem to get the Task Manager settings to stick; when I set them, they only affect the currently used admin, temporary account, but when I reboot, a new one is used, so the previous settings are lost.

    This is really frustrating and I find it baffling that using a limited account would be such hard work and difficult to make work because it promotes just giving up and using a privileged account for day-to-day work.

    Does anybody have any concrete information about why/where/when/how all these TEMP accounts are being created and how to stop it? Conversely, can anyone explain why Windows keeps creating new, temporary accounts for elevating instead of using the existing admin account even though it is specifically being used?

    • Ramhound
      Ramhound about 10 years
      The non-Administrator account is part of the User group correct? Additionally is this account a domain or local user account?
    • David
      David about 10 years
      What is the profile directory for your limited user's account? I rather suspect that those temp user profile directories are being created when you do a task that gets elevated.
    • Synetech
      Synetech about 10 years
      @Ramhound, yes, it is part of the Users group and the admin account is part of the Administrators group. This is a local system.
    • Synetech
      Synetech about 10 years
      @David, yes that’s what I said, but like I already said, there should not be a reason to create a temporary account because whenever an elevated task is run, it uses the existing admin-level account.
    • Synetech
      Synetech about 10 years
      @Ramhound Intel laptop. (How would the GPU affect user accounts?)
    • Ramhound
      Ramhound about 10 years
      @Synetech - Nvidia for a while, don't know if they stopped doing this, would create a User level account to support automatic updates to their drivers through a service. Since you didn't indicate how many I assumed it's not less than say hundreds but more than a couple. Could there be some application that is started when you logged in that you installed while you were an Administrator and since you no longer are one it's not behaving itself?
    • Synetech
      Synetech about 10 years
      At first it was only TEMP, the last time I booted, the two new ones were created. Presumably the next one would be TEMP.<computername>.001.
    • Synetech
      Synetech about 10 years
      I do have three programs that run on startup which require admin privileges. I tried using the task-scheduler to auto-run them, setting them to run under the existing admin account as well as under the regular account. In either case, it should not be using a temp account; either it should use the existing admin account or prompt me for its password.
    • and31415
      and31415 about 10 years
      What's the output of the wmic useraccount get name,sid command? Which registry keys are there in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList? Check if you can reproduce the issue after switching to administrator and then back to a limited account: 1. Restart in safe mode 2. Log on with the existing admin account. 3. Delete/rename all TEMP* folders. 4. Change the limited account type. 5. Restart Windows. 6. Log on and check whether the folders are created again.
    • Synetech
      Synetech about 10 years
      @and31415, What's the output of the wmic … command? As expected; it lists the regular limited account, the admin account, and the guest account (which is not enabled or used). Which registry keys are there in HKLM\…\ProfileList There’s the usual ones: systemprofile, LocalService, NetworkService, my account, Administrator; as well as another admin one (I think it was a temp admin account I had created to test living with a limited account, but I deleted it… obviously Windows leaves traces of old accounts), and the most recent TEMP account. I’ll try those steps the next time I can reboot.
    • Canadian Luke
      Canadian Luke about 10 years
      It creates those extra folders when it can't read your old profile (i.e. bad hard drive, bad security setting, etc). Create a new profile, log in and out of that new one a few times. Does it still do it?
    • EliadTech
      EliadTech about 10 years
      @Synetech Usually when a user gets a temp profile, it's being written in the event log. Try searching for any unusual events around the time you logged on with your limited user. Also, try deleting your profile's records (but not the account itself) with DelProf2 - it solved my problems several times (just make sure to backup everything beforehand).
  • Yannis Dran
    Yannis Dran over 3 years
    I came exactly for looking how to delete the leftover folders, that it is beyond you (and me of course) as you say. Any ideas? Perhaps just deleting them would be enough, but I am not sure.