Total User Accounts Listed in "Users" vs SAM Reg Records

2 Posts
2 Users
0 Likes
328 Views
(@siris)
Posts: 5
Active Member
Topic starter
 

Hello,

I am analysing a Windows Server 2016 OS.

I have a question regarding the total number of user accounts listed within the "Users" directory vs the total number of user accounts recorded in the SAM Reg hive (there is quite a big difference when comparing the two).

Within the "Users" directory, X-Ways has listed 20 user accounts.

However, after parsing the SAM registry (I used RegRipper and MiTec Reg Recovery tools), there are a number of user accounts that do not appear listed in the "Users" directory (these add up to an additional 30 user accounts).

I have noticed that a portion of the user accounts listed in the SAM Reg hive have never logged in. I identified this from the RegRipper output results that record these accounts with a Last Login Date of "Never". With this in mind, I determined that because these profiles never logged in on this system, the user profiles would therefore never be created and listed within the "Users" directory. (I hope this so far makes a sound assessment).

HOWEVER, there are some user accounts listed in the SAM Reg hive that HAVE logged in before. I have identified this from the RegRipper output results that list certain accounts with a "Last Login Date" timestamp.

So with that in mind, why do these user accounts that HAVE logged in before not appear listed within the "Users" directory?

Thank you in advance.

 
Posted : 02/05/2019 9:30 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

There could be a number of reasons, but unfortunately, you're looking at the artifacts in isolation. That is to say, you're looking at the SAM contents, and the contents of the Users folder, without considering and correlating other data sources.

For example, you said that this system is Windows 2016, which is a server OS. Is Terminal Services running? Are there logins?

It's likely that many of the profiles created in the Users folder are domain user accounts, rather than user accounts local to the system. You can verify this by reviewing the contents of the ProfileList key and comparing SIDs.

HTH

 
Posted : 02/05/2019 10:02 am