NTUSER.DAT Sizes, in the Profiles / User Environment forum on BrianMadden.com

Top 200 Contributor
Points 1,080
Tony Troskey Posted: Wed, Mar 15 2006 4:46 PM
I have noticed over the last few months that I have ntuser.dat files that grow in size. I have found some ntuser.dat files to be 60 megs and of course because these are roaming profiles it causes major issues for the end user.

I was wondering if there is a tool out there that could tell me why the ntuser.dat file is growing?

Is there a tool that can clean these ntuser.dat files so they go back to the original size without changing any user settings?

Maybe someone already has posted this question, but I could not find any posts with registry tools.

  • | Post Points: 20
Top 50 Contributor
Points 3,190
I've been working for years now with Roaming Profiles but I have never heard of ntuser.dat files of this size ! Are you referring to the single ntuser.dat file or to the entire user profile folder ?

Btw, how long does it take for the user profile to load upon logon ???
  • | Post Points: 35
Top 200 Contributor
Points 1,080
I am referring to the single ntuser.dat file and not the entire user profile. I do not know how long it takes to get this large. I just know that I have had them that large. I have deleted these profiles and no longer have any NTUSER.DAT files larger than 2 megs.

My default profile ntuser.dat file is 768 KB, and I understand that an individual ntuser.dat file is going to grow because of different settings. Is there any way to figure out what is taking up all this space, is it corruption, some sort of application, or something else?
  • | Post Points: 20
Guest replied on Wed, Mar 29 2006 9:58 AM
Your group policy for folder redirection is not working and the ntuser.dat is saving more changes than it should be. Also look inside the server or PC for the registry and clean up any orphaned entries.

With the proper redirection policies, the ntuser.dat normally stays under 4megs at most.
  • | Post Points: 20
Top 200 Contributor
Points 1,080
Are you talking about User Config - System - User Profiles - Exclude directories in roaming profile? We are already excluding most directories.

Is there another GP that I should be using to control the size of the roaming profile?
  • | Post Points: 5
Guest replied on Mon, May 1 2006 9:43 AM
Which Group Policy are you referring to?
  • | Post Points: 20
Top 200 Contributor
Points 1,080
This continues to be a problem for me. Are there any other ideas as to why the NTUSER.DAT files grow to this size?
  • | Post Points: 20
Guest replied on Sun, May 21 2006 1:08 AM
Hello-- My ntuser.dat file has grown to over 5MB. I couldn't read it with FileAlyzer because it's locked. I read somewhere that sites you visit and files you view are recorded here. This makes sense because the registry should basically be static; that is if you change a parameter from 1 to 0, for instance, I see no reason why the file should grow when you are merely changing a byte. I use xp pro, so what I did was create a new user account (say "Joe2") and give it admin privileges. Then my current account (say "Joe") with the 5MB ntuser.dat was changed to limited privileges. I then started the process of deleting the Joe account. When prompted whether or not to delete Joe's account files, I clicked the "keep files" button rather than deleting everything. After this was done the Joe2 directory was now in the Documents & Settings folder, as was the original Joe directory. However Joe is no longer listed as a user, but Joe's subfolders like Application Data, User Data, & Local Settings are still there. More importantly, the 5MB ntuser.dat file was still intact. I tried opening Joe's ntuser.dat but it was still locked (!!!), even though Joe's account was gone.

To work around this, restart the computer and hold down the F8 key as Windows begins to start. This will get you to the DOS-like screen where you can choose how to start the system. Choose "Safe Mode with Command Prompt," press Enter, and then choose the operating system (only one choice for me). Windows opens in Safe Mode with a Command Prompt window. The DOS prompt is in the directory "C:\Documents and Settings\Administrator." Type 'cd..' (without the quotes) & press Enter to drop a directory to "C:\Documents and Settings." Now type 'dir', press Enter, & you will see the directory list for the users. Type 'cd Joe' (or whoever you are) & you will be in Joe's directory. Enter the command 'dir' again & you will NOT see ntuser.dat because it is hidden. To see it, enter the command 'dir /a:h' & you will see the two ntuser.dat files. The goal here is to rename them so they are accessible in Windows Regular Mode. However at this point you cannot rename them using the rename command because they are hidden, so you must change their attributes. The command 'attrib -h ntuser.dat' will unhide the file. Verify this by using the 'dir' command. Then enter 'ren ntuser.dat ntuser.txt'. Voilà!! Use the same procedure for the ntuser.dat.LOG file. Reboot the machine.

Using FileAlyzer (from the makers of Spybot- it's free), you can now open the file. Choose the Hex Dump tab, & click List Strings. The strings list shows up in the left frame of FileAlyzer. It shows short one-line strings of actions taken. There are strings referencing keys pressed, scrolling locations, window sizes, addresses, etc. The right frame is divided into two sections. The left part shows the hex values & the right is a mixture of code symbols & text. I saw file names of pictures, text documents, etc. that I had opened since I installed XP, as well as program names. I didn't see any text showing web sites visited, although the word "address" does appear in the left frame. Perhaps the site names are within the code or in another .dat file. From what I've read it seems the web logging is linked to Internet Explorer. The word address doesn't appear that much, as I hardly use IE. I've been using Firefox for a while, and I have all caching turned off. However I did see the name of a web page file that I saved from Firefox using the "Save Page As..." command.

In essence this file seems to contain a complete history of just about everything a user does on the computer since it was first booted. So a 60MB+ file size contains quite a long history. In my readings on ntuser.dat I have found it also stores passwords, form information, etc. To me this is a definite privacy issue, as this is done without the knowledge of the user. This is like buying a new dresser for your room, unaware that there are devices inside it recording everything you put in, take out, or place on top. It's possible ole Billy Boy is doing this as a tool to fight cyber crime. But what happens when this file is hacked? All of a user's personal information is there for the taking, and the user doesn't even know it.

Well I hope this helped. Take care, surf safely, and always clean those files up.
  • | Post Points: 20
Top 200 Contributor
Points 1,080
After working with Microsoft over the last few months we have found our problem to be the following key.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Backup

We have since fixed our PRF file to stop this registry key from growing.

  • | Post Points: 20
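Added example (not part of any post in this thread, and not a Microsoft tool): one way to answer the original question of what is inflating an NTUSER.DAT is to export the hive to .reg text with `reg export` and total the value data per registry subtree. The sample export below, including its subkey and value names, is constructed; the totals estimate value data only, not hive cell overhead.

```python
import re
from collections import Counter

# A value line is "name"=data or @=data; names may contain escaped quotes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def data_size(rhs):
    """Approximate size in bytes of one value's data as written in a .reg file."""
    if rhs.startswith("dword:"):
        return 4
    if rhs.startswith("hex"):                     # hex:, hex(2):, hex(7):, ...
        return sum(1 for b in rhs.split(":", 1)[1].split(",") if b.strip())
    text = rhs[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return 2 * (len(text) + 1)                    # UTF-16LE string plus NUL

def rank_subtrees(reg_text, depth):
    """Sum value data per key path cut to `depth` components, largest first."""
    totals = Counter()
    key = None
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)   # join hex continuation lines
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = "\\".join(line[1:-1].split("\\")[:depth])
        elif key is not None:
            m = VALUE_RE.match(line)
            if m:
                totals[key] += data_size(m.group(2))
    return totals.most_common()

# Constructed sample export. For a real file written by `reg export`, read it
# with open(path, encoding="utf-16").read() before passing it in.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Backup\section-0001]
"label"="Backup copy 1"
"blob"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,\
  11,12,13,14,15,16,17,18,19,1a,1b,1c,1d,1e,1f,20

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\section-0001]
"label"="Outlook"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"WheelScrollLines"=dword:00000003
'''

if __name__ == "__main__":
    for path, size in rank_subtrees(SAMPLE, 8):
        print(f"{size:>8}  {path}")
```

Start with a small `depth` to find the heaviest top-level branch, then raise it to drill down toward the key that is growing.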
Top 200 Contributor
Points 1,030
ORIGINAL: SuperPippo

I've been working for years now with Roaming Profiles but I have never heard of ntuser.dat files of this size ! Are you referring to the single ntuser.dat file or to the entire user profile folder ?

Btw, how long does it take for the user profile to load upon logon ???

60 meg WOW, Our ntuser.dat files are around 2mb
  • | Post Points: 20
Top 10 Contributor
Points 36,234
That's got to be either the entire profile or a corrupted dat file, as I've never seen one this big. The ntuser.dat file on my workstation is 14MB and I've got all kinds of software installed i.e. Visual Studio, SQL Server, Office 2003 Pro, OpenOffice 2.0, NextGen (our Medical App)...

Patrick Rouse
Microsoft MVP - Remote Desktop Services
Systems Consultant
Quest Software, Desktop Virtualization Group
www.vWorkspace.com

  • | Post Points: 5
Guest replied on Thu, Aug 24 2006 5:54 AM
What did you do to fix the prf-file? We are experiencing the same problem. ntuser.dat files grow to over 50Mb due to backup entries in the windows messaging subsystem key.

thanks.
  • | Post Points: 35
Not Ranked
Points 5
Try cleaning your registry using tools like CCleaner.

  • | Post Points: 5
Top 50 Contributor
Points 3,790
ORIGINAL: Guest

What did you do to fix the prf-file? We are experiencing the same problem. ntuser.dat files grow to over 50Mb due to backup entries in the windows messaging subsystem key.

thanks.


Add an entry to your custom.prf file under General:

BackupProfile=No
  • | Post Points: 20
Guest replied on Wed, Oct 4 2006 3:57 AM
Ever heard of this? My NTUSER.DAT file is apparently infected with a Data Miner virus, it is showing itself to be a Video CD Movie, it currently is 4,096 KB in size, and unrecognizable to any of my video playing software. (Unable to open it, delete it, or shred it.) My antivirus software recognizes it as a virus but is unable to destroy it, I have tried many! Along with it is a ntuser.dat.LOG (Text Document) 1 KB, also undeletable. Inside my cookies folder is another (Video) Index.dat file 48 KB, which creates txt 1 KB files of my activity, however they are deletable. One of the two video files also keeps creating a recently used folder that is deletable but it keeps coming back. Ever heard of anything like this? Any suggestions?
  • | Post Points: 5