Manage Learn to apply best practices and optimize your operations.

Understanding NTUser.dat in Windows 10

Saw a fascinating question on TenForums this morning, as I was making my “morning run” though the new threads there. It appeared in a thread named “ntuser.dat” and read “Why do I have so many ntuser.dat files?” Being one to look for evidence any time Windows quirks or behaviors are described, I immediately fired up voidtools’ (Search) Everything to look for that string in my file system. Right now, it turns up 60 objects, of which many are logs or pending registry transmissions (files of type .regtrans-ms). But there is also one file named ntuser.dat and eight more files named NTUSER.DAT. Obviously, there’s something interesting and useful going on with all these copies. And, as it turns out understanding NTUser.dat in Windows 10 hinges on understanding user profiles and typical accounts on a Win10 systems.

Of the 60 items with “ntuser.dat” in their names, these nine items shown take that name precisely on my production PC. What gives?

Why Bother Understanding NTUser.dat in Windows 10?

As it happens, each and every user profile created on a particular running instance of Windows 10 has its own NTUser.dat file. This file contains personal files and preference settings particular to each such user. As you can tell from looking at those files on my production PC (depicted in the preceding screenshot), this includes default and “behind-the-scenes” accounts as well as user accounts. That’s why we see a system account (…System32\Config\systemprofile), various service accounts (… NetworkService and …LocalService), and dot-NET accounts (dot-NET v4.5 Classic and dot-NET v.5), plus Administrator, Default and DefaultAppPool accounts. The only real user account is C:\Users\etitt. It reflects my Microsoft Account, which starts with the 5 characters “etitt”.

As it also turns out, messing with files with this name is NOT a good idea. Deleting an NTUser.dat file destroys the associated account’s preferences and settings and may even corrupt the associated user profile. Each such file has one or more backups, which appears as a file named NTUser.dat.log. If an error occurs in the master copy of NTuser.dat, Windows can use one or more log files to correct it. NTUser.ini files describe roaming profiles used in networked environments. You can rename this file But that changes the user profile from a user-controlled profile to a locked-down profile that users can alter only temporarily (changes are not saved when the user logs out).

Writing the NTUser.dat happens during login; essentially, it’s a copy of the Windows Registry’s HKEY_CURRENT_USER hive. The contents of the user profile changes constantly over time: it reflects changes that occur while Windows is running. Windows size and position, for example, changes each time you open, move, or resize an application window. And that’s just the tip of a very large iceberg of data that goes into keeping constant track of user activity.

How NTUser.dat Changes

Though user settings, preferences, and so forth change at runtime, NTUser.dat stays static. Rather, those changes go into a raft of  .regtrans-ms files that Windows 10 creates. Windows 10 processes these files whenever a user logs out, or the system shuts down or restarts. This controls and manages Registry writes, much like a “database commit” operation. (Note: database commit is a complex and interesting concept with many wrinkles, with much thought and effort required for proper implementation. For now, this means “changes either happen completely, or they don’t happen at all”. That keeps databases — including the Registry, in this case — consistent at all times.)

Thus, even when an uncontrolled shutdown or a BSOD occurs, NTUser.dat remains OK. User settings and preferences changes from the preceding session are lost. But user profiles remain intact and consistent.

I completely agree with long-time TenForums VIP and Guru member Bree (identified in the “ntuser.dat” thread mentioned at the outset of this blog post). Here’s his take on messing with or deleting files named NTUser.dat: “Best leave them alone then.” Well said, and advice worth following!

Virtual Desktop