Topic: WR 4.7.0 secure mode net admin@win 10 1909, Reg Backup: ntuser.dat doesn't exist

Offline Iarsin

  • Newbie
  • *
  • Join Date: Nov 2019
  • Posts: 4
  • Karma: 0
Hello,

I'm trying to fix some things with Windows Repair, as mentioned in the subject. I'm on Windows 10.0.18363 64bit.

Unfortunately I had some trouble with ReparsePoints, and now I'm not able to create a Registry Backup flawlessly.

Code:
[22.11.2019 - 18:15:31] Backing Up File: C:\Users\Administrator\ntuser.dat
[22.11.2019 - 18:15:31] Result: Failed - Error: -1 (API Reg Save Failed (), Tried File Copy, File In use, Cannot copy.)

I also had to use the Fallback method, even though I'm able to run vssadmin in PowerShell, and I deleted older VSS Snapshots successfully. I also started the VSS service.

Here are the errors without the fall back method:

Log_vss.txt
Code:
C:\>
--------------------------------------------------------------------------------
[22.11.2019 - 18:09:21]
--------------------------------------------------------------------------------
"C:\Windows\temp\vss_start.bat"

C:\>set path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\registry_backup_tool\files

C:\>"C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\registry_backup_tool\files\vss_7_8_2008_2012_64.exe" -script="C:\Windows\temp\vss-setvar.bat" -exec="C:\Windows\temp\vss.bat" C:

--------------------------------------------------------------------------------
[22.11.2019 - 18:09:21]
--------------------------------------------------------------------------------

VSHADOW.EXE 3.0 - Volume Shadow Copy sample client.
Copyright (C) 2005 Microsoft Corporation. All rights reserved.


(Option: Generate SETVAR script 'C:\Windows\temp\vss-setvar.bat')
(Option: Execute binary/script after shadow creation 'C:\Windows\temp\vss.bat')
(Option: Create shadow copy set)
(Gathering writer metadata...)
(Waiting for the asynchronous operation to finish...)
Error during the last asynchronous operation.
- Returned HRESULT = 0x80042302
- Error text: VSS_E_UNEXPECTED
- Please re-run VSHADOW.EXE with the /tracing option to get more details

Log_Backup.txt
Code:
[...]
[22.11.2019 - 18:09:19] Waiting for Volume Shadow Copy snapshot...

[22.11.2019 - 18:09:49] Volume Shadow Copy Failed! vss_7_8_2008_2012_64.exe isn't running. Check the Log_VSS.txt file to view any errors.
[22.11.2019 - 18:09:49] Is vss_start.exe Running: True
[22.11.2019 - 18:09:49] Is vss_7_8_2008_2012_64.exe Running: False
[22.11.2019 - 18:09:49] Is vss_pause.exe Running: False
[...]
[22.11.2019 - 18:09:51] Backing Up File: C:\Users\Administrator\ntuser.dat
[22.11.2019 - 18:09:51] Result: Failed - Error: -1 (API Reg Save Failed (), Tried File Copy, File In use, Cannot copy.)
[...]

I also tried to see, if the Admin account is activated, I doubt that.
Code:
PS C:\Windows\temp> net user Administrator /active
Der Befehl wurde erfolgreich ausgeführt.

PS C:\Windows\temp> net user Administrator
Benutzername                        Administrator
Vollständiger Name
Beschreibung                        Vordefiniertes Konto für die Verwaltung des Computers bzw. der Domäne
Benutzerbeschreibung
Länder-/Regionscode                 000 (Standardsystemvorgabe)
Konto aktiv                         Ja
Konto abgelaufen                    Nie

Letztes Setzen des Kennworts        ‎22.‎11.‎2019 18:20:58
Kennwort läuft ab                   ‎03.‎01.‎2020 18:20:58
Kennwort änderbar                   ‎22.‎11.‎2019 18:20:58
Kennwort erforderlich               Ja
Benutzer kann Kennwort ändern       Ja

Erlaubte Arbeitsstationen           Alle
Anmeldeskript
Benutzerprofil
Basisverzeichnis
Letzte Anmeldung                    ‎11.‎04.‎2019 13:06:53

Erlaubte Anmeldezeiten              Alle

Lokale Gruppenmitgliedschaften      *Administratoren
                                    *HomeUsers
Globale Gruppenmitgliedschaften     *None
Der Befehl wurde erfolgreich ausgeführt.

Code:
PS C:\Windows\temp> ls "C:\Users\Administrator\ntuser.dat"
ls : Das Element C:\Users\Administrator\ntuser.dat konnte nicht gefunden werden.
In Zeile:1 Zeichen:1
+ ls "C:\Users\Administrator\ntuser.dat"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\Administrator\ntuser.dat:String) [Get-ChildItem], IOException
    + FullyQualifiedErrorId : ItemNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand


I'm not sure, but I think that, if the admin account is not "active", that means, there is not yet an admin account with a ntuser.dat on the system, or is that a defect?


If that's not a defect, I can safely omit or ignore the errors, am I right?

Thank you in advance!
« Last Edit: November 22, 2019, 10:51:14 am by Iarsin »

Offline Boggin

  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
I'm not sure if that cmd net user administrator /active has activated the hidden admin account as the cmd would normally be net user administrator /active:yes to activate it and no would be used to disable it.

The original user on a computer is automatically afforded admin rights.

Did the Pre-Scan of the repair program snag some missing reparse points and the program's repair of those not complete?

Open a Command Prompt (Admin) and enter these cmds -

dism /online /cleanup-image /startcomponentcleanup

dism /online /cleanup-image /restorehealth

sfc /scannow

Enter exit to close the cmd window when done but let me know if you get any error messages for either cmd.
« Last Edit: November 22, 2019, 01:59:00 pm by Boggin »

Offline Boggin

I've just run the Pre-Scan on my Win 10 1909 and it came back without error.

I then opened the repairs in normal mode and checked to see if it had created a registry back up - which it did.

I then went into Event Viewer and saw this error which it has been producing of late and of which others have reported -

Log Name:      Application
Source:        Application Error
Date:          22/11/2019 22:15:46
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      KAM4-TOSH
Description:
Faulting application name: TweakingRegistryBackup.exe, version: 3.5.0.3, time stamp: 0x582f3b59
Faulting module name: MSVBVM60.DLL, version: 6.0.98.15, time stamp: 0x49b01fc3
Exception code: 0xc000041d
Fault offset: 0x000c9ba6
Faulting process ID: 0x1e94
Faulting application start time: 0x01d5a18255d7d455
Faulting application path: C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\registry_backup_tool\TweakingRegistryBackup.exe
Faulting module path: C:\WINDOWS\SYSTEM32\MSVBVM60.DLL
Report ID: 6bbef93a-06f5-40ae-8dd2-fc7c8076aeb7
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2019-11-22T22:15:46.091252100Z" />
    <EventRecordID>14815</EventRecordID>
    <Channel>Application</Channel>
    <Computer>KAM4-TOSH</Computer>
    <Security />
  </System>
  <EventData>
    <Data>TweakingRegistryBackup.exe</Data>
    <Data>3.5.0.3</Data>
    <Data>582f3b59</Data>
    <Data>MSVBVM60.DLL</Data>
    <Data>6.0.98.15</Data>
    <Data>49b01fc3</Data>
    <Data>c000041d</Data>
    <Data>000c9ba6</Data>
    <Data>1e94</Data>
    <Data>01d5a18255d7d455</Data>
    <Data>C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\registry_backup_tool\TweakingRegistryBackup.exe</Data>
    <Data>C:\WINDOWS\SYSTEM32\MSVBVM60.DLL</Data>
    <Data>6bbef93a-06f5-40ae-8dd2-fc7c8076aeb7</Data>
    <Data>
    </Data>
    <Data>
    </Data>
  </EventData>
</Event>

I've reported this to Shane but haven't had any feedback on it yet.

Offline Iarsin

Hi, thank you Tom for your kind reply.

I'm rather worrying about the missing(?) ntuser.dat. I think it might be missing because the admin account isn't activated. I don't know exactly how I can tell that with a simple cmd on the console.

Tweaking Windows Repair 4.70 Registry Backup results in 16/17 files backed up. All registry files but the ntuser.dat of the administrator.

Regarding the Reparse files (symlinks), I had a mimetype_icons of the faenza_icon_theme in the download folder, and 7zipped that, because that came with thousands of symlinks.


« Last Edit: November 22, 2019, 02:48:24 pm by Iarsin »

Offline Boggin

I'm not sure if this will confirm if your account is activated as an admin but go Start - Settings - Accounts and check to see what it says in Your Info.

Mine shows as this but run those Dism cmds.

Offline Iarsin

I now restarted the program under my login and didn't restart in safe mode.

But I also activated the Administrator account, because yes is the default if I issue the command without :yes or :no.
Code:
PS C:\Windows\system32> net user Administrator|findstr "Konto aktiv"
The "Konto aktiv" ("Account active") line shows that.

Code:
[22.11.2019 - 23:58:00] Backing Up File: C:\Users\Administrator\ntuser.dat
[22.11.2019 - 23:58:00] Result: Successful (512,00 KB) - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\registry_backup_tool\Backups\Windows10\22.11.2019_23.57.58\C\Users\Administrator\ntuser.dat

So everything is fine now. The culprit was that the admin account wasn't activated, I guess, though I'm not sure. Maybe the culprit was the safe mode and starting the program with admin rights. Thank you!
« Last Edit: November 22, 2019, 03:13:20 pm by Iarsin »
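
A locale-independent version of the checks made in the posts above (account state via net user, hive presence via ls), as an added example that is not from any poster or from Tweaking.com. The function name Get-BuiltinAdminProfileState is hypothetical, and the code assumes Windows PowerShell 5.1 on Windows 10 in an elevated session.

```powershell
# Added example, not part of the thread. Function name is hypothetical.
function Get-BuiltinAdminProfileState {
    # The built-in Administrator is identified by RID 500, so this works
    # regardless of display language or a renamed account.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'No local account with RID 500 found.' }

    # Ask Windows where the profile of that SID lives instead of assuming
    # C:\Users\Administrator; no result means no profile is registered.
    $sid = $admin.SID.Value
    $userProfile = Get-CimInstance -ClassName Win32_UserProfile -Filter "SID='$sid'"

    $hive = $null
    if ($userProfile) {
        $hivePath = Join-Path -Path $userProfile.LocalPath -ChildPath 'NTUSER.DAT'
        # NTUSER.DAT carries the Hidden attribute. Get-Item and Get-ChildItem
        # skip hidden items unless -Force is given.
        $hive = Get-Item -LiteralPath $hivePath -Force -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        AccountName    = $admin.Name
        Enabled        = $admin.Enabled      # Boolean, not a localized text line
        LastLogon      = $admin.LastLogon
        ProfilePath    = if ($userProfile) { $userProfile.LocalPath } else { $null }
        # Loaded = True means the profile's hive is currently open by the system.
        ProfileLoaded  = if ($userProfile) { $userProfile.Loaded } else { $false }
        HiveExists     = [bool]$hive
        HiveAttributes = if ($hive) { $hive.Attributes } else { $null }
        HiveSizeBytes  = if ($hive) { $hive.Length } else { $null }
    }
}

Get-BuiltinAdminProfileState | Format-List
```

Enabled replaces matching on the localized "Konto aktiv" line, and HiveExists distinguishes a file that is really absent from one that is only hidden from a listing made without -Force.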

Offline Boggin

Can you try the registry backup again?

Offline Iarsin

As I mentioned in my last post, everything is fine now.

Offline Boggin

Okay.