lilith.tec-man.com

Windows Profile Migration
Using
Brute Force and Ignorance

Almost 100% Command Line!

WARNING: The instructions below present all sorts of opportunities to break things in fantastic and horrible ways. This document was written with people who are already quite familiar with Windows internals in mind. If you are such a person then the following might facilitate a slight lessening of your misery. If you are not such a person and you continue then you will probably destroy many wonderful things that you love in a sadistic and hideous manner.

Introduction (yes, you can skip this section)

One of my major irritations with Windows is that non-domain user profiles are virtually locked to specific windows installs. This wouldn't be such a problem if one could do things in Windows like move the mouse or press the shift key without the operating system obliterating itself.

Sadly if one wishes to use windows without having Russian key loggers broadcast one's bank account/pin numbers over the Internet one must reinstall windows an average of once every minute. Failure to reinstall windows at least once every week typically causes the machine it is running on to run wild in the night, eating neighbor's pets and babies.

Every time one re-installs windows one must deal with the festering colostomy bags known as the Windows Profiles. Windows Profiles contain pretty much all user files and configurations. Hidden within a profile are millions and millions of user SID numbers. SID numbers are like UIDs from other operating systems except that.

Below I present a fairly functional method of migrating non-domain Windows 2000/XP profiles from one windows install to another.

Things that you will need

Step 1: Make a User

Using the net command we can create a new user in the SAM. Run exactly as below the account gets a blank password; give it one by passing the password as the second argument.

net user username /add

Step 2: Get The New User's SID

  1. Go to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names and find the subkey named after your user. (By default only SYSTEM may read anything under HKEY_LOCAL_MACHINE\SAM\SAM, so run the registry editor as SYSTEM, for example through the at scheduler, or temporarily grant Administrators read access.)
  2. Look at the subkey's default value. Its data is empty; the RID (R = Relative, ID = ID) is carried in the value's type, which regedit shows in the Type column as a hex number such as 0x3e8.
  3. Go to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\[RID], where [RID] is the RID written as eight hex digits (0x3e8 becomes 000003E8).
  4. Open the binary value named V.
  5. Look for a hex string of the form:
    "01 05 00 00 00 00 00 05 15 00 00 00 XX XX XX XX XX XX XX XX XX XX XX XX XX XX"
    (XX represents an unknown value). This is the user's SID, copy it down. The fixed prefix is S-1-5-21 (revision 1, five sub-authorities, NT authority 5, first sub-authority 21); the next twelve XX bytes identify the machine and are the same for every local user, and the last two pairs store the user's RID in reverse (little-endian) byte order, so 3ed would be "ed 03". A complete SID is actually 28 bytes, the RID being a full four bytes; the two bytes after "ed 03" are "00 00" for any RID below 65536, which is why the 26-byte form above is enough to tell one user from another.

Step 3: "Solidify" The User's Profile Path

This is the one part where it is difficult to get by without actually *gag* using windows.

Even though we have created a user, the user's profile path is undefined. We need to have it defined in the registry (under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList, in a subkey named after the user's SID in text form). I have yet to find a way to do this through the net command. The two other ways of doing this are:

  1. Log in as the user and log out again. This creates the ProfileList entry and an empty profile directory under Documents and Settings. Log out completely before going on: while the user is logged in NTUSER.DAT is loaded and locked, so it can be neither copied over nor rewritten. The name of the new ProfileList subkey is the textual SID, a handy cross-check of the bytes you copied down in step 2.
  2. Create the user profile information in the registry by hand.

Method 2 is rather involved and I will not be dealing with it here. See footnote F1 for (some) more information.

Step 4: Copy The Profile

I'm using cp/mv here. However you can use whatever you like. Copy the old profile directory over the one the login in step 3 created, with the user logged off, and keep the old profile around until the migrated one is known to work.

Step 5: Change the User's Hive Permissions

This is the fun part. Throughout the user's hive (NTUSER.DAT) the old SID appears in the security descriptors that make up the hive's access control lists, and in value data that refers to the user. These entries are associated with the user's SID from the old windows install. What we do here is swap out all of the old SIDs with the new one.

The XXes represent what you found above in step 2, they are not literal XXes. The -s string is the pattern searched for, -S is a mask over it (ff bytes must match, 00 bytes match anything) and -r is what every match is overwritten with, so the command below matches every S-1-5-21 SID in the file and turns it into the new user's SID. That is the brute force of the title: any other accounts and groups from the old machine that are mentioned in the hive end up as the new user too. binmay writes its result to ntuser.dat.new and leaves ntuser.dat alone; once the run looks sane, move the original aside and rename the new file into place. The user must be logged off while this is done.

  1. cd "c:\Documents and Settings\username"
  2. binmay -v -i ntuser.dat -o ntuser.dat.new -s "01 05 00 00 00 00 00 05 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" -S "ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" -r "01 05 00 00 00 00 00 05 15 00 00 00 XX XX XX XX XX XX XX XX XX XX XX XX XX XX"
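As an added worked example for steps 2 and 5 (my own code, not from the original page and not part of binmay), the following POSIX shell functions convert a SID between its textual form and the byte layout that appears in the SAM V value and in NTUSER.DAT, and build a binmay command that swaps one exact SID for another instead of the wildcard match above. It assumes, as the page's own command does, that -S is a byte mask over -s in which ff means "this byte must match"; the sample SIDs are constructed and belong to no real machine.

```shell
#!/bin/sh
# Added example, not code from the original page or from binmay.
# Converts a SID between "S-1-5-21-A-B-C-RID" and the little-endian
# byte layout found in the SAM "V" value and in NTUSER.DAT, and builds
# the binmay arguments for an exact old-SID -> new-SID swap.
# Assumption (taken from the page's own command): -S is a byte mask
# over -s, ff = this byte must match, 00 = wildcard.

# Print a 32-bit value as four little-endian hex bytes.
dword_le() {
	printf '%02x %02x %02x %02x' \
		$(( $1 & 255 )) $(( ($1 >> 8) & 255 )) \
		$(( ($1 >> 16) & 255 )) $(( ($1 >> 24) & 255 ))
}

# sid2hex S-R-A-S1-...-Sn  ->  "RR NN 00 00 00 00 00 AA <S1> ... <Sn>"
# RR = revision, NN = sub-authority count, AA = the 48-bit identifier
# authority stored big-endian (only authorities below 256 handled here),
# then each sub-authority as a little-endian DWORD.
sid2hex() {
	rest=${1#S-}
	rev=${rest%%-*};  rest=${rest#*-}
	auth=${rest%%-*}; rest=${rest#*-}
	old_ifs=$IFS; IFS='-'; set -- $rest; IFS=$old_ifs
	printf '%02x %02x 00 00 00 00 00 %02x' "$rev" "$#" "$auth"
	for s in "$@"; do printf ' %s' "$(dword_le "$s")"; done
	printf '\n'
}

# hex2sid "01 05 00 ..."  ->  S-1-5-21-...   (inverse of sid2hex)
hex2sid() {
	set -- $1                              # one parameter per byte
	rev=$(( 0x$1 )); n=$(( 0x$2 ))
	auth=$(( (0x$7 << 8) | 0x$8 ))         # low 16 bits of the authority
	shift 8
	out="S-$rev-$auth"
	i=0
	while [ "$i" -lt "$n" ]; do
		out="$out-$(( 0x$1 | (0x$2 << 8) | (0x$3 << 16) | (0x$4 << 24) ))"
		shift 4; i=$(( i + 1 ))
	done
	printf '%s\n' "$out"
}

# binmay_args OLD_SID NEW_SID FILE  ->  exact-match binmay command line.
# Refuses SIDs of different encoded length: a replacement that changes
# length shifts every structure behind it and corrupts the hive.
binmay_args() {
	old=$(sid2hex "$1") || return 1
	new=$(sid2hex "$2") || return 1
	if [ "${#old}" -ne "${#new}" ]; then
		echo "binmay_args: $1 and $2 encode to different lengths" >&2
		return 1
	fi
	# every byte of the search string is fixed, so no wildcard matches
	mask=$(printf '%s' "$old" | sed 's/[0-9a-f][0-9a-f]/ff/g')
	printf 'binmay -v -i "%s" -o "%s.new" -s "%s" -S "%s" -r "%s"\n' \
		"$3" "$3" "$old" "$mask" "$new"
}

# Constructed sample SIDs, not from any real machine.
binmay_args S-1-5-21-1234567890-987654321-123456789-1005 \
            S-1-5-21-111111111-222222222-333333333-1003 ntuser.dat
```

sid2hex lets you confirm that the bytes copied out of V agree with the ProfileList subkey name created in step 3, and hex2sid turns a pattern found in a hive back into something readable. binmay_args emits the full 28-byte form (the page's 26-byte pattern plus the RID's trailing "00 00") and only touches the one SID you name, so other accounts from the old machine that are mentioned in the hive are left as they are.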

Step 6: Change the User's File Permissions

NOTE: the duplicate lines below differ only by a backslash appended to the directory name. This is necessary because without the backslash the command affects only the directory itself, and with the backslash it affects only the subdirectories and files of the selected directory, not the directory itself. The files copied in step 4 still carry access control entries for the old SID, so the same old-to-new swap done on the hive in step 5 has to be applied to the profile directory; until it is, the new account may not be able to read its own profile.

All Done!

You should now have your profile back. Beyond the numerous dead shortcuts (they still point at paths on the old install) your profile should be ready for use.


Footnotes

F1. Some User Profile Path Information

The following did work for a time a few years ago. It does not work now (I think I switched everything over to winreg.exe just to find that winreg.exe was shot). At least it will provide you with some clues.

If there is enough interest in this stuff then I might try to get it working again at some point.

	# get_sidrid and get_binsid are used below but were never included on
	# this page; they are expected to print, for the user named in $1,
	# the textual SID with RID (S-1-5-21-...-RID) and its hex bytes.
	HIVE=HKEY_LOCAL_MACHINE
	SACC="SAM\\SAM\\Domains\\Account"

	# Emit the four ProfileList values for user $1, one per line, as
	# "path<TAB>type<TAB>data" for winreg to write.
	build_profile()
	{
		SIDRID=$(get_sidrid "$1")

		UPATH='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList'
		SPATH='%SystemDrive%\\Documents and Settings'

		# both paths contain spaces, so they must be quoted or printf
		# receives them as several arguments
		printf "%s\\\\$SIDRID\\\\ProfileImagePath\tEXPAND_SZ\t%s\\\\\\\\$1\n" "$UPATH" "$SPATH"

		printf "%s\\\\$SIDRID\\\\Sid\tBINARY\t%s\n" "$UPATH" "$(get_binsid "$1")"
		printf "%s\\\\$SIDRID\\\\Flags\tDWORD\t00000000\n" "$UPATH"
		printf "%s\\\\$SIDRID\\\\State\tDWORD\t00000000\n" "$UPATH"
	}

	# Print the twelve machine-specific bytes of the local machine SID
	# (the a-b-c of S-1-5-21-a-b-c), which end the Account key's V value,
	# and cache them in GLOB_SID.
	get_sid()
	{
		if [ "$GLOB_SID" != "" ]; then
			echo "$GLOB_SID"
			return
		fi
		STR='HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\V'

		STR2=$(winreg -F: -t "$HIVE\\$SACC" | grep "$STR" | cut -f2 -d:)

		WC=$(echo $STR2 | wc -w)

		# the last twelve bytes of V are the three sub-authority DWORDs
		OFF=$(($WC-11))

		GLOB_SID=$(echo $STR2 | cut -f$OFF-$WC -d" ")

		echo "$GLOB_SID"
	}

F2. Windows SAM (Security Accounts Manager)

Security Accounts Manager Information.