Windows User Profiles: Composition, Architecture, and Mandatory Profile Internals

1. User Profile Composition

A Windows user profile encapsulates user-specific data, configuration settings, and application states. Its primary components are registry hives and a hierarchical file system structure.

1.1 Component List

  • Registry Hives:
    • NTUSER.DAT: The core registry hive file located directly within the user's profile root directory (e.g., C:\Users\Username\NTUSER.DAT). Upon user logon, this hive is loaded by the User Profile Service (ProfSvc) and mounted into the registry under HKEY_USERS\<User_SID>. The well-known HKEY_CURRENT_USER (HKCU) root key is then established as a symbolic link to HKEY_USERS\<User_SID>. This hive stores the majority of user-specific registry settings, including application preferences, environment variables, connected hardware configurations (printers, mapped drives), Windows interface customizations (themes, colors, desktop settings), and control panel configurations. The handling of this file (read-write vs. read-only persistence) fundamentally distinguishes profile types like Roaming and Mandatory.4
    • UsrClass.dat: A supplementary user registry hive located by default at %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat. This hive is mounted during logon at HKEY_CURRENT_USER\Software\Classes (HKCU\Software\Classes).3 It stores per-user Component Object Model (COM) registrations, file type associations, and other class-specific information, separating them from the main NTUSER.DAT hive.3 Its default location within the AppData\Local directory signifies that it is not typically included in standard Roaming User Profile synchronization.3 Potential issues can arise if applications attempt registry writes to HKCU\Software\Classes early in the logon sequence before ProfSvc has fully mounted UsrClass.dat, potentially leading to incorrect registrations within NTUSER.DAT or conflicts.6
  • File System Folders: The primary container for the user profile's file system components is the user's profile directory, typically located at C:\Users\<Username> (identified by KNOWNFOLDERID FOLDERID_Profile {5E6C858F-OE22-4760-9AFE-EA3317B67173}).1 Within this directory, a standard set of subfolders, many corresponding to KNOWNFOLDERID GUIDs, store various categories of user data and application settings.11 An list of standard user-profile-specific folders includes:
    • AppData\Roaming (FOLDERID_RoamingAppData): %USERPROFILE%\AppData\Roaming. Stores application settings designed to follow the user via Roaming Profiles.1
    • AppData\Local (FOLDERID_LocalAppData): %USERPROFILE%\AppData\Local. Stores application data not intended for roaming, such as caches, machine-specific settings, or large data files. Also contains UsrClass.dat and Credential Manager vaults.1
    • AppData\LocalLow (FOLDERID_LocalAppDataLow): %USERPROFILE%\AppData\LocalLow. Stores data for applications running with a low integrity level, such as browsers in protected mode.9
    • Desktop (FOLDERID_Desktop): %USERPROFILE%\Desktop. Contains files, folders, and shortcuts visible on the user's desktop.1
    • Documents (FOLDERID_Documents): %USERPROFILE%\Documents. Default storage location for user-created documents.1
    • Downloads (FOLDERID_Downloads): %USERPROFILE%\Downloads. Default location for files downloaded from the internet.11
    • Favorites (FOLDERID_Favorites): %USERPROFILE%\Favorites. Stores Internet Explorer/Edge Legacy favorites.11
    • Music (FOLDERID_Music): %USERPROFILE%\Music. Default location for music files.11
    • Pictures (FOLDERID_Pictures): %USERPROFILE%\Pictures. Default location for picture files.11 Includes subfolders:
      • Camera Roll (FOLDERID_CameraRoll): %USERPROFILE%\Pictures\Camera Roll.11
      • Saved Pictures (FOLDERID_SavedPictures): %USERPROFILE%\Pictures\Saved Pictures.11
      • Screenshots (FOLDERID_Screenshots): %USERPROFILE%\Pictures\Screenshots.11
    • Videos (FOLDERID_Videos): %USERPROFILE%\Videos. Default location for video files.11
    • Start Menu (FOLDERID_StartMenu): %APPDATA%\Microsoft\Windows\Start Menu. Contains user-specific shortcuts and folders appearing in the Start Menu.1 Includes subfolders:
      • Programs (FOLDERID_Programs): %APPDATA%\Microsoft\Windows\Start Menu\Programs.12
      • Startup (FOLDERID_Startup): %APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp. Programs/shortcuts launched automatically at user logon.11
    • SendTo (FOLDERID_SendTo): %APPDATA%\Microsoft\Windows\SendTo. Contains shortcuts appearing in the "Send To" context menu.11
    • Templates (FOLDERID_Templates): %APPDATA%\Microsoft\Windows\Templates. Stores user document templates.11
    • Cookies (FOLDERID_Cookies): %APPDATA%\Microsoft\Windows\Cookies. Stores internet cookies (primarily legacy IE).11
    • History (FOLDERID_History): %LOCALAPPDATA%\Microsoft\Windows\History. Stores internet browsing history (primarily legacy IE).11
    • Recent (FOLDERID_Recent): %APPDATA%\Microsoft\Windows\Recent. Stores shortcuts to recently used files and folders.11
    • Network Shortcuts (FOLDERID_NetHood): %APPDATA%\Microsoft\Windows\Network Shortcuts. Stores shortcuts to network locations.11
    • Printer Shortcuts (FOLDERID_PrintHood): %APPDATA%\Microsoft\Windows\Printer Shortcuts. Stores shortcuts related to printers.11
    • User Pinned (FOLDERID_UserPinned): %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned. Contains subfolders for Taskbar and implicitly pinned Start Menu items.11
      • TaskBar: %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar. Stores shortcuts (.lnk files) for items pinned to the taskbar.20
      • ImplicitAppShortcuts (FOLDERID_ImplicitAppShortcuts): %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts. Stores shortcuts for applications implicitly associated with certain tasks or file types.11
    • Contacts (FOLDERID_Contacts): %USERPROFILE%\Contacts.11
    • Links (FOLDERID_Links): %USERPROFILE%\Links.11
    • Saved Games (FOLDERID_SavedGames): %USERPROFILE%\Saved Games.11
    • Searches (FOLDERID_SavedSearches): %USERPROFILE%\Searches.11
    • 3D Objects (FOLDERID_Objects3D): %USERPROFILE%\3D Objects.11
    • AccountPictures (FOLDERID_AccountPictures): %APPDATA%\Microsoft\Windows\AccountPictures.11
    • Application Shortcuts (FOLDERID_ApplicationShortcuts): %LOCALAPPDATA%\Microsoft\Windows\Application Shortcuts.11
  • Other Components:
    • User Tile Image (Legacy): %SystemDrive%\Users\<username>\AppData\Local\Temp\<username>.bmp. The mechanism for storing and retrieving the user tile image may have evolved in modern Windows versions.1

1.2 Comparative Table: Profile Type Discrepancies

The management of core profile components and user-generated changes varies significantly across different profile types. The following table summarizes these discrepancies:

Profile Type Discrepancies
Feature Local Profile Roaming User Profile Mandatory User Profile Super-Mandatory User Profile Temporary User Profile
NTUSER.DAT Local (%USERPROFILE%)
Read/Write		 Server Share (.Vxx folder)
Synced Logon/Logoff
Local cache Read/Write		 Server Share (.Vxx folder, as NTUSER.MAN)
Copied locally at logon
Local copy Read/Write		 Server Share (.Vxx.man or .Vxx folder, as NTUSER.MAN)
Copied locally at logon
Local copy Read/Write		 Local (C:\Users\TEMP...)
Read/Write (Session only)
UsrClass.dat Local (AppData\Local\...)
Read/Write		 Local (AppData\Local\...)
Not Synced
Read/Write		 Local (AppData\Local\...)
Not Synced
Read/Write (Session only)		 Local (AppData\Local\...)
Not Synced
Read/Write (Session only)		 Local (C:\Users\TEMP...\AppData\Local\...)
Read/Write (Session only)
AppData\Roaming Local (%USERPROFILE%\AppData\Roaming)
Read/Write		 Server Share (.Vxx folder)
Synced Logon/Logoff
Local cache Read/Write		 Server Share (.Vxx folder)
Copied locally at logon
Local copy Read/Write		 Server Share (.Vxx.man or .Vxx folder)
Copied locally at logon
Local copy Read/Write		 Local (C:\Users\TEMP...\AppData\Roaming)
Read/Write (Session only)
AppData\Local Local (%USERPROFILE%\AppData\Local)
Read/Write		 Local (%USERPROFILE%\AppData\Local)
Not Synced
Read/Write		 Local (%USERPROFILE%\AppData\Local)
Not Synced
Read/Write (Session only)		 Local (%USERPROFILE%\AppData\Local)
Not Synced
Read/Write (Session only)		 Local (C:\Users\TEMP...\AppData\Local)
Read/Write (Session only)
AppData\LocalLow Local (%USERPROFILE%\AppData\LocalLow)
Read/Write		 Local (%USERPROFILE%\AppData\LocalLow)
Not Synced
Read/Write		 Local (%USERPROFILE%\AppData\LocalLow)
Not Synced
Read/Write (Session only)		 Local (%USERPROFILE%\AppData\LocalLow)
Not Synced
Read/Write (Session only)		 Local (C:\Users\TEMP...\AppData\LocalLow)
Read/Write (Session only)
Persistence Changes saved locally Changes to roaming parts saved to server
Local-only parts saved locally		 Changes discarded at logoff (No sync back)1 Changes discarded at logoff (No sync back)22 Changes discarded at logoff
Profile deleted1
Offline Access Standard Uses local cache if available/enabled26 Uses local cache if available/enabled22 Logon blocked if server unavailable22 Not Applicable (Is the offline state)
Primary Mechanism Local storage only profilePath attribute/GPO; Sync at logon/logoff26 NTUSER.MAN on server prevents logoff sync4 NTUSER.MAN + .man folder path suffix prevents offline logon25 Fallback due to profile load error1
References for Table Data: 1

The inherent design of standard Roaming Profiles, specifically the exclusion of UsrClass.dat and the entire AppData\Local structure from synchronization, presents a significant challenge for achieving a truly consistent user experience across multiple machines. Many applications store critical configuration data, machine-specific identifiers, large caches, or per-user COM/file association registrations within these non-roaming locations.3 Consequently, users may encounter application errors, missing settings, or unexpected behavior when moving between workstations, as these local components are not transferred. This limitation often necessitates the use of supplementary technologies like Folder Redirection for specific user data folders or more comprehensive profile virtualization solutions (e.g., Microsoft UE-V, FSLogix Profile Containers) to capture and roam data stored outside the default roaming scope.15

Mandatory profiles inherit this limitation regarding AppData\Local and UsrClass.dat. While the NTUSER.MAN file enforces consistency for registry settings within HKCU (excluding HKCU\Software\Classes) and the AppData\Roaming folder content is reset at each logon from the server template, data written to AppData\Local or AppData\LocalLow during a session is discarded at logoff but is not actively managed or reset by the mandatory profile mechanism itself.41 The consistency guarantee primarily applies to the components defined within the server-side mandatory profile template.

1.3 User-Interactive Element Mapping

Specific user interface elements and configurations are stored in defined locations within the profile structure and managed by distinct system processes.

  • Desktop Background:
    • Storage: The path to the selected wallpaper image file is stored in the registry value HKCU\Control Panel\Desktop\Wallpaper. A history of recently used wallpapers is maintained in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers\BackgroundHistoryPath* values.43 Windows caches or transcodes the current wallpaper for efficient display, often storing it in files like TranscodedWallpaper (no extension) or within subfolders in %APPDATA%\Microsoft\Windows\Themes\.43
    • Management Processes: Explorer.exe is primarily responsible for reading the registry setting and displaying the background image. User configuration occurs through the Settings app (SystemSettings.exe) or legacy Control Panel interfaces. For slideshows or dynamic backgrounds (like Windows Spotlight), background task hosts (taskhostw.exe, potentially RuntimeBroker.exe for UWP components) or dedicated services manage the image rotation and updates.45
  • Application-Specific Settings (HKCU & AppData):
    • Storage: Application settings are predominantly stored within the user's registry hive (NTUSER.DAT, accessed via HKCU), typically under HKCU\Software\<VendorName>\<ApplicationName>. Applications also store configuration files, caches, user data, and state information within the profile's file system, utilizing AppData\Roaming for data intended to roam, and AppData\Local or AppData\LocalLow for non-roaming or machine-specific data.1
    • Management Processes: The application's own executable process is the primary entity reading and writing its settings during runtime. Installation and update processes may also modify these locations. ProfSvc manages the loading and unloading of the NTUSER.DAT hive containing the HKCU settings at logon/logoff.19 Explorer.exe interacts with settings related to shell integrations (e.g., context menu handlers registered under HKCU).
  • Start Menu/Taskbar Layout & Pinned Items:
    • Storage (Layout): Standardized Start layouts are typically defined by administrators using XML (LayoutModification.xml) or JSON (LayoutModification.json) files.50 These files are deployed via Group Policy (Computer Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout or User Configuration equivalent) or MDM (Policy CSP - Start/StartLayout or Start/ConfigureStartPins).50 The system reads these policies and applies the defined layout. The default template resides at %LOCALAPPDATA%\Microsoft\Windows\Shell\DefaultLayouts.xml.50 User customizations to the layout, if permitted, are likely stored within the user's registry (NTUSER.DAT, potentially under keys like HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage* or related keys) or possibly user-specific layout files, although the exact mechanism for persisting user deviations from a policy-defined layout is less explicitly documented in the provided materials.
    • Storage (Pinned Items):
      • Taskbar: Pinned application shortcuts (.lnk files) are stored in the %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar folder.20 Registry state related to the taskbar, possibly including pin information or order, may be stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband.21
      • Start Menu: Program shortcuts (.lnk files) pinned by the user or applications appear based on their presence in %APPDATA%\Microsoft\Windows\Start Menu\Programs and the system-wide %ProgramData%\Microsoft\Windows\Start Menu\Programs.17 Modern Windows Store app pins are managed differently, likely via registry entries or internal databases associated with the Start menu host process.17 The legacy TileDataLayer database (%LOCALAPPDATA%\TileDataLayer\Database\vedatamodel.edb) mentioned for older Windows 10 versions is likely deprecated.17
    • Management Processes: Explorer.exe renders the taskbar and manages pinned item interactions.47 The Start Menu UI itself is handled by StartMenuExperienceHost.exe in Windows 10 version 1903 and later, and Windows 11.51 This separation was implemented to improve Start Menu reliability by isolating it from Explorer.exe.52 In earlier Windows 10 versions, ShellExperienceHost.exe played a more significant role in hosting Start and other shell elements.51 Userinit.exe initiates the shell launch sequence.53 The Group Policy Client (gpsvc) applies layout policies defined by administrators.50
  • Mapped Network Drives:
    • Storage: Persistent network drive mappings are stored in the registry under HKCU\Network\<DriveLetter>, detailing the remote path (RemotePath), provider (ProviderName), and other connection details.54 Historical mount point information, including previously mapped drives, may also reside under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2.56
    • Management Processes: Explorer.exe provides the user interface for mapping and disconnecting drives and displays them in "This PC". The mapping itself is handled by the Multiple Provider Router (mpr.dll) and relevant network provider DLLs (e.g., ntlanman.dll for SMB/CIFS). Userinit.exe processes logon scripts which often contain net use commands to establish mappings automatically.53 The underlying network communication relies on the SMB client redirector driver (mrxsmb.sys or newer variants) and associated services (LanmanWorkstation).57
  • Connected Printers:
    • Storage: User-specific network printer connections are primarily stored under HKCU\Printers\Connections. User preferences for printers (e.g., default printer) and potentially some device-specific settings are found under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices and HKCU\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts.58 System-wide printer definitions, drivers, and ports are located under HKLM\SYSTEM\CurrentControlSet\Control\Print.58
    • Management Processes: The Print Spooler service (spoolsv.exe) manages print queues, printer drivers, and communication with print devices.60 Explorer.exe and the Settings app provide user interfaces for adding and managing printers. Applications interact with the spooler via printing APIs when a print job is initiated.61 Userinit.exe can connect printers via logon scripts (e.g., using rundll32 printui.dll,PrintUIEntry).
  • User-Defined Environment Variables:
    • Storage: Environment variables defined specifically for the current user are stored in the registry under HKCU\Environment.62
    • Management Processes: Userinit.exe reads these registry values during logon and incorporates them into the initial environment block for the user's session.53 This environment block is then inherited by the shell (Explorer.exe) and subsequently by any process launched by the user during the session.62 Modifications can be made via the System Properties control panel applet (SystemPropertiesAdvanced.exe) or the Settings app, which write back to the HKCU\Environment key. PowerShell cmdlets ($Env:, SetEnvironmentVariable) can also modify these for the current process or persistently in the registry.64
  • Shell Folder Customizations:
    • Storage: Settings determining folder views (icon size, columns displayed, sorting) are stored within the user's registry hive (NTUSER.DAT), primarily under HKCU\Software\Microsoft\Windows\Shell\Bags and related keys like HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU.66 (Derived from context). Customizations like specific folder icons or info tips can be defined in hidden desktop.ini files within individual folders.67 Shell Namespace Extensions, which create virtual folders or modify existing ones, register their COM objects (CLSIDs) under HKEY_CLASSES_ROOT (for all users) or HKCU\Software\Classes (for the specific user, leveraging UsrClass.dat).66
    • Management Processes: Explorer.exe is the primary process responsible for reading these settings and rendering the folder views and icons accordingly. It loads and interacts with registered Shell Extensions (which might run in-process or be hosted in dllhost.exe for isolation) to provide customized context menus, columns, or folder contents.66
  • Credential Manager Entries:
    • Storage: Credentials (Web, Windows, Certificate-based, Generic) managed by Credential Manager are stored as encrypted data blobs within .vcrd files located in %LOCALAPPDATA%\Microsoft\Credentials\ and %LOCALAPPDATA%\Microsoft\Vault\.16 The encryption relies on the Windows Data Protection API (DPAPI), using keys derived from the user's logon credentials or system keys. A corresponding Policy.vpol file in the same directories stores metadata related to the vault and DPAPI protection.16 These credentials are not part of the standard roaming profile components due to their storage location in AppData\Local.
    • Management Processes: lsass.exe plays a central role, hosting the core security services including DPAPI (dpapisrv.dll logic) and likely the Credential Manager service logic (vaultsvc.dll) responsible for secure storage and retrieval.68 Client-side interactions (saving, retrieving, enumerating credentials) occur via the vaultcli.dll library, which provides APIs used by the Credential Manager control panel, command-line tools (cmdkey.exe, vaultcmd.exe), and applications calling Credential Manager APIs (e.g., CredRead, CredWrite, CredEnumerate).16 Authentication prompts related to credential access or saving are often handled via CredUIPromptForCredentials or similar APIs, potentially hosted by processes like LogonUI.exe or the calling application.74 The local storage ensures credentials are not easily accessible over the network via the roaming profile share but necessitates re-entry on different machines unless specific roaming solutions are used.

2. Profile Type Definitions

2.1 Roaming User Profile

A Roaming User Profile is configured within an Active Directory environment to allow a user's profile settings and data (specifically, the contents designated for roaming) to follow them across different domain-joined computers. The profile is stored on a centralized network file share.1

Mechanism:
The process is orchestrated by the User Profile Service (ProfSvc) on the client machine.

  1. Logon: When a user logs on, ProfSvc queries Active Directory (via LDAP) for the profilePath attribute associated with the user account.30 If this attribute is populated with a valid server path (e.g., \\Server\Profiles\%USERNAME%), the profile is identified as roaming. ProfSvc then compares the timestamp of the server-based profile (\\Server\Profiles\Username.Vxx) with the locally cached version (if one exists and caching is enabled via GPO). Files and registry settings (NTUSER.DAT, AppData\Roaming contents) that are newer on the server are downloaded via SMB to the local profile directory (C:\Users\Username), merging with or overwriting older local files.26 The NTUSER.DAT hive is loaded into the registry. Components residing in non-roaming locations like AppData\Local, AppData\LocalLow, and the UsrClass.dat hive are not synchronized from the server and rely on the local machine's state.
  2. Logoff: Upon user logoff, ProfSvc compares the timestamps of the files and registry hive within the local profile's roaming components (NTUSER.DAT, AppData\Roaming) against the versions on the server share. Any files or the NTUSER.DAT hive that have been modified locally during the session are uploaded via SMB back to the server share, overwriting the previous versions on the server.26
  3. Conflict Resolution: The default conflict resolution strategy is "Last Writer Wins".37 If a user has simultaneous sessions on multiple computers and modifies the roaming profile components in both, the changes saved during the logoff of the last session to terminate will overwrite any changes saved by earlier sessions, potentially leading to data loss.26 This behavior underscores the importance of using Folder Redirection or profile container solutions in multi-session environments to avoid synchronization conflicts for user documents and application data.

2.2 Mandatory User Profile

A Mandatory User Profile is a specialized, pre-configured roaming user profile used by administrators to enforce a consistent, standardized desktop environment for users.1 Its defining characteristic is its read-only nature concerning persistence: changes made by the user during a session are not saved back to the profile upon logoff.23

Technical Characteristics:

  • Read-Only Enforcement: The mandatory state is primarily enforced by renaming the user's registry hive file within the profile folder on the central network share from NTUSER.DAT to NTUSER.MAN.4
  • Logon Process: Similar to a roaming profile, the contents of the mandatory profile folder (including NTUSER.MAN) are copied from the network share via SMB to the local machine when the user logs on. The NTUSER.MAN file is renamed to NTUSER.DAT within the local profile copy, allowing the registry hive to be loaded correctly into HKEY_USERS\<User_SID> (and thus HKCU) for the session77 (Implicit).
  • Change Discard Mechanism: During the user session, applications and the user can modify the local copy of the profile (files in AppData\Roaming, AppData\Local, registry keys in HKCU). However, at logoff, the User Profile Service recognizes that the profile originated from an NTUSER.MAN file and deliberately skips the synchronization step that would normally upload changes back to the server share. The local cached copy is either left intact (to be overwritten at the next logon) or deleted, depending on the "Delete cached copies of roaming profiles" Group Policy setting.24 This ensures that the next logon starts with a fresh copy of the administrator-defined profile from the server.
  • Use Cases: Ideal for scenarios requiring strict standardization and preventing user modifications from persisting, such as public kiosks, computer labs, shared workstations, or environments with specific security or application configurations that must not be altered.22

Differentiation from Super-Mandatory Profiles:
While both Mandatory and Super-Mandatory profiles use the NTUSER.MAN file to prevent changes from being saved, they differ in their behavior when the network share hosting the profile is unavailable:

  • Mandatory Profile: The profile path specified in the user's AD account attribute (profilePath) points to a standard folder name (e.g., \\Server\Share\MandatoryProf). If this path is inaccessible at logon, Windows will attempt to load a locally cached copy of the mandatory profile if one exists (and caching is permitted by policy). If no cache exists or access fails, a temporary profile may be issued.22
  • Super-Mandatory Profile: The profile path specified in the user's AD account attribute (profilePath) must end with the .man extension (e.g., \\Server\Share\MandatoryProf.man).25 This suffix signals to ProfSvc that logon must not proceed if the specified network path is unavailable. The user will be prevented from logging on; loading from a local cache or using a temporary profile is disallowed in this scenario.22 This provides a stricter level of control, ensuring the user always logs on with the centrally defined mandatory environment or not at all.

3. Detailed Architecture of Profile Management

3.1 Core Architecture Overview

Windows user profile management is a complex orchestration involving multiple processes, services, APIs, and registry settings. It begins during the interactive logon sequence and continues through session initialization, runtime, and logoff. The architecture ensures that the correct user environment (settings, data, permissions) is established based on the configured profile type (Local, Roaming, Mandatory, Temporary) and that changes are persisted or discarded according to the profile's rules.

3.2 Component Roles

  • Processes:
    • Winlogon.exe: A critical system process responsible for managing the secure desktop, handling the Secure Attention Sequence (SAS, e.g., Ctrl+Alt+Del), and initiating the logon process. It launches the Logon User Interface (LogonUI.exe), which hosts Credential Providers to capture user credentials. After receiving credentials, Winlogon.exe invokes lsass.exe via LsaLogonUser for authentication. Upon successful authentication and subsequent profile loading coordinated with ProfSvc, Winlogon.exe starts Userinit.exe to initialize the user's session environment.78 It also handles secure actions like workstation lock/unlock and password changes.
    • Userinit.exe: A transient process launched by Winlogon.exe after the user profile has been successfully loaded. Its primary functions are executed sequentially: applying user-specific Group Policy settings (triggering gpsvc), executing logon scripts (defined via GPO or the user's scriptPath AD attribute), establishing the user's environment variables (merging system and HKCU\Environment settings), restoring persistent network connections (e.g., mapped drives), and finally, launching the user's designated shell process (typically Explorer.exe, as defined in HKLM\...\Winlogon\Shell) within the user's security context.53 Userinit.exe exits immediately after launching the shell. Its successful completion is vital for the user session to become interactive; failures often result in an immediate logoff.
    • explorer.exe: The default graphical shell for Windows. It provides the familiar desktop interface, taskbar, Start Menu (in conjunction with StartMenuExperienceHost.exe), and File Explorer. Running within the user's security context, it reads and applies numerous settings from the loaded user profile (HKCU, AppData folders, shell folder customizations) and interacts with shell extensions.47 It inherits the environment block established by Userinit.exe.
    • lsass.exe (Local Security Authority Subsystem Service): A core security process. It handles user authentication requests from Winlogon.exe, verifying credentials against the local SAM database or Active Directory (using Kerberos or NTLM authentication packages).78 It generates access tokens upon successful logon, enforces local security policies, manages LSA secrets, and provides critical services like DPAPI for credential encryption/decryption used by Credential Manager.68 On Domain Controllers, lsass.exe also hosts the Kerberos Key Distribution Center (KDC) and Active Directory Domain Services (NTDS) for processing LDAP requests.85
  • Services:
    • User Profile Service (ProfSvc): Runs within a shared service host (svchost.exe). This service is the central component responsible for the mechanics of loading and unloading user profiles. It interacts with Active Directory (LDAP) to determine profile type and path, communicates with file servers (SMB) to download or upload profile data (for roaming/mandatory types), manages the loading (RegLoadKey) and unloading of user registry hives (NTUSER.DAT, NTUSER.MAN, UsrClass.dat), applies profile-specific Group Policy settings, handles profile state management (including temporary profile issuance), and performs profile cleanup operations.49 Failures in ProfSvc are a common cause of profile-related logon errors.49
    • Group Policy Client (gpsvc): Also hosted in svchost.exe. Responsible for retrieving and applying Group Policy Objects (GPOs) from domain controllers during computer startup and user logon. It processes Computer Configuration and User Configuration settings defined in linked GPOs, including policies that directly affect user profile behavior (e.g., setting roaming profile paths, enabling folder redirection, configuring profile caching, applying mandatory profile optimizations).89 It works in coordination with Userinit.exe and ProfSvc to apply relevant policies at the correct stage of logon.
  • Key DLLs/Modules:
    • userenv.dll: Provides the primary high-level Win32 API for user profile and user environment management. Functions like LoadUserProfile, UnloadUserProfile, GetProfileType, GetAllUsersProfileDirectory, and CreateProfile are exported from this DLL and utilized by processes like Winlogon.exe and services like ProfSvc to interact with user profiles.91
    • profapi.dll: Contains lower-level, potentially internal, APIs supporting the functions in userenv.dll and ProfSvc. While specific exported functions are not detailed in the provided materials, its presence and linkage suggest a role in the fundamental operations of profile loading, unloading, and state management.91
    • Winlogon.exe (as host process): While Winlogon.exe itself is the main executable, it acts as the host environment that initiates LogonUI.exe. LogonUI.exe in turn loads the registered Credential Provider DLLs.78 In Windows versions prior to Vista, Winlogon.exe directly loaded and hosted a single GINA (Graphical Identification and Authentication) DLL.100
    • Credential Providers (e.g., authui.dll, SmartcardCredentialProvider.dll, third-party DLLs): These are COM objects implemented in DLLs, loaded by LogonUI.exe. Each provider is responsible for presenting one or more authentication methods ("tiles") to the user (e.g., password field, PIN prompt, biometric scan) and collecting the corresponding credentials for Winlogon.exe to pass to LSASS.79 This modular architecture replaced the monolithic GINA model.101
    • vaultcli.dll: The client-side DLL providing the API for applications and tools (vaultcmd.exe, cmdkey.exe, Control Panel) to interact with the Windows Credential Manager (Vault). It communicates (likely via RPC) with the vault service components hosted within lsass.exe to store, retrieve, enumerate, and delete credentials stored in the user's vault (.vcrd files).71

3.3 Configuration/Metadata Locations

Configuration settings, state information, and metadata pertaining to user profiles themselves (distinct from the user data within the profiles) are stored primarily in the Windows Registry and specific file system locations.

  • Registry:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<User_SID>: This is the central registry location containing metadata for each user profile recognized by the local machine. Each subkey, named after the user's Security Identifier (SID), holds critical information about that user's profile.96 Key values within each <User_SID> subkey include:
      • ProfileImagePath (REG_EXPAND_SZ): Specifies the full path to the root directory of the user's local profile (e.g., C:\Users\Username).96
      • Flags (REG_DWORD): A bitmask indicating the type and status attributes of the profile. While official Microsoft documentation detailing all bit meanings is sparse in the provided materials1, common interpretations based on system behavior and analysis tools suggest the following potential bit values:
        • 0x0001: Mandatory profile (PROFILE_MANDATORY)93 (Inferred consistency).
        • 0x0004: Roaming profile (PROFILE_ROAMING)93 (Inferred consistency).
        • 0x0008: Temporary profile (PROFILE_TEMP)93 (Inferred consistency).
        • Other potential flags relate to cache usage, slow links, partial sync status.
      • State (REG_DWORD): Represents the current operational state of the profile. Similar to Flags, comprehensive official documentation is lacking.102 Observed values and their inferred meanings include:
        • 0x0000: Profile OK (Local profile valid).
        • 0x0004: Profile is Mandatory.
        • 0x0008: Profile is Temporary.
        • 0x0100: Profile reconciliation needed (local/server mismatch).
        • 0x0200: Default network profile available/ready.106
        • 0x0400: Profile is currently loaded.
        • 0x0800: Profile is marked as corrupt.
        • 0x2000: Profile is pending deletion.
      • The presence of a .bak suffix appended to the SID key name itself (e.g., S-1-5-21-...-1001.bak) is a strong indicator that the original profile could not be loaded, and a temporary profile was created, with the original profile's registry entry being renamed.32
      • Sid (REG_BINARY): Stores the binary representation of the user's SID.96
      • Guid (REG_SZ): Contains a GUID associated with the profile instance on the machine, possibly used for internal tracking or linking to ProfileGuid entries.96
      • ProfileLoadTimeLow / ProfileLoadTimeHigh (REG_DWORD): Together form a 64-bit FILETIME structure indicating the last time the profile was loaded.96
      • RefCount (REG_DWORD): A reference counter, likely tracking active uses of the profile.96
      • RunLogonScriptSync (REG_DWORD): A flag (0 or 1) controlling whether logon scripts should run synchronously.96
      • CentralProfile (REG_SZ): Stores the roaming profile path if set via the "Set roaming profile path for all users logging onto this computer" GPO.107
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileGuid: Appears to map profile GUIDs back to user SIDs, potentially used for profile cleanup or management tasks, though specific usage details are limited in the provided materials.109
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: Contains system-wide logon configuration, including the paths for Userinit.exe and the default Shell (explorer.exe), auto-logon settings, legal notice text, and other logon behavior controls.82
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System: Stores computer-level Group Policy settings related to user profiles, such as DeleteRoamingCache (corresponds to "Delete cached copies of roaming profiles" GPO)111 and MachineProfilePath (corresponds to "Set roaming profile path for all users..." GPO).107
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters: Contains parameters for the User Profile Service, including UseProfilePathExtensionVersion which controls profile versioning behavior for roaming profiles across different OS versions.30
    • HKEY_USERS\.DEFAULT: Contains the default user profile settings, loaded from C:\Users\Default\NTUSER.DAT.2
    • HKEY_USERS\<User_SID>: The mount point for the currently logged-on user's NTUSER.DAT hive.
    • HKEY_USERS\<User_SID>_Classes: The mount point for the currently logged-on user's UsrClass.dat hive (equivalent to HKCU\Software\Classes).3
  • Files/Folders:
    • C:\Users\Default: This hidden system folder serves as the template for creating new local user profiles. It contains a default NTUSER.DAT and a basic profile folder structure.2
    • C:\Users\Public: Contains folders (Public Desktop, Public Documents, etc.) whose contents are accessible to all users logged onto the machine.11
    • C:\ProgramData: (Corresponds to FOLDERID_ProgramData, formerly CSIDL_COMMON_APPDATA). Stores application data shared among all users on the machine. Not part of any specific user profile but relevant to the overall user environment.11
    • Network Share for Roaming/Mandatory Profiles: e.g., \\Server\Share\Profiles\. Contains the server-side copies of user profiles, typically in folders named Username.Vxx (where .Vxx indicates the profile version, e.g., .V6 for Windows 10 1607+/Server 2016+).28 Mandatory profile folders might have specific names (e.g., MandatoryKiosk.V6) and contain NTUSER.MAN instead of NTUSER.DAT.38 Super-mandatory profiles are designated by a .man suffix on the folder path specified in AD.25
    • %windir%\debug\usermode\gpsvc.log: The log file for the Group Policy Client service, enabled via registry settings, useful for troubleshooting GPO application issues.89
    • %windir%\security\logs\winlogon.log: May contain logging related to Winlogon activities.
    • Sysvol & Netlogon Shares on DCs: Host Group Policy files (SYSVOL) and logon scripts (NETLOGON) used during the user environment setup.
  • Active Directory:
    • User Object Attributes: profilePath, scriptPath, homeDirectory, homeDrive, msDS-Primary-Computer. These attributes, queried via LDAP, control roaming/mandatory profile locations, logon script execution, home folder mapping, and primary computer associations.27

4. Profile Setup Procedures

4.1 Roaming User Profile Setup

Setting up Roaming User Profiles involves configuring a network share, setting appropriate permissions, and modifying Active Directory user accounts or applying Group Policy.

  1. Create Network Share: Establish a file share on a designated server (e.g., \\FileServer1\Profiles$). The '$' makes the share hidden.
  2. Configure Permissions: Proper permissions are critical for security and functionality. Apply the following Share and NTFS permissions:30
    • Share Permissions (on Profiles$):
      • Everyone or Authenticated Users: Change (Modify is often used in practice).
      • Administrators: Full Control.
      • (Note: Relying on NTFS permissions for fine-grained control is common; some configurations use Everyone: Full Control at the share level).
    • NTFS Permissions (on the root folder, e.g., E:\Profiles):
      • Disable permission inheritance on the root folder. Choose to convert inherited permissions into explicit ones.
      • Remove generic user/group entries like Users or Everyone (unless specifically required for the "This folder only" entries below).
      • Ensure/Add the following explicit permissions:
        • CREATOR OWNER: Full Control (Applies to: Subfolders and files only)
        • SYSTEM: Full Control (Applies to: This folder, subfolders and files)
        • Domain Admins (or a dedicated Profile Admins group): Full Control (Applies to: This folder, subfolders and files)
        • Authenticated Users (or the specific security group created for roaming profile users, e.g., "Roaming Profile Users"):
          • List folder / read data (Applies to: This folder only)
          • Read attributes (Applies to: This folder only)
          • Traverse folder / execute file (Applies to: This folder only)
          • Create folders / append data (Applies to: This folder only)
      • This configuration allows users to connect to the share and create their own profile folder during their first logon. The CREATOR OWNER permission then automatically grants that user full control over their newly created Username.Vxx subfolder and its contents, while the "This folder only" scope prevents them from accessing other users' profile folders at the root level.
  3. Configure User Accounts: In Active Directory Users and Computers (ADUC), navigate to the properties of the target user account. On the "Profile" tab, enter the UNC path to the network share in the "Profile path" field, using the %USERNAME% variable: \\FileServer1\Profiles$\%USERNAME%.30 Windows automatically appends the correct profile version suffix (e.g., .V6) based on the client OS version during logon.28
  4. Configure Group Policy Objects (GPOs) (Optional but Recommended): Create and link a GPO to the Organizational Units (OUs) containing the target users and/or computers. Configure relevant settings under Computer Configuration\Policies\Administrative Templates\System\User Profiles:
    • Enable OS Version Suffix: Ensure UseProfilePathExtensionVersion registry value (HKLM\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters) is set to 1 via GPO Preferences (Registry Item) or ensure the OS updates enabling this by default are installed.30 This is crucial for compatibility across different Windows versions.
    • "Set roaming profile path for all users logging onto this computer": An alternative to setting the profilePath attribute in AD. This computer-based policy forces all users logging onto the machine (including local accounts) to use the specified roaming profile path. It modifies the CentralProfile value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<User_SID> for each user logging on.107 Use with caution, as it overrides per-user AD settings and affects local accounts.
    • "Add the Administrators security group to roaming user profiles": If enabled, automatically adds the local Administrators group with Full Control permissions to the user's specific Username.Vxx folder when it's created.
    • "Delete cached copies of roaming profiles": Enabling this policy forces the deletion of the local copy of the roaming profile at user logoff. This saves disk space on client machines but requires the full profile to be downloaded at every logon, potentially increasing logon times. Disabling or not configuring it allows the local cache to persist, enabling faster logons (only changed files are synced) and offline access using the cache. Modifies HKLM\Software\Policies\Microsoft\Windows\System\DeleteRoamingCache (REG_DWORD 1 = Enabled).111
    • "Prevent roaming profile changes from propagating to the server": If enabled, prevents the logoff synchronization back to the server, effectively making the roaming profile behave like a mandatory profile (changes are discarded).
    • "Exclude directories in roaming profile": Allows specification of relative paths within %APPDATA% (e.g., AppData\Roaming\SomeApp\Cache) that should not be synchronized. Modifies HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ExcludeProfileDirs.15
  5. Server Folder Structure: After the first successful logon of a user with a configured roaming profile, a folder named Username.Vxx (e.g., JSmith.V6) will be created on the network share (\\FileServer1\Profiles$\). This folder will contain the user's NTUSER.DAT hive and the contents of their AppData\Roaming directory, along with other potentially roamed elements.30

4.2 Mandatory User Profile Setup

Creating a mandatory profile involves preparing a template profile, copying it to a network share with specific permissions, renaming the registry hive, and configuring user accounts to use it.

  1. Create and Customize Template Profile:
    • Log on to a reference computer (matching the target client OS version) using the built-in local Administrator account or another local admin account (do not use a domain account initially).28
    • Configure desired system-wide settings.
    • Create a temporary local user account (e.g., "TemplateUser"). Log in as this user.
    • Customize the user environment: configure desktop background, application settings, Start Menu/Taskbar (note limitations in Win10+28), install necessary Line-of-Business applications, and crucially, uninstall any unnecessary default/preinstalled applications to minimize profile size and improve logon speed.4
    • Log off the template user account.
  2. Prepare Profile using Sysprep (Recommended):
    • Log back in as the local administrator on the reference machine.
    • Create an unattend.xml answer file containing the <CopyProfile>true</CopyProfile> setting within the Microsoft-Windows-Shell-Setup component.4 This setting instructs Sysprep to copy the profile of the currently logged-on user (or the last logged-on user before generalization) to the C:\Users\Default profile.
    • Run Sysprep from an elevated command prompt: C:\Windows\System32\sysprep\sysprep.exe /oobe /reboot /generalize /unattend:unattend.xml.4
    • The machine will reboot and go through the Out-of-Box Experience (OOBE). Complete the setup, logging in again with the local administrator account. The C:\Users\Default profile now contains the customizations.
  3. Copy Profile to Network Share:
    • Create a dedicated network share for mandatory profiles (e.g., \\FileServer2\Mandatory$).
    • Configure Share and NTFS Permissions (see details below). Users need Read access; Administrators need Full Control (at least initially).38
    • Open the advanced System Properties (sysdm.cpl), go to the "Advanced" tab, and click "Settings..." under "User Profiles".
    • Select the "Default Profile" (if using Sysprep) or the "TemplateUser" profile. Click "Copy To...".4 Note: This GUI method might be disabled or unreliable in newer Windows versions.38 A manual copy using Robocopy /B /MIR /SEC or XCOPY /H /E /O /X from the source profile folder (e.g., C:\Users\Default or C:\Users\TemplateUser) to the network share might be necessary.
    • In the "Copy profile to" field, enter the UNC path for the mandatory profile folder, including the correct version suffix (e.g., \\FileServer2\Mandatory$\CorpStd.V6).28
    • Under "Permitted to use," click "Change," add the group that will use this profile (e.g., "Authenticated Users" or a specific group like "KioskUsers"), and click OK.4
    • Click OK to copy the profile.
    • After copying, verify the Owner of the profile folder on the share is the Administrators group.28 Use advanced security settings on the folder to set ownership if needed, ensuring "Replace owner on subcontainers and objects" is checked.
  4. Make Profile Mandatory (Rename Hive):
    • Navigate to the newly created profile folder on the network share (e.g., \\FileServer2\Mandatory$\CorpStd.V6).
    • Ensure hidden and system files are visible in File Explorer options.
    • Locate the NTUSER.DAT file.
    • Rename NTUSER.DAT to NTUSER.MAN.4
      • Significance: Renaming the hive file to .MAN is the crucial step that signals to ProfSvc that this is a mandatory profile. This flag prevents the service from attempting to synchronize any changes made in the local copy of the profile back to the server during logoff, thus ensuring the profile remains consistent across sessions.4
  5. Configure User Accounts in Active Directory:
    • Open Active Directory Users and Computers (ADUC).
    • Locate the user account(s) or group(s) that will use the mandatory profile.
    • Open the user account properties and navigate to the "Profile" tab.
    • In the "Profile path" field, enter the UNC path to the mandatory profile folder on the share, but omit the .Vxx extension (e.g., \\FileServer2\Mandatory$\CorpStd).28 Windows will determine the correct version folder to use based on the client OS.
    • To configure a Super-Mandatory profile, append .man to the folder path entered here (e.g., \\FileServer2\Mandatory$\CorpStd.man).25
    • Click OK.
  6. Configure Group Policy Objects (GPOs):
    • Apply GPOs to the relevant OUs to optimize logon performance for mandatory profiles. Key settings (under Computer Configuration\Policies\Administrative Templates) include28:
      • System\Logon\Show first sign-in animation: Disabled
      • Windows Components\Search\Allow Cortana: Disabled (if applicable)
      • Windows Components\Cloud Content\Turn off Microsoft consumer experiences: Enabled
    • Consider enabling System\User Profiles\Delete cached copies of roaming profiles if preventing local caching (and thus offline logon) is desired.24
    • Policies like "Prevent roaming profile changes from propagating to the server" are generally unnecessary as NTUSER.MAN inherently provides this behavior.
  7. Final Permission Lockdown (Optional but Recommended): After verifying the mandatory profile functions correctly, consider changing the NTFS permissions on the profile folder on the share (CorpStd.V6) to be strictly Read-only for all accounts, including Administrators.121 This prevents accidental modification of the template profile. To update the profile later, administrators would need to temporarily grant themselves write permissions, make changes, and then re-apply the read-only restriction.
    • Share/NTFS Permissions (Mandatory Profile Share):
      • Share Permissions (on Mandatory$):
        • Authenticated Users (or specific target group): Read
        • Administrators: Full Control
      • NTFS Permissions (on E:\MandatoryProfiles and inherited by CorpStd.V6):
        • SYSTEM: Full Control
        • Administrators: Full Control (Consider changing to Read-only after setup121)
        • Authenticated Users (or specific target group): Read & Execute, List folder contents, Read
      • This restricted permission set reflects that users only need to download (read) the profile, while administrators manage its content.
  8. Detailed Registry/File/Permission Trace during Setup:
    • Registry Modified (Reference Machine): HKLM\...\ProfileList entries created/modified for template user. C:\Users\Default\NTUSER.DAT potentially overwritten by CopyProfile.
    • Registry Modified (Server): None directly related to profile content. AD user object attributes modified via LDAP.
    • Registry Modified (AD): userAccount object attributes (profilePath).
    • Files Created/Modified (Reference Machine): C:\Users\TemplateUser folder and contents customized. C:\Users\Default folder potentially updated by Sysprep. unattend.xml created.
    • Files Created/Modified (Server): Profile folder (CorpStd.V6) created on share. Contents copied from reference machine. NTUSER.DAT renamed to NTUSER.MAN.
    • Permissions Set (Server): Share permissions applied to Mandatory$. NTFS permissions applied to E:\MandatoryProfiles and inherited/set on CorpStd.V6. Ownership of CorpStd.V6 set to Administrators.

5. Logon Process with a Mandatory Profile (Under the Hood)

The logon process for a user configured with a Mandatory User Profile involves a detailed sequence of interactions between client-side components, Domain Controllers (DCs), and the file server hosting the profile.

  1. Initial Winlogon.exe Phase & Credential Acquisition:
    • The process begins when the user initiates logon, typically by pressing the Secure Attention Sequence (SAS), Ctrl+Alt+Del.80
    • Winlogon.exe detects the SAS, switches to the secure Winlogon desktop, and launches LogonUI.exe.80
    • LogonUI.exe enumerates and loads registered Credential Providers (e.g., password provider in authui.dll, smart card provider).79
    • The relevant Credential Provider presents its user interface tile(s) and securely collects the user's credentials (e.g., username and password).79
    • The collected credentials are securely passed back from the Credential Provider (via LogonUI.exe) to Winlogon.exe.79
  2. Authentication (LSASS.exe):
    • Winlogon.exe makes a call to the LsaLogonUser function, passing the collected credentials to the Local Security Authority Subsystem Service (lsass.exe) for verification.80
    • lsass.exe identifies the appropriate authentication package based on the logon type (typically Kerberos for domain logons).80
    • Kerberos Authentication Flow:80
      • The client's lsass.exe process acts as the Kerberos client. It sends an Authentication Service Request (AS-REQ) to the Key Distribution Center (KDC) service (running within lsass.exe on a DC) for the target domain.
      • The KDC verifies the user's credentials against Active Directory. If valid, it returns an Authentication Service Reply (AS-REP) containing a Ticket-Granting Ticket (TGT) encrypted with the user's password hash.
      • The client lsass.exe decrypts the TGT and caches it. It then sends a Ticket-Granting Service Request (TGS-REQ), presenting the TGT, to the KDC. This request asks for service tickets for necessary resources:
        • The Domain Controller's LDAP service (Service Principal Name - SPN: ldap/<DC_FQDN>) for subsequent AD queries.
        • The File Server's CIFS (SMB) service (SPN: cifs/<FileServer_FQDN>) for accessing the profile share.
      • The KDC validates the TGT and issues a Ticket-Granting Service Reply (TGS-REP) containing the requested service tickets, encrypted with session keys.
    • NTLM Fallback: While Kerberos is preferred, NTLM challenge/response might be attempted if Kerberos fails, although accessing domain resources like the profile path typically requires successful Kerberos authentication.80
    • Upon successful authentication by the chosen package, lsass.exe creates a logon session for the user and generates their access token. This token encapsulates the user's SID, group SIDs, and privileges. lsass.exe returns a success status and a handle to the logon session/token back to Winlogon.exe.80
  3. User Profile Service (ProfSvc) Invocation:
    • Following successful authentication, Winlogon.exe signals the User Profile Service (ProfSvc) to proceed with loading the user's profile49 (Implicit interaction).
  4. User Object & Profile Path Retrieval (LDAP):
    • ProfSvc, requiring the location and type of the user's profile, initiates an LDAP query to a Domain Controller85 (Implicit step). The specific DC is found via the DC Locator process (DNS queries for SRV records).
    • The LDAP connection is established using an authenticated bind, leveraging the user's Kerberos credentials (the LDAP service ticket obtained during authentication).85
    • An LDAP search request is sent, typically targeting the user's domain partition (e.g., DC=contoso,DC=com), with a filter to identify the user object (e.g., (&(objectCategory=person)(objectClass=user)(sAMAccountName=<username>))).
    • The request specifies the attributes to retrieve, critically including objectSid and profilePath. Other relevant attributes like scriptPath might also be requested.30
    • The DC's lsass.exe (hosting the NTDS service) processes the query against the Active Directory database (ntds.dit) and returns the requested attributes to the client's ProfSvc.
  5. Profile Path Resolution & Type Determination:
    • ProfSvc parses the retrieved profilePath attribute value (e.g., \\FileServer2\Mandatory$\CorpStd or \\FileServer2\Mandatory$\CorpStd.man).
    • It determines the profile type based on the path and file existence checks:
      • If profilePath is empty or not set, it defaults to a local profile.
      • If profilePath ends with .man, it's identified as Super-Mandatory.25 ProfSvc checks accessibility; if the path is unavailable, logon is terminated.
      • If profilePath does not end with .man, ProfSvc resolves the full path including the OS-specific version suffix (e.g., \\FileServer2\Mandatory$\CorpStd.V6). It then checks for the existence of NTUSER.MAN within that directory.2 If NTUSER.MAN is found, the profile is identified as Mandatory. If the path is inaccessible, ProfSvc attempts to use a locally cached version (if caching is enabled); otherwise, it proceeds to create a temporary profile.28
      • If NTUSER.DAT is found instead of NTUSER.MAN, it's identified as Roaming.
    • Internal flags corresponding to the profile type (e.g., PT_MANDATORY, PT_TEMPORARY) are set, likely reflected in the Flags and State values under HKLM\...\ProfileList\<User_SID>.93
  6. Profile Download/Copy:
    • For a Mandatory or Super-Mandatory profile, ProfSvc initiates an SMB connection to the file server and share specified by the resolved profile path (e.g., \\FileServer2\Mandatory$\CorpStd.V6)77 (Implicit).
    • Authentication to the file server occurs using the user's Kerberos service ticket for the cifs SPN (obtained during authentication) or NTLM fallback.85
    • ProfSvc performs file copy operations:
      • Source: Contents of the server-side mandatory profile folder (\\FileServer2\Mandatory$\CorpStd.V6\*).
      • Destination: The local user profile directory (C:\Users\Username). A temporary staging directory might be used first to ensure atomicity before committing to the final path.
      • The NTUSER.MAN file from the server share is copied to the local profile directory and renamed to NTUSER.DAT77 (Implicit).
      • All other files and folders within the server profile template (AppData\Roaming, Desktop, etc.) are copied to the corresponding locations in the local profile directory.
    • File Locking Behavior: The NTUSER.MAN file on the server share is accessed for reading during the copy operation but is typically not held open with an exclusive lock by the client throughout the session77 (Inferred). This allows multiple users to concurrently download the same mandatory profile template at logon. The enforcement of the mandatory state relies on the read-only nature of persistence (discarding changes at logoff), not on locking the source file.
  7. Local Profile Initialization:
    • ProfSvc invokes the LoadUserProfile API (or an internal equivalent) provided by userenv.dll.92
    • LoadUserProfile internally calls functions like RegLoadKey (from advapi32.dll or kernel equivalents) to load the locally copied NTUSER.DAT hive file into the registry under the HKEY_USERS\<User_SID> key.95
    • The system establishes the HKEY_CURRENT_USER (HKCU) alias, linking it to HKEY_USERS\<User_SID>.1
    • ProfSvc may perform additional initialization steps, ensuring standard profile directories exist and potentially applying initial security descriptors.
  8. Environment Setup & Shell Launch:
    • The Group Policy Client service (gpsvc) is triggered to apply User Configuration GPOs. Policies are processed based on the user's location in AD and linked GPOs.89
    • Winlogon.exe starts the Userinit.exe process.53
    • Userinit.exe executes its initialization sequence53:
      • Reads and establishes the user's environment variables (system + HKCU\Environment).
      • Executes assigned logon scripts (GPO-defined or from scriptPath attribute).
      • Restores persistent network drive mappings defined in the profile.
      • Reads the shell path from HKLM\...\Winlogon\Shell (typically explorer.exe).
      • Launches explorer.exe (or the specified shell) under the user's security context, inheriting the established environment.
      • Userinit.exe terminates.
  9. Mandatory Profile Enforcement (Logoff/Session Behavior):
    • Mechanism: During the user's session, changes are made to the local copy of the profile (registry, files). At logoff, ProfSvc checks the profile type. Because it was loaded from a source containing NTUSER.MAN (or identified via flags/state), it intentionally skips the synchronization phase where changes would normally be uploaded back to the server share.1 This effectively discards all changes made during the session.
    • Local Cache Handling: The fate of the local profile directory (C:\Users\Username) at logoff depends on policy:
      • Default Behavior: The local cache is typically retained after logoff. However, at the next logon, it is overwritten by a fresh copy from the server's mandatory profile template.24 This allows for potential offline logon using the (potentially stale) cached mandatory profile if the server is unavailable.24
      • With "Delete cached copies..." GPO Enabled: If the Computer Configuration\Policies\Administrative Templates\System\User Profiles\Delete cached copies of roaming profiles GPO is enabled, ProfSvc will actively delete the entire local profile directory (C:\Users\Username) during the logoff process.24 This prevents offline logon using the cache and ensures no residual data remains, but requires a full profile download at every logon.
  10. Process/Module Responsibility Mapping Summary:
    • Authentication: Winlogon.exe, LogonUI.exe, Credential Providers, lsass.exe (Client & DC), Kerberos/NTLM DLLs.
    • LDAP Query: ProfSvc (via userenv.dll/profapi.dll, using wldap32.dll) -> DC lsass.exe (NTDS).
    • Profile Type Check: ProfSvc (using userenv.dll APIs like GetProfileType).
    • SMB Copy: ProfSvc (initiator) -> Client SMB Redirector (mrxsmb.sys) -> Server LanmanServer service & srv2.sys/srv.sys driver.
    • Registry Load: ProfSvc (via userenv.dll API LoadUserProfile) -> advapi32.dll (RegLoadKey).
    • GPO Application: gpsvc.
    • Environment/Scripts/Shell Launch: Userinit.exe.
    • Logoff Change Discard: ProfSvc (by skipping sync based on mandatory flag).
    • Cache Deletion: ProfSvc (if GPO enabled).

6. Server-Side Processes and Interactions (Mandatory Profile Context)

The successful loading of a mandatory profile relies on specific processes and services running on both the Domain Controller(s) and the File Server hosting the profile share.

6.1 Domain Controller (DC):

  • lsass.exe: This core process hosts multiple critical services involved in the logon and profile retrieval process:
    • Kerberos Key Distribution Center (KDC) Service: Responsible for authenticating users and computers within the domain. During logon, it receives AS-REQ messages from the client, validates credentials against AD, and issues Ticket-Granting Tickets (TGTs) in AS-REP messages. It subsequently receives TGS-REQ messages (containing the TGT) from the client and issues Service Tickets (encrypted session keys) for specific services like the DC's own LDAP service and the file server's CIFS service, returning these in TGS-REP messages.85
    • LDAP Service (Active Directory Domain Services - NTDS): Listens for LDAP requests (typically on TCP ports 389 and 636). It receives the authenticated LDAP search request from the client's ProfSvc, parses the query (filter, base DN, requested attributes), accesses the Active Directory database (ntds.dit), retrieves the required user object attributes (including profilePath, objectSid), and sends the results back to the client.85

6.2 File Server (hosting the mandatory profile share):

  • srv2.sys / srv.sys: These are the kernel-mode file server drivers responsible for handling the Server Message Block (SMB) protocol (SMB 2/3 handled by srv2.sys, legacy SMB 1 by srv.sys). They receive SMB requests from the client's redirector (mrxsmb.sys/mrxsmb20.sys), process commands like file reads, directory listings, and session management, interact with the underlying NTFS file system to access the profile data, and send SMB responses back to the client.126
  • LanmanServer Service (Server Service): A user-mode service (srvsvc.dll hosted in services.exe or svchost.exe) that manages file shares and server-side aspects of SMB sessions. It works in conjunction with lsass.exe to handle incoming connection requests, authenticate the user attempting to access the share (validating the provided Kerberos service ticket or NTLM credentials), enforce share-level permissions, and authorize access to the specific files and directories within the share based on their NTFS Access Control Lists (ACLs).126

6.3 Network Interaction Sequence (Mandatory Profile Logon):

  1. Client -> DC (Authentication - Kerberos): Client lsass.exe performs AS-REQ/AS-REP and TGS-REQ/TGS-REP exchanges with DC lsass.exe (KDC) to obtain a TGT and service tickets for LDAP (DC) and CIFS (File Server).
  2. Client -> DC (Profile Path Lookup - LDAP): Client ProfSvc uses the LDAP service ticket to bind to the DC's LDAP service (hosted by DC lsass.exe) and sends a search request for the user's profilePath attribute. The DC processes the request and returns the path.
  3. Client -> File Server (Profile Download - SMB):
    • Client ProfSvc initiates an SMB connection request to the file server specified in the profilePath.
    • The client presents the CIFS service ticket to the File Server's LanmanServer service / lsass.exe for authentication.
    • The File Server validates the ticket and checks share permissions for the user.
    • The client sends SMB commands (e.g., SMB2 CREATE, SMB2 READ) via its redirector (mrxsmb20.sys) to request the contents of the mandatory profile folder (e.g., CorpStd.V6).
    • The File Server's LanmanServer checks NTFS permissions for each requested file/directory.
    • If authorized, the srv2.sys driver reads the data from the file system (NTFS).
    • srv2.sys sends the file data back to the client via SMB responses.
  4. Client (Profile Load & Session Init): Client loads the profile locally, applies GPOs (potentially contacting DC again), runs scripts (potentially contacting DC/Netlogon share), and launches the shell.
  5. Client -> File Server (Logoff): No profile data is uploaded back to the file server due to the mandatory profile type. The SMB session is simply terminated.

This sequence highlights the critical dependence on network connectivity and the availability and correct functioning of services on both the Domain Controller (KDC, LDAP) and the File Server (SMB, Permissions) for mandatory profile logons to succeed. Troubleshooting often requires examining logs and network traces between these three components (Client, DC, File Server).

Works cited

  1. About User Profiles (Windows) - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/bb776892(v=vs.85)
  2. Where Is the Windows Registry Stored - Ultimate Systems Blog, accessed May 9, 2025, https://blog.usro.net/2024/10/where-is-the-windows-registry-stored/
  3. Information About Windows Registry - HACKLIDO, accessed May 9, 2025, https://hacklido.com/blog/51-information-about-windows-registry
  4. windows-itpro-docs/windows/client-management/client-tools/mandatory-user-profile.md at public - GitHub, accessed May 9, 2025, https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/client-management/client-tools/mandatory-user-profile.md
  5. What is mandatory profile - Microsoft Community, accessed May 9, 2025, https://answers.microsoft.com/en-us/windows/forum/all/what-is-mandatory-profile/2b594ca1-d3a5-4f2a-8ef7-4bee3c0e50dc
  6. Windows 10 Application Log Event ID 1542 No start button/Windows - Microsoft Community, accessed May 9, 2025, https://answers.microsoft.com/en-us/windows/forum/windows_10-start/windows-10-application-log-event-id-1542-no-start/babcf9c5-937a-43cd-87c0-8cb470b3bfac?page=3
  7. Where does the USrClass.dat file get its information from when a profile is created?, accessed May 9, 2025, https://answers.microsoft.com/en-us/windows/forum/all/where-does-the-usrclassdat-file-get-its/57814d82-9d8d-4d4e-8941-c8c8d8b9b0b9
  8. Profile loading fails - Windows Server | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/desktop-location-unavailable
  9. Difference between Local, Locallow, Roaming folder. - Microsoft Community, accessed May 9, 2025, https://answers.microsoft.com/en-us/windows/forum/all/difference-between-local-locallow-roaming-folder/5f46d671-9303-4260-8226-82f5d4e509cc
  10. Why are there directories called Local, LocalLow, and Roaming under \Users\
  11. KNOWNFOLDERID (Knownfolders.h) - Win32 apps | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/win32/shell/knownfolderid
  12. User Shell Folders - Armour Infosec, accessed May 9, 2025, https://www.armourinfosec.com/user-shell-folders/
  13. How to manually change the default location of user files in Windows - Geeks in Phoenix, accessed May 9, 2025, https://www.geeksinphoenix.com/blog/post/2023/02/26/how-to-manually-change-the-default-location-of-user-files-in-windows
  14. KNOWNFOLDERID | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/previous-versions/bb762584(v=vs.85)
  15. Disabled roaming profiles but APPDATA is still pointing to the roaming location instead of local - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/answers/questions/721945/disabled-roaming-profiles-but-appdata-is-still-poi
  16. Credentials from Password Stores: Windows Credential Manager, Sub-technique T1555.004 - Enterprise | MITRE ATT&CK®, accessed May 9, 2025, https://attack.mitre.org/techniques/T1555/004/
  17. Where are ALL locations of Start Menu folders in Windows 10? - Super User, accessed May 9, 2025, https://superuser.com/questions/960406/where-are-all-locations-of-start-menu-folders-in-windows-10
  18. CSIDL (Shlobj.h) - Win32 apps | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/win32/shell/csidl
  19. Configure Startup Applications in Windows - Microsoft Support, accessed May 9, 2025, https://support.microsoft.com/en-us/windows/configure-startup-applications-in-windows-115a420a-0bff-4a6f-90e0-1934c844e473
  20. Understanding the Taskbar: Key Features and Functions Explained - Lenovo, accessed May 9, 2025, https://www.lenovo.com/us/en/glossary/taskbar/
  21. How to Back Up and Restore Your Pinned Taskbar Items on Windows - MakeUseOf, accessed May 9, 2025, https://www.makeuseof.com/windows-back-up-restore-pinned-taskbar-items/
  22. Types of User Profiles: Mandatory Profile [Breakdown] – Ivanti, accessed May 9, 2025, https://www.ivanti.com/blog/profile-series-mandatory-profile-gotchas
  23. learn.microsoft.com, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/win32/shell/mandatory-user-profiles#:~:text=A%20mandatory%20user%20profile%20is,when%20the%20user%20logs%20off.
  24. Are Mandatory User Profiles Deleted at Logoff - or Cached? - Helge Klein, accessed May 9, 2025, https://helgeklein.com/blog/are-mandatory-user-profiles-deleted-at-logoff-or-cached/
  25. Creating a mandatory profile on Windows 10 1803 – james-rankin.com, accessed May 9, 2025, https://james-rankin.com/articles/creating-a-mandatory-profile-on-windows-10-1803/
  26. Roaming user profile - Wikipedia, accessed May 9, 2025, https://en.wikipedia.org/wiki/Roaming_user_profile
  27. Folder Redirection, Offline Files, and Roaming User Profiles overview | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview
  28. Create mandatory user profiles | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/client-management/client-tools/mandatory-user-profile
  29. Mandatory User Profiles (Windows) | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/bb776895(v=vs.85)
  30. Deploy roaming user profiles | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles
  31. mandatory user profile in The Network Encyclopedia, accessed May 9, 2025, http://www.thenetworkencyclopedia.com/entry/mandatory-user-profile/
  32. How to Fix Temporary Profile in Windows - Fortect, accessed May 9, 2025, https://www.fortect.com/how-to-guides/how-to-fix-temporary-profile-in-windows/
  33. Windows 10 Reports That You Are On a Temporary Profile | Dell US, accessed May 9, 2025, https://www.dell.com/support/kbdoc/en-us/000134012/windows-10-reports-you-are-on-a-temporary-profile
  34. Local Profile vs. Roaming Profile: Advantages and Disadvantages, accessed May 9, 2025, https://www.itsasap.com/blog/local-vs-roaming-profile
  35. Group Policy: Automatically Delete User Profiles Older Than Certain Number of Days Win 10 not working. - Microsoft Q&A, accessed May 9, 2025, https://learn.microsoft.com/en-us/answers/questions/441800/group-policy-automatically-delete-user-profiles-ol
  36. LocalAppData Roaming - Microsoft Q&A, accessed May 9, 2025, https://learn.microsoft.com/en-us/answers/questions/282423/localappdata-roaming
  37. Profile Management use cases - Citrix Product Documentation, accessed May 9, 2025, https://docs.citrix.com/en-us/profile-management/2402-ltsr/how-it-works/use-cases.html
  38. Customize default local user profile - Windows Client | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/customize-default-local-user-profile
  39. Fix You've been signed in with a temporary profile in Windows 10, accessed May 9, 2025, https://www.tenforums.com/tutorials/48012-fix-youve-been-signed-temporary-profile-windows-10-a.html
  40. Mandatory Profiles - The Good, the Bad and the Ugly - Helge Klein, accessed May 9, 2025, https://helgeklein.com/blog/mandatory-profiles-the-good-the-bad-and-the-ugly/
  41. Create mandatory user profiles | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/client-management/mandatory-user-profile
  42. User profile management for Azure Virtual Desktop with FSLogix profile containers, accessed May 9, 2025, https://learn.microsoft.com/en-us/azure/virtual-desktop/fslogix-profile-containers
  43. How do I find the pic I'm using for my desktop background : r/Windows10 - Reddit, accessed May 9, 2025, https://www.reddit.com/r/Windows10/comments/107x7gg/how_do_i_find_the_pic_im_using_for_my_desktop/
  44. How to Find Your Current Desktop Wallpaper's File Location in Windows 11 - MakeUseOf, accessed May 9, 2025, https://www.makeuseof.com/find-desktop-wallpapers-file-location-windows-11/
  45. Windows background apps and your privacy - Microsoft Support, accessed May 9, 2025, https://support.microsoft.com/en-us/windows/windows-background-apps-and-your-privacy-83f2de44-d2d9-2b29-4649-2afe0913360a
  46. What background processes are okay to close - Microsoft Community, accessed May 9, 2025, https://answers.microsoft.com/en-us/windows/forum/all/what-background-processes-are-okay-to-close/dafa0090-ce1a-4268-878a-179ab7f9758f
  47. Customize the Taskbar in Windows - Microsoft Support, accessed May 9, 2025, https://support.microsoft.com/en-us/windows/customize-the-taskbar-in-windows-0657a50f-0cc7-dbfd-ae6b-05020b195b07
  48. How to Access and Manage the AppData Folder in Windows 10 and 11? - SmartWindows, accessed May 9, 2025, https://smartwindows.app/blog/how-to-access-and-manage-the-appdata-folder-in-windows-10-and-11/
  49. How do i fix "the user profile service failed the sign in" without logging into an account?, accessed May 9, 2025, https://learn.microsoft.com/en-us/answers/questions/1635289/how-do-i-fix-the-user-profile-service-failed-the-s
  50. Customize The Start Layout For Managed Windows Devices | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/configuration/start/layout
  51. Troubleshoot Start menu errors - Windows Client | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors
  52. What was new in 19H1 Windows 10 Insider Preview Builds - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows-insider/archive/new-in-19h1
  53. What does userinit.exe do? - Server Fault, accessed May 9, 2025, https://serverfault.com/questions/411189/what-does-userinit-exe-do
  54. Files and Folders Located on a Mapped Drive Become Unselected, accessed May 9, 2025, https://support.carbonite.com/articles/Server-Windows-Files-and-Folders-Located-on-a-Mapped-Drive-Become-Unselected
  55. Can I rearrange drive letters of my mapped network drives? - Super User, accessed May 9, 2025, https://superuser.com/questions/916326/can-i-rearrange-drive-letters-of-my-mapped-network-drives
  56. How to Find Mapped Drives in a Remote PC Registry - Small Business - Chron.com, accessed May 9, 2025, https://smallbusiness.chron.com/mapped-drives-remote-pc-registry-57951.html
  57. How to Map a Network Drive: A Step-by-Step Guide - Lansweeper, accessed May 9, 2025, https://www.lansweeper.com/blog/itam/how-to-map-a-network-drive-a-step-by-step-guide/
  58. How to Check a Registry Key for a Printer on Your Computer - Small Business - Chron.com, accessed May 9, 2025, https://smallbusiness.chron.com/check-registry-key-printer-computer-57663.html
  59. Installed Printers via Registry | Detection - Insider Threat Matrix, accessed May 9, 2025, https://insiderthreatmatrix.org/detections/DT006
  60. Best practices for configuring Windows Print Servers - PaperCut, accessed May 9, 2025, https://www.papercut.com/kb/Main/PrintQueueSetUpOnWindows/
  61. Fix printer connection and printing problems in Windows - Microsoft Support, accessed May 9, 2025, https://support.microsoft.com/en-us/windows/fix-printer-connection-and-printing-problems-in-windows-fb830bff-7702-6349-33cd-9443fe987f73
  62. Get Environment Variable - N-able, accessed May 9, 2025, https://documentation.n-able.com/N-central/userguide/Content/Automation/Objects/System/GetEnvironmentVariable.htm
  63. Environment Variables and Windows 10 – 3SL Blog – Threesl.com, accessed May 9, 2025, https://www.threesl.com/blog/environment-variables-windows-10/
  64. about_Environment_Variables - PowerShell | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_environment_variables?view=powershell-7.5
  65. Setting Env Variables in Windows, Linux & MacOS: Beginner's Guide - Configu, accessed May 9, 2025, https://configu.com/blog/setting-env-variables-in-windows-linux-macos-beginners-guide/
  66. Implementing the Basic Folder Object Interfaces - Win32 apps | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/win32/shell/nse-implement
  67. CBFS Shell | Windows Shell Virtual Folders - Callback Technologies, accessed May 9, 2025, https://www.callback.com/cbfsshell
  68. Cached and Stored Credentials Technical Overview - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)
  69. Considerations and known issues when using Credential Guard - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues
  70. Windows Credential Manager (recommended) - DigiCert Docs, accessed May 9, 2025, https://docs.digicert.com/en/digicert-keylocker/overview/secure-credentials/set-up-secure-credentials-for-windows/windows-credential-manager.html
  71. script to delete saved password for IE/Edge - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/answers/questions/720237/script-to-delete-saved-password-for-ie-edge
  72. Detection: Windows Credentials Access via VaultCli Module | Splunk Security Content, accessed May 9, 2025, https://research.splunk.com/endpoint/c0d89118-3f89-4cd7-8140-1f39e7210681/
  73. T1555.004 - Credentials from Password Stores: Windows Credential Manager - Atomic Red Team, accessed May 9, 2025, https://www.atomicredteam.io/atomic-red-team/atomics/T1555.004
  74. Credential Manager in Windows - Microsoft Support, accessed May 9, 2025, https://support.microsoft.com/en-us/windows/credential-manager-in-windows-1b5c916a-6a16-889f-8581-fc16e8165ac0
  75. Unsupported DFS-R and DFS-N deployment scenario - Windows Server | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/support-policy-for-dfsr-dfsn-deployment
  76. Profile Management 7.15 - Citrix Product Documentation, accessed May 9, 2025, https://docs.citrix.com/en-us/profile-management/downloads/profile-management-7-15.pdf
  77. windows 10: create local mandatory (unchangeable) user profile, accessed May 9, 2025, https://superuser.com/questions/1190789/windows-10-create-local-mandatory-unchangeable-user-profile
  78. List of Microsoft Windows components – Wikipedia, accessed May 9, 2025, https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_components
  79. Credentials Processes in Windows Authentication - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication
  80. Microsoft Windows Security, accessed May 9, 2025, https://www.microsoftpressstore.com/articles/article.aspx?p=2228450&seqNum=8
  81. Windows Credential Provider - LDAPWiki, accessed May 9, 2025, https://ldapwiki.com/wiki/Wiki.jsp?page=Windows%20Credential%20Provider
  82. MSGina.dll Features - Win32 apps | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/win32/secauthn/msgina-dll-features
  83. Boot or Logon Initialization Scripts: Logon Script (Windows), Sub-technique T1037.001, accessed May 9, 2025, https://attack.mitre.org/techniques/T1037/001/
  84. How User Account Control works | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works
  85. How to troubleshoot high Lsass.exe CPU utilization on Active Directory Domain Controllers, accessed May 9, 2025, https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/troubleshoot-high-lsass.exe-cpu-utilization
  86. Troubleshooting High LSASS CPU Utilization on a Domain Controller (Part 1 of 2), accessed May 9, 2025, https://techcommunity.microsoft.com/blog/askds/troubleshooting-high-lsass-cpu-utilization-on-a-domain-controller-part-1-of-2/394888
  87. Please wait for the user profile service problem - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/answers/questions/1659194/please-wait-for-the-user-profile-service-problem
  88. Essential Windows Services: User Profile Service / ProfSvc | The Core Technologies Blog, accessed May 9, 2025, https://www.coretechnologies.com/blog/windows-services/profsvc/
  89. Applying Group Policy troubleshooting guidance - Windows Server | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/applying-group-policy-troubleshooting-guidance
  90. Group Policy Client service failed the logon. Access denied. - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/answers/questions/35476/group-policy-client-service-failed-the-logon-acces
  91. CreateProfile function (userenv.h) – Win32 apps - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/win32/api/userenv/nf-userenv-createprofile
  92. GetProfileType function (userenv.h) - Win32 apps | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/win32/api/userenv/nf-userenv-getprofiletype
  93. GetAllUsersProfileDirectoryA function (userenv.h) – Win32 apps | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/win32/api/userenv/nf-userenv-getallusersprofiledirectorya
  94. LoadUserProfileA function (userenv.h) – Win32 apps | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/win32/api/userenv/nf-userenv-loaduserprofilea
  95. FSlogix Black Screen - Microsoft Q&A, accessed May 9, 2025, https://learn.microsoft.com/en-us/answers/questions/414883/fslogix-black-screen
  96. Internet explorer crashing for few users - Microsoft Q&A, accessed May 9, 2025, https://learn.microsoft.com/en-us/answers/questions/466589/internet-explorer-crashing-for-few-users
  97. Windows 10 DLL File Information - profapi.dll - NirSoft, accessed May 9, 2025, https://windows10dll.nirsoft.net/profapi_dll.html
  98. profapi.dll - Windows 7 DLL File Information, accessed May 9, 2025, https://www.win7dll.info/profapi_dll.html
  99. Winlogon and GINA - Win32 apps | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/win32/secauthn/winlogon-and-gina
  100. GINA - Win32 apps | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/win32/secauthn/gina
  101. Windows registry information for advanced users - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users
  102. In the Windows Registry under ProfileList key there are subkeys for - Microsoft Community, accessed May 9, 2025, https://answers.microsoft.com/en-us/windows/forum/all/in-the-windows-registry-under-profilelist-key/63d22f5f-5b65-4267-ad06-f34e6eb86fd8
  103. accessed January 1, 1970, https://social.technet.microsoft.com/wiki/contents/articles/1120.user-profile-service-event-id-1509-error-detail-the-system-cannot-find-the-file-specified.aspx
  104. accessed January 1, 1970, https://social.technet.microsoft.com/Forums/windows/en-US/708707f1-78fa-4c1e-adf1-916e2d8848d7/meaning-of-profilelist-state-flags?forum=w7itprogeneral
  105. Why does my Windows roaming profile always change to a local profile on a particular PC?, accessed May 9, 2025, https://superuser.com/questions/1857066/why-does-my-windows-roaming-profile-always-change-to-a-local-profile-on-a-partic
  106. Set roaming profile path for all users – Windows Server | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-roaming-profile-path-all-users-applies-all-acccounts
  107. 'You Have Been Logged On With a Temporary Profile' when all profiles have been redirected to a specific location - Weird & Wonderful IT, accessed May 9, 2025, https://www.craig-tolley.co.uk/2015/02/26/you-have-been-logged-on-with-a-temporary-profile-when-all-profiles-have-been-redirected-to-a-specific-location/
  108. Scripts to clean profile folder and prevent TEMP user profile creation - Windows Server, accessed May 9, 2025, https://learn.microsoft.com/en-us/troubleshoot/windows-server/support-tools/scripts-to-cleanup-profile-folder-information-and-prevent-temp-user-profiles-from-being-created
  109. Registry keys are not created via Powershell - Microsoft Q&A, accessed May 9, 2025, https://learn.microsoft.com/en-us/answers/questions/1667241/registry-keys-are-not-created-via-powershell
  110. New files copied, old files not deleted during roaming profile login - Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/answers/questions/2189009/new-files-copied-old-files-not-deleted-during-roam?forum=windowserver-all&referrer=answers
  111. ADMX_UserProfiles Policy CSP | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-userprofiles
  112. Weird user profile folders in C:/Users - can I delete them? - Microsoft Community, accessed May 9, 2025, https://answers.microsoft.com/en-us/windows/forum/all/weird-user-profile-folders-in-cusers-can-i-delete/6c965099-2046-417a-af70-3c951b443247
  113. Share and NTFS Permissions - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/iis/web-hosting/configuring-servers-in-the-windows-web-platform/configuring-share-and-ntfs-permissions
  114. Secure | Profile Management 2503 - Citrix Product Documentation, accessed May 9, 2025, https://docs.citrix.com/en-us/profile-management/current-release/secure.html
  115. Permissions required for secure roaming profiles & redirected folders – ITProMentor, accessed May 9, 2025, https://www.itpromentor.com/profile-permission/
  116. Secure | Profile Management 2411 - Citrix Product Documentation, accessed May 9, 2025, https://docs.citrix.com/en-us/profile-management/current-release/secure
  117. Roaming Windows User Profiles - SambaWiki, accessed May 9, 2025, https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
  118. how to enable roaming profile user sign in only one system - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/answers/questions/2185071/how-to-enable-roaming-profile-user-sign-in-only-on
  119. Access Control Overview | Microsoft Learn, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/access-control
  120. Mandatory profiles NTFS rights – Ivanti Community, accessed May 9, 2025, https://forums.ivanti.com/s/question/0D51B00005BxoOYSAZ/mandatory-profiles-ntfs-rights?language=en_US
  121. Sample Chapters from Windows Internals, Sixth Edition, Part 1 - Download Center, accessed May 9, 2025, https://download.microsoft.com/download/1/4/0/14045a9e-c978-47d1-954b-92b9fd877995/97807356648739_samplechapters.pdf
  122. Security Briefs: Customizing GINA, Part 2 - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/archive/msdn-magazine/2005/june/security-briefs-customizing-gina-part-2
  123. RegLoadKey • Win32 Programmer's Reference, accessed May 9, 2025, http://winapi.freetechsecrets.com/win32/WIN32RegLoadKey.htm
  124. RegLoadAppKeyA function (winreg.h) - Win32 apps - Learn Microsoft, accessed May 9, 2025, https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regloadappkeya
  125. Critical "SMBleed", Vulnerability: Why Should You Be Worried? - FireCompass, accessed May 9, 2025, https://www.firecompass.com/critical-smbleed-vulnerability-smbghost-risk-analysis/
  126. The Srv2.sys breaks when the computer responds to the SMB client in Windows Server 2012 R2 - Microsoft Support, accessed May 9, 2025, https://support.microsoft.com/en-us/topic/the-srv2-sys-breaks-when-the-computer-responds-to-the-smb-client-in-windows-server-2012-r2-e2771056-93d1-7346-0629-0fb9519d0a0b