Windows: User account

Windows requires a user account for someone that accesses a Windows system.
User accounts are stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
More sensitive information (such as passwords) is stored in the registry under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account
A list of the names of the users of a Windows installation is found under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names
Windows treats user names case insensitively:
Microsoft views case-sensitivity as an unnecessary burden on the administrator that can lead to mistakes.

Opening the user account window in a command line

The user account window (= Control Panel applet?) can be opened from the command line (cmd.exe or PowerShell) like so:
C:\> control.exe userpasswords

Logging in

A user is authenticated by either
At least when logging in with a domain, a user's logon time is recorded and can be queried with net user USERNAME /domain.

Creating access tokens

When a user logs in, Windows (the Local Security Authority Subsystem lsass.exe) creates a logon session and an access token for this user.
If this user is an administrator, an additional (second) access token is created. Thus, an administrator session has two access tokens: a standard user access token and an administrator access token.

Load the user's registry hive

Windows loads the user's registry hive which is stored in %UserProfile%\NTUSER.DAT and places it under the registry key HKEY_CURRENT_USER.
It also updates the hives that are stored under %SYSTEMROOT%\System32\config.
The following registry keys are parsed for applications and commands to run when the system boots up and a user logs in:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runonce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
The 2nd and 4th keys are not run when another user logs in after the first one (see KB 137367).
Apparently, before (?) explorer.exe is started, the (Active-X ?) components under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components are loaded.
When a user logs on, the relevant Group Policy Objects are applied.
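As an added example (not part of the original notes), the following PowerShell script enumerates the six Run/RunOnce locations listed above plus the Active Setup components, so the autostart entries of a machine can be baselined and unexpected additions spotted. It assumes Windows PowerShell 5.1 or later; note that the "Windows NT\CurrentVersion\Windows\Run" entry is a registry value rather than a subkey, which the script handles by falling back to the parent key.

```powershell
# Added example, not from the original notes: list autostart entries from the
# registry locations named above (HKLM/HKCU Run, RunOnce, Policies\Explorer\Run)
# and from Active Setup, as a baseline for spotting unexpected autostarts.

$autostartPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run',   # a value, not a key
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntry {
    foreach ($path in $autostartPaths) {
        if (Test-Path -LiteralPath $path) {
            # Normal case: the path is a key and every value under it is a command to run
            $key = Get-Item -LiteralPath $path
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Location = $path; Name = $name; Command = $key.GetValue($name) }
            }
        }
        else {
            # Fallback: the last path component may be a value on the parent key
            # (this is the case for ...\Windows NT\CurrentVersion\Windows\Run)
            $parent = Split-Path -Path $path -Parent
            $leaf   = Split-Path -Path $path -Leaf
            if (Test-Path -LiteralPath $parent) {
                $value = (Get-Item -LiteralPath $parent).GetValue($leaf)
                if ($value) {
                    [pscustomobject]@{ Location = $parent; Name = $leaf; Command = $value }
                }
            }
        }
    }

    # Active Setup: each component's StubPath value is run once per user
    # before explorer.exe starts for that user
    $activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    foreach ($comp in Get-ChildItem -LiteralPath $activeSetup -ErrorAction SilentlyContinue) {
        $stub = $comp.GetValue('StubPath')
        if ($stub) {
            [pscustomobject]@{ Location = $comp.Name; Name = 'StubPath'; Command = $stub }
        }
    }
}

Get-AutostartEntry | Format-Table -AutoSize -Wrap
```

Run the script once on a freshly installed machine and save the output; diffing later runs against that baseline shows which entries were added by software installations or by something less welcome. The HKCU locations are only those of the user running the script; to cover other users, load their NTUSER.DAT hives under HKEY_USERS first.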

Start explorer.exe

explorer.exe is started with the created (standard user) access token.
explorer.exe then becomes (directly and indirectly) the parent process for all user-initiated processes.

Automatically starting apps

The Windows settings ms-settings:startupapps can be used to configure which apps are automatically started up when a user logs in.

Logging out

The current user can log him/herself out on the command line with
C:\> shutdown /L

TODO

During the logon process, the Group Policy engine loads fdeploy.dll.

Adding users

First user

When Windows is installed, a user is also created.
This first user will belong to the Administrators group. So, the user has the highest set of privileges (but still doesn't seem able to open HKLM\SAM or HKLM\SECURITY).

Additional users

Additional users can be created on the command line with
net user USERNAME PASSWORD /add

SID

A user's SID always starts with S-1-5-21-… and has an RID (last part of SID) that is greater or equal to 1000.
A user can query his SID with
whoami /user

Administrator accounts vs standard accounts

Each account is either an
The administrator account has full (in Linux parlance: root) access over all resources that are controlled by the local server. Such an account is needed, for example, to
This account's SID is S-1-5-domain-500 and has the display name Administrator.
At least in Windows, the administrator account is hidden by default.
A standard user account can be further divided into
In order to see which accounts belong to the users and to the administrators group, net localgroup can be used:
C:\> net localgroup Users
C:\> net localgroup Administrators
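The following PowerShell script is an added example (not from the original notes) that covers both the SID section and the net localgroup commands above: it lists the members of the local Users and Administrators groups, decodes each member's RID to separate built-in accounts (RID below 1000) from created ones (RID 1000 and above), reports which accounts are in both groups, and compares with the SID that whoami /user reports for the current user. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1, or PowerShell 7 on Windows).

```powershell
# Added example, not from the original notes: audit the local Users and
# Administrators groups and decode the RID of each member's SID.

function Get-RidInfo {
    param([string]$Sid)
    $parts = $Sid -split '-'
    # An account SID has the form S-1-5-21-<a>-<b>-<c>-<RID>: 8 dash-separated parts.
    # Anything else (S-1-1-0 Everyone, S-1-5-32-544 BUILTIN\Administrators, ...) is a well-known SID.
    if ($parts.Count -ne 8 -or ($parts[0..3] -join '-') -ne 'S-1-5-21') {
        return [pscustomobject]@{ Rid = $null; Kind = 'well-known SID' }
    }
    $rid = [int]$parts[7]
    # RIDs below 1000 are reserved (500 Administrator, 501 Guest, 513 Domain Users, ...)
    $kind = if ($rid -ge 1000) { 'created account' } else { 'built-in' }
    [pscustomobject]@{ Rid = $rid; Kind = $kind }
}

function Get-LocalGroupAudit {
    foreach ($group in 'Users', 'Administrators') {
        foreach ($m in Get-LocalGroupMember -Group $group) {
            $info = Get-RidInfo -Sid $m.SID.Value
            [pscustomobject]@{
                Group  = $group
                Member = $m.Name
                Source = $m.PrincipalSource   # Local, ActiveDirectory, MicrosoftAccount, ...
                Sid    = $m.SID.Value
                Rid    = $info.Rid
                Kind   = $info.Kind
            }
        }
    }
}

$audit = Get-LocalGroupAudit
$audit | Format-Table -AutoSize

# Accounts in both groups are administrators: their logon gets the two tokens
# described above, and explorer.exe runs with the filtered (standard user) one.
$both = $audit | Group-Object -Property Sid | Where-Object Count -gt 1 |
        ForEach-Object { $_.Group[0].Member }
"In both Users and Administrators: $($both -join ', ')"

# The current user's SID as whoami /user reports it; CSV output is easier to parse than the table
$mySid = (whoami /user /fo csv | ConvertFrom-Csv).SID
$myRid = (Get-RidInfo -Sid $mySid).Rid
"Current user $mySid -> RID $myRid"
```

The Source column is worth watching: a member whose source is MicrosoftAccount or ActiveDirectory in the Administrators group means the machine's admin rights are tied to credentials managed outside the local SAM.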

Microsoft accounts vs local accounts

An account is either
A Microsoft account is identified with an email address.
A local account exists on one particular computer only.

SYSTEM account

Apparently, processes running under the SYSTEM account (such as SearchFilterHost.exe) cannot access HKEY_CURRENT_USER for logged on users.

TODO

c:\> start ms-settings:otherusers

Query information about the current user with PowerShell

The (DotNet) WindowsIdentity class, located in the System.Security.Principal namespace, represents a Windows user:
PS C:\> [security.principal.windowsIdentity]::getCurrent()
AuthenticationType : Kerberos
ImpersonationLevel : None
IsAuthenticated    : True
IsGuest            : False
IsSystem           : False
IsAnonymous        : False
Name               : FOO\RENE
Owner              : S-1-5-21-1234567890-1234567890-1234567890-969913
User               : S-1-5-21-1234567890-1234567890-1234567890-969913
Groups             : {S-1-5-21-1234567890-1234567890-1234567890-513, S-1-1-0, S-1-5-32-545, S-1-5-4...}
Token              : 1176
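As an added example (not part of the original notes), the following PowerShell function builds on the WindowsIdentity output above and on the two-token model from the "Creating access tokens" section: it reports whether the BUILTIN\Administrators SID is present in the current token at all, and whether the token is actually the elevated one. The two answers differ for an administrator running a non-elevated shell. The function and its property names are this example's own; the .NET classes and members it calls (WindowsIdentity, WindowsPrincipal, WindowsBuiltInRole, SecurityIdentifier, WellKnownSidType) are real.

```powershell
# Added example, not from the original notes: summarise the current access token.
# In the filtered (standard user) token of an administrator, the Administrators
# group is present but marked use-for-deny-only, so IsInRole() reports False
# although the SID shows up in Groups. In the elevated token it is enabled and
# the token's Owner is the Administrators group instead of the user.

function Get-TokenSummary {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)

    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # Translate the SIDs in the token to DOMAIN\name where possible; keep the raw SID otherwise
    $groupNames = foreach ($g in $id.Groups) {
        try { $g.Translate([System.Security.Principal.NTAccount]).Value } catch { $g.Value }
    }

    [pscustomobject]@{
        Name                 = $id.Name
        AuthenticationType   = $id.AuthenticationType
        UserSid              = $id.User.Value
        OwnerSid             = $id.Owner.Value
        AdminSidInToken      = $id.Groups.Contains($adminSid)   # present, enabled or deny-only
        IsElevated           = $principal.IsInRole($adminRole)  # True only for the admin token
        OwnerIsAdministrators = ($id.Owner -eq $adminSid)
        Groups               = $groupNames
    }
}

Get-TokenSummary | Format-List
```

In the output shown above, Owner equals User, which is what the non-elevated token of a user looks like; running the same function from a shell started with "Run as administrator" flips IsElevated and OwnerIsAdministrators to True without changing Name or UserSid.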

User account control

The __COMPAT_LAYER variable.

Special predefined local accounts

Special predefined local accounts (that are not recognized by the security subsystem and don't have a password) are
  • LocalService
  • NetworkService
  • LocalSystem
LocalSystem seems to be the user with the most rights: it includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs.
With these rights, among others, it can access the registry key HKEY_LOCAL_MACHINE\SECURITY.

See also

Enable automatic logon in the registry.
%SystemDrive%\Users\Default
quser.exe displays information about users that are currently logged in.
A user's profile is stored in the directories below %USERPROFILE%.
HKEY_LOCAL_MACHINE\SAM
User account control (UAC)
The values of LastLoggedOnUser and LastLoggedOnSAMUser under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI.
Local users (and groups) can be viewed with lusrmgr.msc.
Change User Access Control (UAC) settings with UserAccountControlSettings.exe.
Netplwiz.exe, the advanced user account control panel.
Privileges can be assigned to or taken away from a user with secpol.msc.
In .NET, a Windows user is represented by the System.Security.Principal.WindowsIdentity class.
The subkeys under the registry hive HKEY_USERS
LogonUI.exe
The .NET class System.Security.Principal.NTAccount
Some information about user accounts can be queried with wmic
c:\> wmic useraccount get name, sid
c:\> wmic useraccount where name='peter' get sid
C:\> wmic useraccount where "localAccount='true'" get caption, disabled, domain, lockout, passwordExpires, SID, status
System Applet Control Panel -> Advanced -> User Profile
The value of User Name under System Summary in msinfo32.exe
The current user, represented as a System.Security.Principal.WindowsIdentity object is returned by that class's GetCurrent() method.
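As an added example (not from the original notes), the wmic useraccount queries listed above expressed with the CIM cmdlets, since wmic is deprecated: the function queries the same Win32_UserAccount class for local accounts and flags the conditions an administrator usually wants to review (enabled accounts whose password never expires, and locked-out accounts). The function name and the Flag column are this example's own.

```powershell
# Added example, not from the original notes: the wmic useraccount queries above
# done with Get-CimInstance, plus a review flag per local account.

function Get-LocalAccountAudit {
    Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE" |
        ForEach-Object {
            $flag = if (-not $_.Disabled -and -not $_.PasswordExpires) {
                        'enabled, password never expires'
                    } elseif ($_.Lockout) {
                        'locked out'
                    } else {
                        ''
                    }
            [pscustomobject]@{
                Name            = $_.Name
                Sid             = $_.SID
                Disabled        = $_.Disabled
                Lockout         = $_.Lockout
                PasswordExpires = $_.PasswordExpires
                Status          = $_.Status
                Flag            = $flag
            }
        }
}

Get-LocalAccountAudit | Format-Table -AutoSize
```

Dropping the -Filter argument returns domain accounts as well, which on a domain-joined machine can take a long time; the LocalAccount filter corresponds to the localAccount='true' clause of the third wmic command above.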