The Windows Concept Journey — NTUSER.DAT

Shlomi Boutnaru, Ph.D.
Jul 5, 2024


The NTUSER.DAT file contains the account settings and customizations of a specific Windows user (either a local user or a domain user), for example the wallpaper settings or the preferred keyboard layout. The operating system creates it the first time a user logs on to the system. The file is located in the user's profile directory, at “%userprofile%\NTUSER.DAT” (https://appuals.com/ntuser-dat-file-explained/).

The file is hidden, so we can list it using the “/a” flag of “dir”, which is a built-in command of cmd.exe (https://medium.com/@boutnaru/the-windows-process-journey-cmd-exe-windows-command-processor-501be17ba81b), as shown in the screenshot below. “NTUSER.DAT” is a registry hive (https://medium.com/@boutnaru/the-windows-concept-journey-registry-0767e79387a9) that is loaded under “HKEY_USERS” and pointed to by “HKEY_CURRENT_USER” when the user logs on to the system.

Lastly, there are also backups and transaction logs for “NTUSER.DAT” (also stored in the %userprofile% directory, with extensions like “.log”). The “ntuser.ini” file describes roaming profiles used in networked environments (https://www.techtarget.com/searchenterprisedesktop/blog/Windows-Enterprise-Desktop/Understanding-NTUserdat-in-Windows-10). As with the files of the system’s registry (“%windir%\system32\config”), both “NTUSER.DAT” and its related files are opened exclusively by the operating system when the user is logged on.
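Because NTUSER.DAT is a registry hive with transaction logs, a first triage step on a collected copy is to read its 512-byte "regf" base block and check whether the hive is consistent. The following is an added example, not code from the original writeup; it goes beyond the text by using the publicly documented regf header layout, the function names are hypothetical, and the sample header (including the path "\Users\alice\ntuser.dat") is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def regf_checksum(block: bytes) -> int:
    """XOR of the first 127 little-endian dwords (bytes 0-507) of the base block."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        csum ^= dword
    # Two results are reserved by the format and remapped before storing.
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1

def parse_regf_header(block: bytes) -> dict:
    """Triage the first 512 bytes of a hive file such as an offline NTUSER.DAT copy."""
    if len(block) < 512 or block[:4] != b"regf":
        raise ValueError("not a registry hive base block")
    seq1, seq2, filetime, major, minor, ftype = struct.unpack_from("<IIQIII", block, 4)
    (stored,) = struct.unpack_from("<I", block, 508)
    name = block[48:112].decode("utf-16-le", errors="replace").split("\x00")[0]
    return {
        "last_written": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "version": f"{major}.{minor}",
        "is_primary_file": ftype == 0,
        "embedded_name": name,
        # Differing sequence numbers: a write was not completed, so the
        # transaction logs must be replayed before the hive is trusted.
        "dirty": seq1 != seq2,
        "checksum_ok": stored == regf_checksum(block),
    }

def build_sample_header(seq1: int, seq2: int) -> bytes:
    """Constructed header for the demo; not taken from a real profile."""
    block = bytearray(512)
    struct.pack_into("<4sIIQIII", block, 0, b"regf", seq1, seq2,
                     133646112000000000, 1, 5, 0)  # FILETIME for 2024-07-05 UTC
    name = "\\Users\\alice\\ntuser.dat".encode("utf-16-le")  # constructed path
    block[48:48 + len(name)] = name
    struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)

if __name__ == "__main__":
    for label, hdr in (("clean", build_sample_header(7, 7)),
                       ("dirty", build_sample_header(8, 7))):
        print(label, parse_regf_header(hdr))
```

Run it against an offline or copied hive, since the live NTUSER.DAT is opened exclusively while the user is logged on. A dirty result means the accompanying “.log” files belong with the evidence and should be applied by the parsing tool before values are read.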

See you in my next writeup ;-) You can follow me on Twitter: @boutnaru (https://twitter.com/boutnaru). You can also read my other writeups on Medium: https://medium.com/@boutnaru. You can find my free eBooks at https://TheLearningJourneyEbooks.com.
