ntuser.dat files….thick on the ground!

Topic

New Reply

This morning I un-hid my protected operating system files, and came across a nest of ntuser.dat files dating back to 2013. The files reside in folder C:Users[my username], and there are over two hundred of them, totaling 72.35 MB! 43935-Flummox

The files are arranged by date. On some days, the system generated as few as three ntuser.dat files. On other days, it generated as many as nine files.

Sometimes new files were created on consecutive days. Sometimes weeks would elapse before the system generated a new cluster.

So that you know what I’m looking at, here’s a partial screenshot:

http://i.imgur.com/g2vD5YU.png

Is it safe to delete old files (say, those dated between 2013-2015)?

Thanks for your help!

Brooks

Windows 7 Pro, x64, SP1

Reply | Quote

Replies

I think those are registry backups of the user settings.

Reply | Quote

Brooks,

From Wikipedia.org

NTUSER.DAT
Within the root of the profile, a file named NTUSER.DAT contains the user’s personalized settings for the majority of software installed on the computer; including Windows itself. When the user logs on, NTUSER.DAT becomes merged with the computer’s registry, such that it appears as the HKEY_CURRENT_USER branch of the registry tree. NTUSER.DAT is held open for writing (i.e., “locked”) whenever the user is logged on.

HTH :cheers:

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

I believe if you created another admin account and logged in with that, you may be able to delete them then, but it isn’t advisable.

As you can only see them when you unhide, I’d just leave them and 72.5MB on today’s hard drives is nothing compared to some programs/updates that are installed.

Reply | Quote

If you leave

[*]the most recent set of two NTUSER.DAT{…}.regtrans-ms files
[*]and NTUSER.DAT{…}.blf,
[*]plus the ‘real’ NTUSER.DAT,
[*]plus the ntuser.dat.LOGn file(s),

then the older files could probably be deleted.

If it worries you not to have done this before, move those files you would have deleted somewhere safe, to give you the option of moving them back.

BATcher

Plethora means a lot to me.

Reply | Quote

As always, thanks, gents. Your help is much appreciated.

After more Googling, I do (I think) understand what these files do. What I’ve yet to see is any discussion of their rabbit tendency to multiply—no mention of the fact that three files might one day be hundreds, with no end in sight.

If one of you has an idle moment, would you look in the aforementioned location on your own computer, and verify that we are ALL, in fact, crotch-deep in ntuser.dat files?

I might try your experiment, Batcher, and if I do, I’ll report back. Will definitely back up the bunny hutch, just in case.

Thank you all again, and speaking of bunnies, Happy Easter!

Reply | Quote

Thanks, holdum! You have fewer files than I do, but your files, like mine, are variously dated. So it may be that churning out new ntuser.dat files is a thing Windows does, and the files simply accumulate over time. (If, a year from now, we discover that our stashes have quadrupled, we’ll know for sure!)

Reply | Quote

Files in C:UsersJohn:
43943-ntuser

Reply | Quote

Thanks, Coochin. Not a lot going on in your rabbit hutch! How old is your computer?

I don’t mess with them.:rolleyes:

And the more I think about it, the more I think you and Sudo are right. Best to leave ’em alone. Thanks, both.

Reply | Quote

…How old is your computer?…

I built the computer about three-and-a-half years ago but did a clean install of Win7 Pro x64 in July 2014.

Have not had any reason to mess w/ the “ntuser” files on any of my systems but have seen multiple instances of “ntuser” files on a few customers’ systems but never more than six-or-so.

You should be able to delete the older “ntuser.dat” files without causing any problems, but as someone else suggested it would be safest to move them to a temporary folder then restart Windows before deleting them (just in case). Windows won’t allow you to delete/move the one that is currently in use in any case.

Reply | Quote

I run it every now and then…it’s a windows feature!

Thanks, holdum! I like Disk Cleanup too, and usually run it before doing an image backup. (And run CCleaner on a daily basis.)

I would run Malwarebytes free and Adwcleaner.

I use Malwarebytes, but am not familiar with Adwcleaner. Will look into it, and thanks.

I always create a back up image of my OS before I try any thing like deleting this type of file!

Good idea! It’s almost time for my monthly image backup, so until that’s done, I’ll hold off tinkering.

You should be able to delete the older “ntuser.dat” files without causing any problems, but as someone else suggested it would be safest to move them to a temporary folder then restart Windows before deleting them (just in case).

Appreciate the tips. Am still dithering over whether or not to mess with those files, but if I do, I’ll backup everything first.

Thanks again for your input, guys.

Reply | Quote

Note that the subject files are grouped into trios, with one .blf and two .regtrans-ms files per trio, with the same date and guid. The .blf seems to always be 64KB and the two others are always 512KB.

Based on a number of references, including those below, it appears that each trio is a form of registry temp file. Apparently the temp files contain a copy of the old data from the registry prior to it being changed, just in case it needs to be rolled back. They’re not a backup, per se–i.e., the user doesn’t control the rollback. Rather, they seem to be just a temporary location the system uses when managing registry changes.

Unlike more familiar temp files, however, they don’t get deleted when no longer needed. They’re evidently left as a sort of scratchpad to be reused when necessary–more like the Windows clipboard. Note that even though they’re being reused the datestamps on the files are not altered; they’re left as of the date the trio was created.

Note each trio has a different guid. That would make sense if the registry changes are being made by different accounts or users–e.g., some antivirus programs, for instance, may be designed that way. Note the files don’t grow in size the longer they’re used, they just multiply if different guids access the registry.

IAC, according to the below references it seems there is no harm in deleting one or more trios, and other users have done so without incident. However, keep in mind the datestamps don’t change once created, so you can’t assume the older trios are more obsolete. In fact, the oldest trio is probably the main user acct and thus still in active use.

My system is a fairly recent clean install and, like Coochin, I only have one trio, with a datestamp as of the install date. I couldn’t delete the files because they were in active use, but mine is a multiboot system so I booted into a second OS and deleted the blf/regtrans-ms trio from my first OS partition. When rebooting back into the first OS, the trio was recreated with the same guid as before but now it had a new datestamp. All three file sizes were initially zero, but I opened regedit and made a few dummy changes and then the file sizes jumped up to their regular 64K/512K sizes.

So I’d have no qualms about deleting any trios the system will let me delete. If the system won’t let me delete a particular trio, then it’s in use and would just come back again if I were to delete it. If it’s from software that kicks in only once in a while, that particular trio will be regenerated when needed. But if it’s from old software or users no longer active, those trios aren’t needed anymore, so why not get rid of them?

references:

[*]Windows NT Registry File (REGF)
[*]NTUSER.DAT and UsrClass.dat files building up by the thousands
[*]6 Ways to Free Up Hard Drive Space Used by Windows System Files
[*]ntuser.dat locked by the system process
[*]

(Aside: not that it matters but just in case anyone missed this, note Coochin just looked in current user while BrooksNYC and holdum333 did a global search so they turned up extra trios under other user accts, as well. They do indeed have more trios than Coochin, but the screenshots make it look even worse because the other accounts are included.)

Reply | Quote

When I checked my users there was only one with a size of 1.5MB but when I clicked on Library and did a search, quite a few were found with one dating back to 2009.

That I assumed was from when Win 7 was installed as I only bought this laptop Dec. 2011.

Most were only a couple of hundred KB but with 545GB of free space on my HDD, I don’t think they will cause me any problems by just letting them remain.

Reply | Quote

When I checked my users there was only one with a size of 1.5MB

Are you saying that’s a .blf or .regtrans-ms file?

Everything examined by BrooksNYC, holdum333, Coochin, and myself consistently shows they only occur in trios and are always 64K/512K.

Does anyone else here have a system that doesn’t fit that pattern?

Reply | Quote

The 1.5MB one in users is listed as a DAT File and these are a sample of the ones after doing a search and as you will see, they aren’t all in threes or of the size you have quoted –

43964-ntuser

Reply | Quote

A handy program that – Thanks, but I’m not sure how to upload the info.

Reply | Quote

Sudo
What version of windows is that. I get nada when I search Library. A global search gets the triplets in my W7U. And I have no Regbackup folder except 1 under “C:UsersvvvvAppDataLocalVS Revo GroupRevo Uninstaller ProRegBackupLast”:cheers:

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

Yes, I’ve got that – just haven’t been able to find a way to upload it though.

@ Wavy – I use Win 7 x64 Home Premium and I opened Windows Explorer – clicked on Computer then entered ntuser.dat into the file search box.

Reply | Quote

Hey Y’all,

Mine looks pretty clean by comparison.
43966-NTUserDAT

:cheers:

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

Sudo

Try searching just in C:Users folder (with hidden and system files visible). Then sort on date. I suspect you will see what we are seeing. That Regbackup folder is obscuring your results.
:cheers:

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

When I go c:users with show hidden files, I’m presented with three categories which when opened, show these of which none were regbackup files.

Computer name – ntuser 22/03/2016 1,536KB

Default – NTUSER.LOG1 8/03/2016 185KB
NTUSER.LOG2 14/07/2009 0KB

Guest – None

Public – NTUSER 21/07/2015 8KB
ntuser.dat.bak 9/06/2015 256KB

Which is why I did the search on Computer – however, when I used Search Everything I got a rake which was too big for a PRTSC or the Snipping Tool, but I couldn’t find a way to upload the list.

Reply | Quote

This is all I could capture with the Snipping Tool, but as you can see – I entered ntuser.dat and there are 375 of them in total, but other than the search on Computer, I don’t know where they are located.

Reply | Quote

Sudo, most of yours are backups, you probably use some software that backs up the Registry each time it starts up or on a Schedule (It’s a Tosh? Maybe some OEM bloatware?).

For searching, I use Agent Ransack free version:

43974-AgentRansack

Reply | Quote

Hi I don’t know if this matters, but I used Search Everything to find my ntuser.dat
It’s a great freeware program that I use a lot!
https://www.voidtools.com/

Looks interesting, and in the Downloads there are Portable versions, which I prefer…states that these don’t make any system changes.

Reply | Quote

You whiz kids have totally left the old man in your dust! :D:

Here’s how I accidentally stumbled across those files—no search tools required:

[INDENT]From the toolbar in Windows Explorer, choose Tools > Folder Options

Click the View tab.

Check the box next to “Show hidden files, folders, or drives”

UNcheck the box next to “Hide protected operating system files (Recommended)”

Click “OK“.[/INDENT]

Don’t know that your experience will parallel mine, but in Windows Explorer (for Win 7 Pro), I then went to C:Usersmy username, scrolled down the list, and at the bottom of the list were the gazillion ntuser.dat files. (I have Administrator Privileges for both of my Windows accounts, if that matters.)

I haven’t touched the files, except to take a screenshot of them.

Reply | Quote

I found this: “Ntuser.dat is a system file that helps to Boot up your computer.”

Ntuser.dat is a registry hive. There are a half-dozen hives that comprise the system registry. You’ll find most of them in c:windowssystem32config, with the names “system”, “software”, “security” and “sam”. Those hives comprise the system-wide part of the registry. A couple more hives are user-related–“default” and “ntuser.dat”, the latter residing under the user’s account in c:users.

When you open regedit, the hives are amalgamated together into one tree, with the different hives populating different branches of the registry tree. The ntuser.dat hive for the actively-logged-in user is the HKEY_CURRENT_USER branch you see in regedit.

As ntuser.dat is the user’s hive, each user account will have it’s own ntuser.dat (i.e., c:users{accountname}ntuser.dat).

I see no indication Sudo has a virus. Note the location of Sudo’s files is c:regbackup. As satrow said, Sudo appears to have some sort of non-Microsoft program (perhaps even Toshiba bloatware) that is regularly backing up his registry hives. And in lieu of having to manually delete them, I would think said registry backup program might have a built-in feature by which Sudo can purge old registry backups.

But that’s a different topic than the focus of this thread, which was about the transitional registry files–the ones with the .blf and .regtrans-ms extensions.

Reply | Quote

As I’ve said, I have plenty of space on the HDD to accommodate them and the laptop is running fine and boots up in 48 – 52 seconds.

I have a lot of Toshibas services stopped in msconfig so not really sure what is generating them, but they haven’t bothered me now or previously so I’ll leave them alone.

Reply | Quote

Sudo
I should have said ‘Show System Files’ as well as show hidden. That done you should see what every one else does. :cheers:

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

Where is that option ?

Reply | Quote

Where is that option ?

I think he means uncheck the “Hide protected operating system files (Recommended)” box.

Jerry

Reply | Quote

Thanks Jerry, I’ll give that a go later and then perhaps seeing if I can zip Search Everything and upload it in the Test Area.

Reply | Quote

Well, I’ve managed to upload the .zip but you’ll have to put ntuser.dat in yourself to see just those as Select all seems to mean just that

43989-ntuser

Did the unhide bits and when I went to my username, they were now all there.

Reply | Quote

I **suspect** that you can try to delete ALL these files . . . because the ONE set that is in use won’t allow itself to be deleted !

Don’t blame me if it all turns to custard though – I’m just musing :rolleyes:

Reply | Quote

Better to grab a list of ‘utility’ software installed so we can work out what creates the regbackups, it, and the associated recent backups, might just come in useful one day.

Reply | Quote

I have run the AIO a couple of times and while that auto creates a reg backup, it wouldn’t account for all of those.

These are a list of the services running –

43993-services

And these are a list of installed programs –

43994-InstProg

I’m not sure if this task list will help –

43995-Tasklist

Reply | Quote

Well, Sudo is on record as saying he’s got a good-sized hard drive and isn’t worried enough to go out of his way to recover a small bit of space. Looking at his ntuser.dat search results, I see no reason to try and change his mind. There’s always a risk if you start tinkering with system files, and by my reckoning the most he stands to reclaim is about 110 MB, and that amount may not be worth the effort or risk to him.

I’ve reattached Sudo’s search results with the list re-sorted and separated to make it easier to identify what’s actually shown. All files can be sorted into three groups. The first group is the files from that third-party backup program. The second group is the real registry hives and logs. The third group is the transitional registry files–the same kind that started this thread in the first place.

The first group is the c:regbackup files. On closer examination it turns out there’s only five backups, and all within the last three months. Note each backup set consists of 6 files, but they’re the ntuser.dat files from 6 different places or accounts, so they’re not merely duplicates of one another.

From Sudo’s list of installed programs, my guess would be these are generated by one of the tweaking.com programs. Tweaking.com’s website says they have a “Registry Backup” program and they mention, “Installed version of the program will default the backup location to C:RegBackup.”

That looks like it may be the culprit.

But note there’s only five backups. That’s not enough to be overly concerned about. And if he’s had the program installed for more than three months, that might suggest the program itself may automatically purge old backups, keeping only the last five. If so, that sounds like a reasonably-behaved program, so IMHO I’d need some other compelling reason to start changing it around.

The second group is the actual registry hives. Again, note there seem to be so many because they’re coming from different accounts or services. (For comparison, remember Coochin, RetiredGeek, and I only looked in one place, so our systems would also show more ntuser.dat files if we looked under the other accounts, as well.)

All the ntuser.dat and log files should not be tampered with. If there’s anything that might be removable from this second group, it would probably be the files with “new” or “bak” in the filenames, but that’s not going to make a big difference.

The third group consists of all the transitional registry files–the .blf and .regtrans-ms trios we were discussing earlier. Sudo has exactly 100 trios, so if we assume (as evidence seems to suggest) that the filesizes of each trio are always 64K+512K+512K, that means there’s around 108 MB tied up in those files.

I think there’s no danger deleting as many trios as you can, but that could be tedious and there’s no easy way to tell which trios will be in active use and which the system won’t let you delete. I can’t imagine how they would have any impact on system performance if they’re just left there, so it just comes down to how much effort Sudo wants to make to reclaim that space.

Reply | Quote

I won’t even ask how you managed to collate that lot

I think it was December 2015 when I got the Pro version and while it gives me an useful system tray icon, the program only backs up the registry prior to running the repairs and I’ve only run it a couple of times, although I’ve started it to check on various bits of the program and the auto reg back up kicks in – but I find it difficult to believe the program has created that many back ups.

Reply | Quote

I won’t even ask how you managed to collate that lot

A command-prompt window and an old DOS command turned your list (ntuser.efu) into my list (ntuser.txt) in about two seconds:

Code:

type ntuser.efu | sort > ntuser.txt

Then I eyeballed the result and made a few minor edits, adding some blank lines and a few other changes for readability.

I find it difficult to believe the program has created that many back ups.

There are only five backups: 29-Dec, 15-Feb, 8-Mar, 11-Mar, and 20-Mar. That doesn’t sound like an outlandish number to me.

Each backup is a set of six files, collected from six different places in your system. So at first glance it may look like a lot, but it’s only five backups.

Reply | Quote

That sounds about right then, so I guess the other 445 make up the older normal ones.

Reply | Quote