WINDOWS REGISTRY PROFILELIST

The State information for each profile is stored in the following location:

Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\SID
Value: State
DataType: REG_DWORD
Data: a bit mask built from the hexadecimal flag values listed below
A value of 256h in the State would be decoded in this manner:
256 = 200 + 040 + 010 + 002 + 004
You can add the hexadecimal numbers below to determine the flag
settings on the profile:
001 = PROFILE_MANDATORY
Profile is mandatory.
002 = PROFILE_USE_CACHE
Update locally Cached profile.
004 = PROFILE_NEW_LOCAL
Using a new local profile.
008 = PROFILE_NEW_CENTRAL
Using a new central profile.
010 = PROFILE_UPDATE_CENTRAL
Need to update central profile.
020 = PROFILE_DELETE_CACHE
Need to delete cached profile.
040 = PROFILE_UPGRADE
Need to upgrade profile.
080 = PROFILE_GUEST_USER
Using guest user profile.
100 = PROFILE_ADMIN_USER
Using administrator profile.
200 = DEFAULT_NET_READY
Default net profile is available & ready.
400 = PROFILE_SLOW_LINK
Identified slow network link.
800 = PROFILE_TEMP_ASSIGNED
Temporary profile loaded.
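The decoder below is an added example, not code from the original post. It encodes the flag table above and applies it to State values as they appear in regedit (decimal) or in the post's own notation (hex with an h suffix or 0x prefix), and it reports any bits the table does not document separately, which is what the 8000h and 4000h bits in the sample values further down turn out to be. It reads nothing from the registry; you pass the values you observed. The sample values are the ones quoted on this page.

```python
import sys

# Flag table from the page above: (bit, symbolic name, meaning). Values are hexadecimal.
PROFILE_STATE_FLAGS = [
    (0x001, "PROFILE_MANDATORY", "Profile is mandatory"),
    (0x002, "PROFILE_USE_CACHE", "Update locally cached profile"),
    (0x004, "PROFILE_NEW_LOCAL", "Using a new local profile"),
    (0x008, "PROFILE_NEW_CENTRAL", "Using a new central profile"),
    (0x010, "PROFILE_UPDATE_CENTRAL", "Need to update central profile"),
    (0x020, "PROFILE_DELETE_CACHE", "Need to delete cached profile"),
    (0x040, "PROFILE_UPGRADE", "Need to upgrade profile"),
    (0x080, "PROFILE_GUEST_USER", "Using guest user profile"),
    (0x100, "PROFILE_ADMIN_USER", "Using administrator profile"),
    (0x200, "DEFAULT_NET_READY", "Default net profile is available & ready"),
    (0x400, "PROFILE_SLOW_LINK", "Identified slow network link"),
    (0x800, "PROFILE_TEMP_ASSIGNED", "Temporary profile loaded"),
]


def parse_state(text):
    """Parse a State value written as decimal ('33028', what regedit shows),
    C-style hex ('0x8104') or assembler-style hex ('8104h', as used in the post)."""
    s = text.strip().lower()
    if s.startswith("0x"):
        return int(s[2:], 16)
    if s.endswith("h"):
        return int(s[:-1], 16)
    return int(s, 10)


def decode_state(state):
    """Return (documented flag names in ascending bit order, leftover undocumented bits)."""
    names = []
    unknown = state
    for bit, name, _meaning in PROFILE_STATE_FLAGS:
        if state & bit:
            names.append(name)
            unknown ^= bit  # clear the bit we just explained
    return names, unknown


def describe_state(state):
    """One-line human-readable summary, e.g. for a triage report."""
    names, unknown = decode_state(state)
    parts = ["0x%X (%d)" % (state, state)]
    parts.append(", ".join(names) if names else "no documented flags set")
    if unknown:
        parts.append("undocumented bits: 0x%X" % unknown)
    return " : ".join(parts)


# Constructed sample: the State values quoted in this post (decimal and hex forms).
SAMPLE_STATES = ["256h", "33028", "33024", "19204", "772", "256"]

if __name__ == "__main__":
    for arg in sys.argv[1:] or SAMPLE_STATES:
        print(describe_state(parse_state(arg)))
```

Run it with no arguments to decode the page's sample values, or pass your own (`python profilestate.py 19204 0x8104`). From a defender's point of view the bits worth keying on are PROFILE_TEMP_ASSIGNED (800h), which means the user was logged on with a temporary profile, and PROFILE_NEW_LOCAL (004h); together with a sibling `.bak` key they are the registry trace of the "TEMP profile" condition described at the end of the post.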

If you ignore the 8000h bit, this is a new local administrator.

1000000100000100 - 33028 (8104h) - temporary user backup
1000000100000000 - 33024 (8100h) - also from a temporary user backup
100101100000100 - 19204 (4B04h) - temporary account
1100000100 - 772 (304h) - not sure
100000000 - 256 (100h) - seems like normal status

In the registry, I have the following values under this key:
....\ProfileList\S-1-5-21-1534095646-1438609452-5522801-16269
- State: 19204 (decimal)
- ProfilePath: %SystemDrive%\Documents and Settings\TEMP
It seems that Windows also makes a backup of my original profile before
logging me in with the above path:
....\ProfileList\S-1-5-21-1534095646-1438609452-5522801-16269.bak\
- State: 33024 (decimal)
- ProfilePath: %SystemDrive%\Documents and Settings\msoultanian
