As you know, Windows services are one of the most popular places for attacks on the operating system. In the worst case (for us, of course) the attacker gets the opportunity to act on the attacked computer in the context of the account under which the compromised service is running. And if this account has administrative rights, then the attacker actually gains full control of the computer. From version to version, new mechanisms appear in Windows that provide additional isolation of services and, as a result, enhance the security of the system as a whole. I would like to briefly consider what has fundamentally changed in this direction over the past few years.

The first significant changes in service protection mechanisms appeared in Windows XP Service Pack 2. It’s hard to imagine now, but before the release of SP2, all services of the operating system itself were launched in the context of the built-in Local System account, which had the most complete administrative rights on the computer. SP2 added two more entries: Local Service and Network Service. The fundamental differences between the three listed entries can be found in table. 1.

Table 1

Accordingly, starting with Windows XP SP2, the administrator could configure the service to run in the context of one of the built-in accounts, a local or domain account. However, most Windows services itself still run in the Local System context. But even if we abstract from this, the situation when several services are launched in the context of the same account leads to the fact that a successful hack of one service, even without administrative privileges, potentially opens up to the attacker any other resources that the compromised service account has access to.

IN Windows Vista Several mechanisms have emerged to increase service isolation. I'll stop at two.
The first mechanism is a unique service security identifier (Service SID). This SID is generated for each service by hashing the service name using the SHA-1 algorithm. The prefix S-1-5-80- is added to the result. You can view the SID of a service using the sc showsid command, specifying the service name as a parameter (see Figure 1).
Rice. 1

You can experiment with, for example, the W32Time service. For any folder on NTFS, in the permissions settings you only need to enter the username in the NT SERVICE\ format<имя службы>, in our case NT SERVICE\w32time (see Figure 2).

Rice. 2

Click Check Names, then OK and see the user (see Fig. 3) to whom you can assign rights.

Rice. 3

Let me emphasize again that w32time is not a user object. This is a SID, but since it is so, it can be used in ACLs, both in the graphical interface and on the command line and programmatically. Moreover, service SIDs can be used in Windows settings Firewall, applying certain rules to a specific service, or more precisely to a specific Service SID.

The second change introduced in Vista is a new type of security identifier - Write Restricted SID. If a service is marked with the Write Restricted SID type, then its SID is added to its own access token in special list– Restricted SID list. When such a service tries to write something to a file, the algorithm for checking access rights changes slightly. Namely, a service will be able to write to a file only if Write permission is explicitly granted to the SID of this service or to the Everyone group.
For example, ServiceAccount1 of some service Service1 is a member of Group1. Group1 and only it has Write permission to Folder1. What happens if the service tries to change something in Folder1? In a normal situation, ServiceAccount1 will be able to write to the folder due to its membership in Group1. But if Service1 is marked with a Write Restricted SID, then its access token is handled differently and it will not be able to write anything to the folder because it is not explicitly given Write permission, nor is Everyone given this right.
You can view the SID type using the sc qsidtype command (see Figure 4).

Rice. 4

In particular, in Fig. 4 you see that the service Windows Firewall belongs exactly to the mentioned type. Naturally, this type was introduced in order to further limit the capabilities of the service (the ability to erase or overwrite something) in the event of its successful hacking. It should also be added that this mechanism is intended primarily not for system administrators, but for service developers. If only they would use it.

In Windows 7 and Windows Server 2008 R2 work on service isolation continued. Virtual accounts and managed service accounts appeared. What exactly is the problem? We need to isolate services - let's create the required number of local (or domain) user accounts. Each critical service has its own account. Yes, that's the solution. But for local services that don't need network access to resources, you must manually set passwords that are long and complex. And also manually update them periodically. Well, since we are for safety. For services that must access resources over the network in the context of domain accounts, in addition to this, you also need to register a Service Principal Name (SPN), unique for each service. It is not comfortable. But the inconvenience becomes a real problem when the service cannot start due to an expired password. And the admin simply forgot to change the password for it.

So for local services you can use virtual accounts. A virtual account is used only to run a specific service, or rather to create a security context for a specific service. You won't find this entry among users in Computer Management. And yet, this is an account, with its own unique SID, with its own user profile. Therefore, you can assign permissions to it and, thereby, differentiate access rights and clearly control them. But the same as in the case of Local System, Local Service and Network Service operating system takes over the tasks of managing passwords for virtual accounts. We isolate the services we need, and we don't have to worry about passwords.

To create a virtual account, you need to specify in the service settings as an account: NT SERVICE\<имя службы>(see figure 5)

Rice. 5

After starting the service, the virtual account will appear in the Services console (Fig. 6), and in Users folder you will notice a new user profile appearing.
Rice. 6

The format is very similar to a service SID. But let me emphasize that this is not just an additional unique SID for a service as in Vista, it is a separate account and, accordingly, a different level of isolation. By default, virtual accounts are used, for example, for application pools in IIS 7.5 in Windows Server 2008 R2. It must be kept in mind that virtual accounts are intended for local use. If a service running in the context of a virtual account accesses over the network, then this access occurs on behalf of the account of the computer on which the service is running. If it is necessary that the service, for example SQL Server, worked on the network on behalf of a domain account, then managed service accounts will help here. However, there are more subtleties associated with them, and their consideration is beyond the scope of this post. You can get acquainted with MSA in more detail

User account corruption is a common Windows problem. The problem occurs when you enter a password or PIN on the lock screen and when you press enter you get the error "User Profile Service failed to sign in. The user profile could not be loaded" in Windows 10 or User Profile Service is preventing you from signing in in Windows 7. .

Solving the "User Profile Service could not log on" problem using Registry Editor

Option 1: Correct the user account profile

Sometimes your account may be damaged and this prevents you from accessing files in Windows 10. Let's go to the registry editor in several ways, through safe mode:

Step 1. Press the keyboard shortcut " windows + R" to call the command "run" and enter the command regedit to enter the registry.

Step 2. In the window that opens, follow the path:

Step 3. You will have several keys in the parameter s-1-5. You will need to select the longest key with a long array of numbers and your account that has the "User Profile Service failed to login" error. Make sure that the path is correct, click on the long key and there should be a name in the right column, if you haven’t found it, then scroll through all the long keys until you come across in the right column your broken profile, in my case, account .

Step 4. If you incorrectly renamed the user profile folder C:\User\site of the affected account, then open Explorer along the path C:\User\site and right-click on the broken profile, select rename and manually enter the correct profile name (site). After renaming, go back to the folder in the registry and make sure that the name is written as in the picture (step 3) C:\User\site.

See two options, step 6 and step 7, depending on who you are

Step 5. Now we will make two options, if we have one long key S-1-5-21-19949....-1001. bak(extension .bak at the end) and with the second without .bak those. just S-1-5-21-19949....-1001. Depending on who has two or one profile lined up.

Step 6. There is only one key at the end of s.bak (S-1-5-21-19949....-1001.bak).

• A) If you only have one key at the end with .bak(S-1-5-21-19949....-1001.bak), right-click on it and click rename. (see picture below).

• B) Delete the word itself with a dot .bak so that you get just numbers. Continue with step 8. (see picture below)

Step 7. If you have two identical keys, one without .bak, the second with .bak. (S-1-5-21-19949....-1001 and S-1-5-21-19949....-1001.bak) .

• A) In the left pane of the registry, right-click on the key without .bak and add a period, two letters .bk(see picture below).

• B) Now right-click on the key with .bak, select rename and delete .bak with a dot. (see picture below).

• B) Now go back and rename the first key with .bk V .bak. Press enter and continue with step 8.

Step 8. Select the key that you renamed without .bak and from the right in the column, double-click to open the parameter settings, and assign the value 0. If you do not have such a parameter, then right-click on the empty field with the right mouse button and create a DWORD (32-bit) parameter, rename it RefCount and set the value to 0.

Step 9. In the right field, select the key without .bak and in the parameter State set the value to 0. If there is no such parameter, then click on the empty field to the right and click create DWORD (32-bit), rename it to State and set the value to 0.

Step 10. Restart your computer and the “User Profile Service failed to log in” and “Unable to load user profile” errors in Windows 10 should disappear.

Option 2: Delete and create a new user profile for the account

This option will delete your user profile, causing you to lose all of your account settings and personalization.

Step 1. If there is another administrator account that does not have an error, log out of the current account (eg: site) and log into the administrator account.

If you don't have another admin account to log in to, you can do one of the following options below to enable the built-in admin account to log in to and proceed to step 2 below.

• A). Boot into safe mode, enable the built-in Administrator, log out and log in to Administrator.
• B). Open the window command line When booting, enable the built-in administrator, restart your computer and log in to Administrator.

Step 2. Do backup copy anything you don't want to lose in the C:\Users\(username) profile folder (eg: website) of the corresponding user account to another location. When done, delete the C:\Users\(username) folder.

Step 3. Click windows buttons+R to open the Run dialog box, type regedit and click OK.

Step 4. In Registry Editor, navigate to the location below.

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Step 5. In the left panel in the ProfileList, click on the long key that has an account error. The profile is visible on the right.

Step 6. Delete error profiles with.bak and without.bak. Eg ( S-1-5-21-19949....-1001 and S-1-5-21-19949....-1001.bak)-delete.

Step 7. Close Registry Editor and restart your computer, after which it will automatically recreate the new user.

Let's solve the problem "Unable to load user profile" in a simple way

Method 1. This method It doesn't work for everyone, but it has helped many. Try to copy your documents in the folder (C:\Users\) to another location to create a backup just in case. Typically the problem occurs due to corruption of the "NTUSER.DAT" file located in the "C:\Users\Default" folder. To solve this problem you need to replace the "NTUSER.DAT" file with another profile. .

1. Log in to the system in safe mode with a profile account that works.
2. Find the file (C:\Users\Default) "NTUSER.DAT" and rename the .DAT extension to .OLD. It should be (NTUSER.OLD).
3. Find the file "NTUSER.DAT" in the work profile such as "Guest", "General". Example (C:\Users\Guest\NTUSER.DAT).
4. Copy it and paste it into the default folder C:\Users\Default.
5. To restart a computer.

You can copy this file from another computer with the same version of windows and paste it to your home along the path C:\Users\Default.

Method 2. You can try replacing the entire “C:\Users\” folder from another computer.

• Take a flash drive in FAT32 format and write the C:\Users\ folder onto it from another computer and transfer it to your computer.

If anyone knows how else to fix the error, “The User Profile Service prevents you from logging in” using another method, then write in the “report a bug” form.

Problems related to user profile corruption are among the most common, usually accompanied by the messages "Cannot sign in to your account" and "You are signed in with a temporary profile." Therefore, today we decided to tell you how the user profile is structured, what can lead to its damage, and what methods can be used to restore normal operation of the system.

Let's start with the symptoms, the first sign that something has gone wrong is the inscription Preparing Windows on the welcome screen, instead Welcome.

Then you will be "delighted" by a message "Can't sign in to your account" with options to re-enter and continue working.

If we close this window, we will see another message that sheds a little light on what is happening "You are logged in with a temporary profile".

If the profile is temporary, then it turns out that for some reason the permanent user profile could not be loaded. Therefore, let’s not get carried away, but try to figure out what a user profile is, what data it contains, and what could be the reason for the impossibility of loading it.

To a very first approximation, the user profile is the contents of the directory C:\Users\Name, Where Name- username, there we will see the folders familiar to everyone Desktop, Documents, Downloads, Music etc., and also hidden folder AppData.

Everything is clear with the visible part of the profile - these are standard folders for storing user data, by the way, we can easily reassign them to any other location. In recent Windows versions You can even reassign the Desktop.

This is quite convenient and justified, considering how much stuff users keep on their desktops, and those same SSDs are far from rubbery. But that’s not what we’re talking about; what’s hidden from the eyes of the average user is much more interesting.

Folder AppData designed to store settings and user data installed programs and in turn contains three more folders: Local, LocalLow And Roaming.

Let's look at them in more detail:

• Roaming- this is a “light” and, as the name suggests, a movable part of the profile. It contains all the basic settings of programs and the user’s working environment; if roaming profiles are used on the network, then its contents are copied to a shared resource and then loaded onto any workstation, where the user is logged in.
• Local- the “heavy” part of the profile, contains cache, temporary files and other settings that apply only to the current PC. It can reach significant sizes and does not move across the network.
• LocalLow- local data with low integrity. In this case, we again have an unsuccessful translation of the term low integrity level, in fact, integrity levels are another security mechanism. Without going into details, we can say that system data and processes have high integrity, standard integrity - for the user, and low integrity - for potentially dangerous ones. If we look into this folder, we will see there data related to browsers, flash players, etc. The logic here is simple - in the event of any emergency or attack, processes running from this folder will not have access to user data.

Now is the time to think, damage to which of the specified data can lead to problems loading the profile? Probably none. Therefore, there must be something else in the profile. Of course it is, and if we look closely at the screenshot of the user’s profile above, we will see a file there NTUSER.DAT. If you turn on the display protected system files , then we will see a whole set of files with similar names.

Now we get to the point. In file NTUSER.DAT there is a registry branch HKEY_CURRENT_USER for each user. And it is the corruption of the registry branch that makes it impossible to load the user profile. But not everything is as bad as it might seem at first glance. The registry is quite well protected from possible failures.

Files ntuser.dat.LOG contain a log of registry changes since the last successful boot, making it possible to roll back if any problems arise. Files with the extension regtrans-ms are a transaction log, which allows you to maintain a registry branch in a consistent form in the event of a sudden stop while making changes to the registry. In this case, all pending transactions will be automatically rolled back.

The files are of least interest blf- this is a magazine Reserve copy registry branches, for example, with a standard tool System Restore.

Thus, having found out what the user profile consists of and damage to which part of it makes it impossible to boot, we will consider ways to restore the system.

Method 1: Fix the problem in the user profile

First of all, if you have problems logging into your account, you should check the system volume for errors; to do this, boot into the recovery console or Windows environment PE and run the command:

Chkdsk c: /f

In some cases this may be sufficient, but we will consider the worst case scenario. After checking the disk, boot into the system and open the registry editor, go to the branch

On the left we will see a number of sections with the type name S-1-5 and a long tail that corresponds to user profiles. In order to determine which profile belongs to which user, pay attention to the key ProfileImagePath on right:

So, the required profile has been found, now we look again at the tree on the left, which should contain two branches, one of which ends bak.

Now our task is to rename the main profile to bak, A bak in the main one. To do this, add any extension to the main profile, say .ba, then rename the backup profile to the main one, removing from its name .bak, and rename again ba V bak.

By the way, there may be situations where only a branch exists for your account bak, in this case just remove its extension.

Then we find two keys in the new main profile RefCount And State and set both values ​​to zero.

Let's reboot. In most cases, if the profile is not seriously damaged, these steps will lead to success, otherwise move on to method 2.

Method 2. Create a new profile and copy user data there

In this case, official Microsoft documentation advises creating a new account and copying your profile data there. But this approach gives rise to a whole layer of problems, since New user- this is a new security subject, and, therefore, we immediately get a problem with access rights; in addition, we will need to reconnect all network accounts, re-import personal certificates, and export-import mail (if you use Outlook). IN general entertainment enough and it’s not a fact that all problems can be successfully overcome.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

and delete all branches related to your profile. Let's reboot.

Windows will then create a new profile for your account, just as if you were logging in for the first time. this system. But your security identifier (SID) will remain unchanged, you will again be the owner of all your own objects, certificates, etc., etc.

For further actions you will need another account with administrator rights, let's create it, in our case this is the account temp.

Then we log out of our main account (or reboot) and log into our secondary account. Our task is to copy all the contents of the old profile folder, except for the NTUSER files, to the new folder. For these purposes it is better to use file manager (Total Commander, Far, etc.) running with administrator rights.

At the end of the copying process, log in to your account again and check the operation of the account. All data and settings should be back in place. However, do not rush to delete the old folder and additional account; some data may need to be transferred again. This may be due to the fact that some programs that store settings in the damaged registry branch may decide that the new installation and overwrite the transferred files, in this case it is enough to selectively copy the necessary data.

After you have worked with the system for some time and are sure that everything is in place and working as it should, you can delete the old folder and additional account.

• Tags:

Please enable JavaScript to view the