User folder missing
I’m stumped. There are lots of ways to lose a user folder, but I can’t find any record of one vanishing like this. First, there was only one user. Now there are none. The client, of course, has data they want retrieved.
My first idea was to pull the drive and try to copy files from a working computer. That’s how I discovered that there was no user folder to copy from.
Second, I attempted to recover the whole partition. The theory was that perhaps the folder was somehow de-listed and I might recover it whole.
Third, I ran a file recovery to pull out files individually by their extensions. This did not bring up even one file of the type requested by the client. I was able to identify some document files that belonged to the client, so there is data there to recover.
I put the hard drive back into the original machine to attempt repairing the file system from an install stick with chkdsk and sfc. Chkdsk corrected some errors, but there was no visible change. Sfc was unable to perform the requested operation.
Since all the basic stuff didn’t have any effect, I turned to Google. Most of the solutions I found were generic “missing folder” scenarios such as accidentally setting one to hidden, or numerous others assuming that you could still log in to Windows. Others focused on downloading some recovery software or other (also assuming you could still log in). I found a couple references that mentioned how the file could be misplaced by an error in the registry, similar to the issue where the user file is renamed and a temporary profile comes up after an update gone wrong.
This is where it gets weird. I pulled up regedit with cmd, which was running from the repair options on an install stick. I opened it from C:/Users which should point it at the drive I’m trying to repair. The only entries under HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/ProfileList are the three defaults S-1-5-18, S-1-5-19, and S-1-5-20. I was expecting one with an SID.
That brings us to the question: How do you delete the only user profile so completely that the registry entry goes with it? And how would I bring it back?
Consider this: Any physical damage is astronomically unlikely to nuke both the user folder and the registry entry for it. Any intentional deletion from within Windows faces numerous obstacles and would require another profile. Any malicious actor would gain nothing from an attack like this.
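
The ProfileList check described in the post, run against the SOFTWARE hive file of the offline installation, as an added example that is not part of the original post. At a recovery-environment command prompt, `regedit` and `reg` open the recovery environment's own registry unless the hive file on the disk is loaded explicitly; the drive-letter argument and the mount name `OFFLINE_SW` are assumptions of this sketch.

```bat
@echo off
rem Added example: list the profiles recorded in an OFFLINE Windows install.
rem Assumptions: %1 is the letter the recovery environment gave the Windows
rem volume (often not C:); OFFLINE_SW is an arbitrary temporary mount name.
setlocal EnableDelayedExpansion
set "WIN=%~1"
if "%WIN%"=="" set "WIN=C:"
set "HIVE=%WIN%\Windows\System32\config\SOFTWARE"
set "KEY=HKLM\OFFLINE_SW\Microsoft\Windows NT\CurrentVersion\ProfileList"

if not exist "%HIVE%" (
    echo No SOFTWARE hive at %HIVE% - wrong drive letter?
    exit /b 1
)

rem Mount the on-disk hive under a temporary key of the running registry.
reg load HKLM\OFFLINE_SW "%HIVE%" >nul || (
    echo Could not load %HIVE%
    exit /b 1
)

rem One subkey per SID; ProfileImagePath is that profile's folder.
echo --- ProfileList stored in %HIVE% ---
reg query "%KEY%" /s /v ProfileImagePath

rem Check whether each recorded folder still exists on the offline volume.
rem Recorded paths use the installed system's drive letter, so swap in %WIN%.
echo --- Folder check on %WIN% ---
for /f "tokens=1,2,*" %%A in ('reg query "%KEY%" /s /v ProfileImagePath 2^>nul') do (
    if /i "%%A"=="ProfileImagePath" (
        set "P=%%C"
        rem Skip the built-in service profiles, stored as %%systemroot%%\... paths.
        if "!P:~1,1!"==":" (
            if exist "%WIN%!P:~2!\" (
                echo PRESENT  !P!
            ) else (
                echo MISSING  !P!
            )
        )
    )
)

rem Always unmount so the hive file is released.
reg unload HKLM\OFFLINE_SW >nul
endlocal
```

Loading a hive opens it for writing, so on a disk that is still the subject of data recovery, point the script at a copy of the SOFTWARE file or at an image of the volume rather than the original.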