How to identify the (original) user profile name from a changed user account name in Windows?

How to find the original user profile name from a changed user account name?

Look in the Windows Security System Event log for EventID 4781: The name of an account was changed:

4781: The name of an account was changed

The user identified by Subject: changed either the normal logon name or the pre-Win2k logon name of the user identified by Target Account:. Event 4738 actually provides better information on this change.

This event is logged both for local SAM accounts and domain accounts.

You will also see event ID 4738 informing you of the same information.

Subject:

The user and logon session that performed the action.

  • Security ID: The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Target Account:

  • Security ID: SID of the account
  • Account Name: name of the account
  • Account Domain: domain of the account
  • Old Account Name: old logon name
  • New Account Name: new logon name

Source: EventID 4781: The name of an account was changed


This answer is based on the fact that renaming the user account does not automatically change the profile path.

If the account was renamed but the profile path was not changed, the path-name can be found in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList in the item named ProfileImagePath whose value will be C:\Users\old-user-name.

To convert the marked SID to the current user account name, enter in cmd the command:

wmic useraccount where sid='S-1-3-12-12451234567-1234567890-1234567-1434' get name

There are two "name" properties of each account, so let me clarify things a bit so we don't get confused. One is the SAM (Security Account Manager) account name, which shows up in the output of net user. This is the name of the account as far as low-level OS components are concerned. The other is the display name, which shows up in Control Panel's User Accounts page and in the Start menu. The Local Users and Groups snap-in for MMC (lusrmgr.msc) shows both: the SAM name in the Name column, and the display name in the Full Name column. The SAM name is what's used to produce the profile folder.

It is not very easy to change the SAM name unless you use this MMC snap-in. Only changes to the SAM name produce event 4781. I suspect, given that you don't see an event 4781 in your log, that only the display name was changed. This only produces event 4738 ("a user account was changed"). Event 4738 only lists the new value for the display name, not the old value, and I suspect the history of display names isn't kept anywhere (your best hope would be to dig through the logs for more instances of 4738).

Fortunately, finding the profile path from a display name isn't too hard. Open PowerShell and type this command:

gwmi win32_useraccount

You get a bunch of entries that look like this:

AccountType : 512
Caption     : <redacted>\tester
Domain      : <redacted>
SID         : S-1-5-21-<redacted>-1018
FullName    : Test Account
Name        : tester

Find the one with the FullName showing the display name of the account. Then look at the SID value (I've redacted my machine SID here). Open the Registry and navigate to the key mentioned by harrymc:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Open the subkey named the same as the SID you found. The ProfileImagePath value holds the path to their profile folder.
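
The registry lookup and SID-to-name conversion described in the answers above can be done in one pass. The following PowerShell is an added example, not code from any of the answers: it lists each profile under ProfileList, resolves the subkey's SID to the current account name, and flags profiles whose folder name differs from that name. The filter on S-1-5-21 SIDs and the NameMismatch column are choices made for this example.

```powershell
# Added example: map each profile folder to the account that owns it today.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

Get-ChildItem -Path $profileList |
    # Assumption: only local SAM and AD domain accounts (S-1-5-21-...) are of
    # interest; this skips service profiles such as S-1-5-18.
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $path = $_.GetValue('ProfileImagePath')   # e.g. C:\Users\old-user-name
        if (-not $path) { return }

        # Resolve the SID to the current account name. This throws for deleted
        # accounts, unreachable domains, and leftover "<SID>.bak" subkeys.
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $null
        }

        # DOMAIN\name -> name, then compare with the last path component.
        $current = if ($account) { ($account -split '\\')[-1] } else { $null }
        $folder  = Split-Path -Path $path -Leaf

        [pscustomobject]@{
            SID            = $sid
            CurrentAccount = $account
            ProfileFolder  = $folder
            # True when the folder still carries a different name than the
            # account. A rename is one cause; Windows also appends suffixes
            # to the folder when a name collision occurs at profile creation.
            NameMismatch   = [bool]($current -and ($folder -ne $current))
        }
    } |
    Sort-Object -Property NameMismatch -Descending |
    Format-Table -AutoSize
```

Rows with an empty CurrentAccount are profiles whose SID no longer resolves, which is worth a separate look during account clean-up or an investigation.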