What is the “Profile Lists” Windows forensic artifact?

The ProfileList is a specific registry key in the Windows Registry that maintains a list of all user profiles that have ever been created on the system, linking them to their respective Security Identifiers (SIDs). This key is located at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Each user who has logged onto the machine, whether locally or through a domain, will have a subkey under this location named after their unique SID.

For a DFIR investigator, the ProfileList is the definitive source for enumerating all user accounts associated with a system and determining their status. Each SID subkey contains values that point to the user’s profile directory path (e.g., C:\Users\Username), the last time the profile was used, and other configuration details. This information is critical for identifying all active, dormant, or even potentially rogue user accounts created by an attacker for persistence. By correlating a SID found in other artifacts (like file ownership or event logs) back to a username via the ProfileList, an investigator can accurately attribute specific actions to a particular user account, which is a fundamental step in any forensic examination.


Collecting, Decoding, and Viewing “Profile Lists” with TensorGuard

  1. Create a TensorGuard account and sign in to the TensorGuard console at https://app.tensorguard.com.
  2. Select “Case Manager”, then the plus button to create a case. This will contain your enrolled devices, their reports, and any manually submitted collections.
  3. Linked inside the case menu, download the TensorGuard Forensic Collector and run it on your target system.
  4. In the console, click the plus button for “New Enrollment”, copy the enrollment key, and paste it into the TensorGuard Forensic Collector on your target device.
  5. Now that you have a device enrolled, select the device(s), and click “Send Signal”. Answer the questions regarding what you want to look for in the analysis, any alerting on positive findings, and if the collection and analysis should be recurring.
  6. Once the report is generated, you’ll have Profile Lists delivered in the browser, alongside an executive summary and timeline of findings.

Get Started
Integration

Profile Lists

Windows

Identifies every user account that has logged into the computer and their associated profile folder.

About Profile Lists

Automate your Compromise Assessment.

Discover previously undetected compromises and understand your systems' true history.

Automate your Compromise Assessment.