Came across an interesting issue today while cleaning a Malware infection from a client computer.  Once I had cleaned the system up enough to load Windows XP in normal mode, I noticed a strange icon in the system tray.  It was a large red circle with a white X, and when the mouse was hovered over the icon the message “Warning! You have exceeded your profile space by XXX KB” was displayed. Opening the program displayed a more detailed message:

Profile Storage Space
You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage

This was on a computer that is not attached to a domain,  with no quotas enabled by the administrator.

It seems that the Malware infection implemented a local security policy on the PC restricting the users profile storage space.  Manually deleting unneeded files from My Documents to reduce the size of the profile had no affect.

Luckily I came across this registry modification that removed the quota and corrected the problem.

Take this code and paste it into notepad. Save the file as quotarem.reg (make sure to save as type All Files to avoid the .TXT extension) and then double click on it to merge the changes into your Windows registry.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=-
"ProfileQuotaMessage"=-
"MaxProfileSize"=-
"IncludeRegInProQuota"=-
"WarnUser"=-
"WarnUserTimeout"=-

This technique can be useful when you need to migrate users to a new network domain,  and want to retain all the users profile data for use in the new domain.   Using this simple registry modification saves the time required for a tool like the Files and Settings Transfer Wizard (FAST),  but unlike FAST cannot be used to move a users profile from one PC to another.

1 ) Log in to the PC as the user who’s profile you intend to migrate.  Lets call the account TESTUSER.

2 ) Check the users profile path typically located in C:\Documents and Settings\TESTUSER\ and make note of the exact directory path.

3 ) Login as a user with administrative rights and join the new domain. Reboot the PC.

4 ) Log in after rebooting with the users (TESTUSER) new domain account to create a new profile, the log out.

5 ) Log in with a domain admin account.

6 ) Give the TESTUSER@newdomain account full NTFS permissions to the old account profile path you noted earlier.  It’s best to Apply the changes before pressing Okay,  as I’ve found that they don’t stick when you simply press Okay after adding the permissions.

7 ) Open Regedit and navigate to HKLM\software\microsoft\windows nt\current version\profile list

8 ) You will see a list of all the profiles on the machine.  Be aware that these profile folders are named according to the user security IDs (SIDs) and not according to the user names.  You should find a number of profiles including the old user profile (TESTUSER) and the new domain user profile (TESTUSER.domain). The easiest way to determine which profile belongs to which user is to compare the ProfileImagePath key data to see which account is referenced in the path.

9 ) Edit the domain user profile (TESTUSER.domain) ProfileImagePath key to point to the old user profile path.  For example:  “C:\documents and settings\TESTUSER.domain”  <changes to> “C:\documents and settings\TESTUSER”

10 ) Once complete, login using the domain account and test it out. The desktop should change, the My Documents should contain all their documents, etc.  Make sure to check Outlook to confirm the email profile was migrated correctly,  I’ve seen a few instances where this did not happen and Outlook required reconfiguration.

If you need to remove Kaseya and it won’t uninstall from Add/Remove programs, try this:

First try the uninstall string

“C:\Program Files\InstallShield Installation Information\{48C76121-4F90-11D5-9884-0050BA85A903}\Setup.exe” UNINSTALL

or

“C:\Program Files(x86)\InstallShield Installation Information\{48C76121-4F90-11D5-9884-0050BA85A903}\Setup.exe” UNINSTALL

When finished delete the machine entry in Virtual Administrator using the “Delete account now without uninstalling the agent” function.