New
#11
Luiz,
I should also mention that the login uses the full email address of an MSAccount-linked user account but for other internal purposes, such as naming the user folder, Windows uses the shortened form of it. So, for example,
Archibald.Snodgrass@Outlook.com would have a user folder
and his UserName reported by Windows in response toCode:C:\Users\Archi
orCode:net user
would beCode:echo %UserName%
Archi
If you then used the command
the FullName field would reveal the name he declared when the MSAccount was created, possibly Archibald Snodgrass, and this is also what would be displayed in the Start menu, Users sectionCode:net user Archi
All the best,
Denis
I doubt that the (folder) creation date is meaningful to identify if an account is an MS account.
What if I create an MS account just during the installation of Win10?
It would have pretty much the same account creation timestamp as if I would create (and use a local account).
Fiddling around if the account name is an email is not convincing too.
I cannot believe that there is no other indicator.
I did not claim that the folder's creation date showed it was an MSAccount.
But if somebody created the account during installation then the properties I suggested you look at might match the installation date-time.
- If the account's folder creation date-time matches the installation date-time then that account was used during installation.
- If the account's password changed date-time matches the installation date-time then that account was used during installation.
If that account is an MSAccount then installation was done with an MSAccount unless it was originally a local account and was converted to an MSAccount later on.
I do not believe you will find anything more definitive than the [fallible] checks I have suggested.
I can quite believe that there is no other indicator because I believe that it is not useful information.
What difference would it make either way?
All the best,
Denis
If you don't like the answers so far then just identify the account name with the SID that ends in -1001 using the following command in a PowerShell console (doesn't have to be elevated):
Code:Get-Ciminstance -class win32_useraccount | Select name,sid
For example:
SIDs are unique and this particular value (1001) represents the first user account that was created on the device during OOBE (Out Of the Box Experience), i.e. the user account (automatically in the Administrators group by default) that was used to set the device up after installation of the OS. If it doesn't correspond to a local account name then you know it was created by a MSA.
You can confirm what I've just written by using Nir Sofer's RegScanner and searching for oobe. Sort the results by timestamp and you'll see the SID ending in 1001 is the first created user account.
Alternatively, navigate in the registry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
In the profile list, select the SID ending in 1001 and read the ProfileImagePath value for the account name of the first created account.
Hope this helps...
Last edited by RickC; 08 Dec 2022 at 08:54.
Good tip.
If the owner had been forced to use a Microsoft account in the OOBE, then the easiest way to get only a local account would be to create a new local account, make it an administrator, then delete the first account. A clue that this had been done would be if the -1001 account was missing.