How to clean the NTUSER.DAT file - revisited


I have not visited here in a while and since my last post I notice there has been some discussion regarding this topic and decided to answer this question.

I use a shareware utility called RegdatXP - if anyone knows of another way, let me know - you can find it with Google. You need version 1.3 or above.

When deleting files, they may still be visible in the NTUSER.DAT file when opening the file, for example with a hex editor or even Notepad. At my request, the author created a function under MISC to 'create clean NTUSER.DAT'. Once you have created the new 'clean' file, you can log off, log on as another user with administrator privileges, and replace the old file with the new one.

You can open the file with notepad or a hex editor and see that the records of deleted files are gone.
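
The hex-editor check described in the post above can be scripted. This is an added example, not part of the original post or of RegdatXP: it walks the hive's hbin cells and reports whether a search string sits in an allocated (live) cell or a freed one. It assumes the standard regf layout (4096-byte base block, 32-byte hbin headers, signed 32-bit cell sizes where negative means allocated); `find_in_cells`, `build_sample_hive` and the sample hive contents are constructed for illustration.

```python
import struct

HBIN_START = 0x1000  # hive bins begin after the 4096-byte "regf" base block

def find_in_cells(hive: bytes, term: str):
    """Return (file_offset, 'free' | 'allocated') for every cell containing term."""
    if hive[:4] != b"regf":
        raise ValueError("not a registry hive (missing regf signature)")
    # Registry strings are usually UTF-16LE; some value names are stored as ASCII.
    needles = [term.encode("utf-16-le")] + ([term.encode("ascii")] if term.isascii() else [])
    hits, pos = [], HBIN_START
    while pos + 32 <= len(hive) and hive[pos:pos + 4] == b"hbin":
        bin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        if bin_size < 32 or bin_size % 0x1000:
            break  # corrupt bin header, stop rather than guess
        cell, end = pos + 32, min(pos + bin_size, len(hive))
        while cell + 4 <= end:
            raw = struct.unpack_from("<i", hive, cell)[0]
            size = abs(raw)  # negative = allocated, positive = free
            if size < 8 or cell + size > end:
                break  # corrupt cell, move on to the next bin
            body = hive[cell + 4:cell + size]
            if any(n in body for n in needles):
                hits.append((cell, "free" if raw > 0 else "allocated"))
            cell += size
        pos += bin_size
    return hits

def build_sample_hive() -> bytes:
    """Constructed test hive: one bin, one live cell, one freed cell with stale data."""
    def cell(size, payload, free):
        return struct.pack("<i", size if free else -size) + payload.ljust(size - 4, b"\0")
    live = cell(32, b"vk-live-value", free=False)
    stale = cell(64, "secret.doc".encode("utf-16-le"), free=True)  # deleted, not wiped
    rest = cell(0x1000 - 32 - 32 - 64, b"", free=True)
    hbin = b"hbin" + struct.pack("<II", 0, 0x1000) + b"\0" * 20
    return b"regf".ljust(0x1000, b"\0") + hbin + live + stale + rest

if __name__ == "__main__":
    for offset, state in find_in_cells(build_sample_hive(), "secret.doc"):
        print(f"0x{offset:x}: found in {state} cell")
```

Run it against a copy of the hive taken while that profile is not loaded. A hit in a free cell is data that was deleted but never overwritten, which is what a rebuilt hive should no longer contain.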

This program doesn't work, at least, not for me.

I'm using this one:

"RegdatXP - 1.41
by Henry Ulbrich.
RegdatXP reads non active WinNT/2K/XP/2K3 registry files like ntuser.dat and usrClass.dat and compares them to the current Registry. It is an NT version of Regdat and has also Search and Replace functions for the Registry. Registry Backups can be done by command-line arguments. The full version can recover data from corrupt registry files, repair a corrupt file directly in some cases, and remove user passwords from offline Sam files."

All it did for me was create a copy of the current ntuser.dat file, if not making it a tiny bit smaller, however, all deleted data was still intact.

If you have any more information on this, I'd appreciate it.
All that NTREGOPT software did was make my ntuser.dat file 14% smaller than it was. Not clean it.

There must be a way...
oze said:
All that NTREGOPT software did was make my ntuser.dat file 14% smaller than it was. Not clean it.

There must be a way...

That's because all it does is recompress the registry. To delete registry entries, try either MRU-Blaster or Spybot S&D. Run NTREGOPT afterwards, delete the .bak files in %userprofile%\ and %windir%\system32\config, then erase free space.

Securely Deleting Registry Entries
When you delete entries in the registry (for example, using regedit), it is possible that the entries have not actually been removed from the registry database files, even though it may appear so from looking at the registry using regedit. In order to delete registry entries such that they cannot be recovered, you will need to rebuild (compress) your registry database. This process is quite simple, and is described below: