
Programmatic Windows user profile creation

I am trying to do something similar to what the user who asked this question is trying to do:

HTTPS Request From a Credential Provider DLL

Concerning the components of a user profile, I found this.

  • What is the minimum profile that Windows will recognize and load?
  • How do I create and register a profile with Windows?

My target is Windows 7 (Professional or Enterprise). I'm more of a Linux guy, so I'm pretty clueless when it comes to programming on Windows, so please be gentle.

P.S. Is there a way that I can start developing on Linux then test on Windows without using a VM?

This is what I'm trying to do

I am building a profile synchronization program to be used by people that move around a lot so they don't have to bring a laptop everywhere. This question addresses the case where the user logs in to a new computer. Possible applications are:

  • Businessmen that travel between offices frequently
  • Students who use different computers every day
  • Users of internet cafes in foreign countries
  • Home users who don't like copying files when they get a new computer

I want to provide the best possible user experience that I can, and this means near-instantaneous profile creation. Roaming profiles are slow and buggy at best. Letting Windows create a profile is not really an option because I need to do custom authentication (I figured this one out) and I need to copy down settings from a server.

What I need is a way to:

  • Create only the bare essentials on user logon
  • Update settings from the cloud if the profile has been updated
  • Get the user from logon screen to working in under 30 seconds (preferably much faster)

This is what I'm thinking of doing:

  • Authenticate user with server
  • Contact Windows service to handle profile creation/update
  • Windows service will download bare settings while profile is created
  • Settings are applied
  • User is logged in
beatgammit asked Feb 25 '23 15:02


2 Answers

First of all, I would recommend that you read this about user profiles.

The main idea of user profiles is simple and has stayed unchanged since the first version of Windows NT (I mean Windows NT 3.1): the user profile consists of a directory structure existing on the local computer. One file (the so-called hive) from the user profile represents the current-user part of the registry. It is important that the user has full access to his user profile. The access permission is saved not only in the file system, but also inside the registry. So to create the profile for the user, one has to create the user account first, because part of the security descriptor of the files or registry keys must contain the SID (security identifier) of the user.

When a new user profile is created, the "prototype" of the user profile is used as the template. You can find the path to the template in the registry as the Default value under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList registry key. You can use GetDefaultUserProfileDirectory to get the same information.

To create the profile, one should log in with the user account to get the login token (see LogonUser with the LOGON32_LOGON_INTERACTIVE flag for the dwLogonType parameter) and then use LoadUserProfile, which will create the local user profile if it does not exist for the user. If the user has a central or roaming profile, one should fill in the lpProfilePath field of the input PROFILEINFO structure so that it points to the user's roaming profile path, which is on the server. To get the path, one can use NetUserGetInfo with dwLevel equal to 4. This way is very old and is described, for example, here.

Because the login token from LogonUser is really needed only to get the user's SID, which is needed to grant the user permission to his files and registry keys, starting with Vista Microsoft introduced another simplified and very practical API, CreateProfile, which replaces CreateUserProfileEx (which exists only on Windows XP).

Everything I explained above is really needed only in rare situations, mostly only if you use the user account for a Windows service. In the standard situation the user profile will be automatically created at the first interactive user login on the computer.

If you need to make some changes for all users on the computer, for example after the installation of new software, you can do this in many ways without creating user profiles.

If you explain more exactly why you need to create the user profiles, I could probably suggest some alternative way to achieve the same goals.

Oleg answered Feb 27 '23 05:02
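
The CreateProfile route described in the answer above, as an added PowerShell sketch that is not part of the original answer: it resolves the account's SID, checks ProfileList for an existing entry, then calls `CreateProfile` from `userenv.dll`. The function name `New-LocalUserProfile` and the account `EXAMPLE-PC\roaming.user` are placeholders; it assumes an elevated session on Vista or later and an account that already exists.

```powershell
# Added example: create a local profile for an existing account via CreateProfile.
# Run elevated (for instance from the profile service); names below are placeholders.
Add-Type -Namespace Native -Name UserEnv -MemberDefinition @'
[DllImport("userenv.dll", CharSet = CharSet.Unicode)]
public static extern int CreateProfile(
    string pszUserSid, string pszUserName,
    System.Text.StringBuilder pszProfilePath, uint cchProfilePath);
'@

function New-LocalUserProfile {
    param([Parameter(Mandatory = $true)][string]$UserName)

    # The account must already exist: the ACLs on the profile directory and
    # on the registry hive are built from its SID.
    $account = New-Object System.Security.Principal.NTAccount($UserName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # A per-SID subkey under ProfileList means a profile is already registered;
    # report it instead of creating a second one.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    if (Test-Path $key) {
        $existing = (Get-ItemProperty $key).ProfileImagePath
        return New-Object PSObject -Property @{ Sid = $sid; Created = $false; Path = $existing }
    }

    $path = New-Object System.Text.StringBuilder 260
    $hr = [Native.UserEnv]::CreateProfile($sid, $UserName, $path, [uint32]$path.Capacity)
    if ($hr -ne 0) {
        # 0x800700B7 = HRESULT_FROM_WIN32(ERROR_ALREADY_EXISTS)
        # 0x80070005 = E_ACCESSDENIED (caller is not elevated)
        throw ('CreateProfile failed for {0}: HRESULT 0x{1:X8}' -f $sid, $hr)
    }
    New-Object PSObject -Property @{ Sid = $sid; Created = $true; Path = $path.ToString() }
}

New-LocalUserProfile -UserName 'EXAMPLE-PC\roaming.user'   # placeholder account
```

Because the call needs administrative rights, it belongs in the privileged service rather than in code running as the user being logged on.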


I asked a very similar question on ServerFault, and I really liked the answer I got there. To paraphrase, these are the steps:

  • Create Windows service to create profiles
  • Create a custom ICredentialsProvider and authenticate user
  • Call the profile-create service
  • Tell Windows to continue logging on

It seems there is no direct way to override it, but this seems quite clever, and quite possibly the only solution.

Since nobody has commented or left an answer, I'll change my question a little.

beatgammit answered Feb 27 '23 04:02