Delprof gone wild!

[Jonpet]

Hi, my first post here, so please be gentle with me!

I work for an organisation which has for many months been using delprof.exe on 7000+ Windows XP workstations to routinely clean up old profiles (>120 days unused). Now suddenly we have two devices where delprof appears to have deleted a contemporary profile, ie one that was used the previous day, resulting in some fairly disasterous data loss (thankfully we have centrally managed software deployment, so we have been able to turn delprof off across all devices whilst we investigate, to limit further damage).

Despite one of the devices being shut down the instant the problem was noticed, I have spent hours attempting data recovery on both hard drives with pretty poor results. It's as if delprof has 'shredded' the files - ie deliberately overwritten the sectors from which data was deleted.

I can find no other postings documenting this issue. My main concern is getting the data back, although having tried 5 or 6 free recovery tools I am beginning to lose hope. Second issue is to discover why this happened. It seems delprof may have been confused about the datestamp on the ntuser.dat file (I am assuming that is what it looks at?). This was not an issue of the PC clocks being wrongly set - we can see the timestamps in the event log were correct at the time it ran.

Any help appreciated.

[Jon]

Running Delprof on machines where critical data is stored localy in users profiles is a recipie for disaster... I have done the same thing and never managed to get the data back.

I now redirect all folders that could hold data - my docs, desktops,app data etc - back to servers, not only is the data much less likley to get deleted but it is also backed up.

[Jonpet]

Hi Jon,

Thanks for your reply. I agree with you. I think if we need to set something like this up again in future I will be looking to "backup-then-delete-later" at the very least.