0

What is ntuser.dat and Why is it on My Computer?

Posted by Jamie on August 14, 2018

A reader wrote into us this week and asked about the ‘ntuser.dat’ file on their Windows 10 computer. Specifically, ‘What is ntuser.dat and why does it keep appearing on my computer? I deleted it twice and it keeps reappearing. Why?’ This is something we have seen mentioned before in comments and emails so it’s a good subject for a tutorial.

You can find ntuser.dat in C:\Users\Username. It’s a relatively small file that sits there innocuously. Mine is 6MB in size. It is not a virus. It is not malware. It is not anything to worry about. The file is actually vital to your computer and you should not delete it.

What is ntuser.dat?

The ntuser.dat file is where your Windows user profile is loaded from. It contains the HKEY_CURRENT_USER registry hive which has all your files, preferences and settings contained within it. If you delete the file, many of those settings will return to their defaults. Any configuration changes or customizations that are maintained in the registry will also return to defaults.

The purpose of ntuser.dat is why it will reappear if you delete it. The file is necessary to keep all your registry settings. Every user on the computer will have their own copy that will maintain their individual settings. If you go to C:\Users and check all username folders within you will see each has an ntuser.dat file.

The filename is a legacy from WindowsNT that introduced it to help maintain user settings within a multi-user environment. The format is largely the same now. You cannot open or read ntuser.dat though.

How does ntuser.dat work?

As the file suffix suggests, ntuser.dat is a data file that contains not only the registry hive but logs containing previous versions of that hive. When you make changes to your computer and the hive is updated, the previous version is logged and is how Windows Restore can help return your computer back to a previous configuration. Those logs will refer to other copies of ntuser.dat you may see in the folder.

When you make a change that will be reflected in the registry, it isn’t written immediately. It is held in a temporary file called a regtrans-ms file. This is a log file that tracks all changes you make within a single session that will require a registry change. Only once you sign out or shut down your computer will the regtrans-ms file write your changes to the registry.

The idea is to maintain the integrity of the registry by keeping modification to a minimum. Rather than writing to it all the time, a temporary file is created, checked, validated and then written to the registry once as you shut down your computer. That delay you see when you set your computer to shut down or when you log out? Among other things, that is the regtrans-ms file being written into the registry and copied into ntuser.dat.

What happens if I delete the ntuser.dat file?

As mentioned, the ntuser.dat is an important file for Windows as it contains all your user configurations and HKEY_CURRENT_USER settings. Deleting the file won’t cause Windows to crash but can cause any configurations or system settings that are usually recorded within the registry to disappear.

Not all system settings or changes need to be recorded within the registry so if you delete it, you may see some changes remain while others reset.

You cannot delete the current ntuser.dat that is in use by your account. If you see multiple ntuser.dat files, you can delete those if you wish. Multiple ntuser.dat files within C:\Users\Username indicates that your computer has crashed and couldn’t write to the registry like it should during a normal shutdown. Rather than write a potentially corrupted file, Windows will ignore it create a new file instead. During a crash, the regtrans-ms file would not have been written to ntuser.dat so will be discarded.

Any system changes that are normally recorded in the registry made during the crashed session will not have been saved so you will have to do those again. In this situation, the older ntuser.dat files are now obsolete and are superseded by the latest version of the file. This is what will cause multiple ntuser.dat files to appear.

Multiple ntuser.dat files are safe to delete as long as you do not delete the latest one. In most situations, you should be able to delete the file in use as it will be locked by Windows.

Seeing the ntuser.dat in your Username folder is normal and has been a feature of Windows for the longest time. The file is safe, it is not malware or anything bad. It is a necessary part of Windows and can safely be left alone. If you want to delete older versions you can, but at only a few megabytes, there really is no need. It’s entirely up to you though.

Leave a Reply

Your email address will not be published. Required fields are marked *