A complete, field-tested standard operating procedure for safely removing a corrupted or stale Windows user profile via the registry, file system, and proper session sequencing.
A Windows user profile is a collection of settings, files, and registry entries that define a user's environment on a specific machine. Over time, profiles can become corrupted, orphaned after domain account removal, bloated with stale data, or locked by access permission errors, all of which can prevent a user from logging in successfully.
This SOP covers the complete manual removal process: identifying and deleting the profile's registry entry, removing the physical folder from C:\Users\, and ensuring the user can re-authenticate with a clean, freshly generated profile. This procedure is applicable to Windows 10 and Windows 11 in both domain-joined and standalone environments.
regedit.exe must not be restricted by Group Policy.
Before touching the registry or file system, verify the target user has no active session on the machine. An open session locks profile files and registry hives, which will cause errors or incomplete deletion.
If the user appears, right-click β Log off in Task Manager, or use:
quser /server:<hostname> to check for active sessions.
The ProfileList key stores a subkey for each user profile registered on the system. Each subkey is named after the user's Security Identifier (SID).
regedit, and press Enter.Under ProfileList, expand each SID subkey and look at the ProfileImagePath value to identify the correct user. It will show the path to the user's folder, such as C:\Users\jdoe.
ProfileImagePath before deleting.
If the SID key has a duplicate with a .bak suffix (e.g., S-1-5-21-...-1001.bak), delete both.
wmic useraccount where name="jdoe" get sid
A full system reboot is required before removing the user's folder. Windows holds an open handle to the user's registry hive (NTUSER.DAT) even after the session ends. The reboot releases this lock.
C:\Users\<username> before a reboot will result in file in use errors for NTUSER.DAT and UsrClass.dat.
With the registry entry removed and the machine rebooted, you can now safely delete the physical profile directory from the file system.
C:\Users\.jdoe).If you encounter permission errors on specific subfolders (e.g., AppData\Local\Temp), take ownership first:
Once the old registry key and folder have been removed, Windows will automatically create a new, clean profile the next time the user logs in. This is the built-in self-healing mechanism for profile regeneration.
C:\Users\<username> folder and NTUSER.DAT will be created automatically.C:\Users\ with today's timestamp, and a new SID entry is visible in ProfileList in the registry.
Before deleting any profile folder, ensure critical data (Desktop, Documents, Downloads, browser profiles, Outlook PST files) has been backed up to a network share or cloud storage.
Never perform this operation using the affected user's own account. Always use a separate local or domain admin account to avoid profile lock conflicts.
Right-click the SID key β Export to save a .reg backup before deletion. This allows recovery if the wrong key is removed.
Use Restart rather than Shutdown + Power On. Windows Fast Startup (hybrid boot) does not fully reload the kernel, and file locks may persist.
In domain environments with roaming profiles, also clean up the server-side profile copy to prevent the old corrupted data from syncing back on next logon.
Log the action in your ITSM/ticketing system including the machine name, username, date/time, and the admin account used. This is important for audit trails.
.bak key typically appears when Windows failed to load the original profile and created a temporary one. Delete both the original SID key and the .bak variant to ensure a fully clean state.takeown and icacls commands shown in Step 5 to take ownership and grant full control before retrying rmdir. In rare cases, booting from a WinPE environment may be required.Get-WmiObject Win32_UserProfile and the .Delete() method, or tools like PDQ Deploy, can automate profile removal at scale across managed endpoints.