TheJumpCloud / jumpcloud-ADMU

JumpCloud Active Directory Migration Utility - JCADMU

Error while trying to run the process with Endpoint Security activated on the machine #119

Open maordavidov opened 6 months ago

maordavidov commented 6 months ago

When running the ADMU tool to migrate from AzureAD to JC we have a case in which CrowdStrike is installed on the machine. In such cases we cannot delete it, and we receive the following error:

The process cannot access the file 'C:\Users\******\NTUSER.DAT' because it is being used by another process.

Relevant code:

https://github.com/TheJumpCloud/jumpcloud-ADMU/blob/master/jumpcloud-ADMU/Powershell/Start-Migration.ps1#L1623

jworkmanjc commented 6 months ago

Hello @maordavidov,

Do you have the ability to whitelist the ADMU? There's a signing certificate you can probably match on if you are using the GUI version of the tool. Unfortunately Windows is a little tricky when holding on to the NTUSER.DAT file. That file has to be "unloaded" in order for the script to copy its contents into a new user's registry .dat file.

I have seen cases where AntiVirus Applications will prevent the tool from actually copying the registry data, flagging the tool as performing a malicious activity — which in many other cases, copying data from a user's registry would be suspicious. However in this case, it's the only way we can retain the user's preferences, desktop, and access to files when we create a new local user and apply the previous user's registry to that new profile. This application is open source if you'd like to view the contents of the code.

You may be able to temporarily disable Antivirus in order to complete migration. If CrowdStrike is holding on to some user's profile (specifically their NTUSER.DAT and/or UsrClass.dat files) then migration will not be able to continue.
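The two points raised in this thread (is the profile hive actually held open, and what signer can an EDR allow-list rule match on) can both be checked before a migration is attempted. The following PowerShell is an added example written for this page; it is not code from the jumpcloud-ADMU project. The function names `Test-UserHiveState` and `Get-AdmuSignerInfo`, the profile path and the SID are assumptions chosen for illustration; the ADMU executable path in the usage lines is a placeholder.

```powershell
# Added example, not part of jumpcloud-ADMU. Pre-flight diagnostics for the
# "NTUSER.DAT is being used by another process" failure and for EDR allow-listing.

function Test-UserHiveState {
    param(
        [Parameter(Mandatory)][string]$ProfilePath,   # assumed input, e.g. C:\Users\alice
        [string]$Sid                                   # optional account SID, e.g. S-1-5-21-...
    )
    $ntUser   = Join-Path $ProfilePath 'NTUSER.DAT'
    $usrClass = Join-Path $ProfilePath 'AppData\Local\Microsoft\Windows\UsrClass.dat'

    $result = [ordered]@{
        NtUserLocked    = $false
        UsrClassLocked  = $false
        HiveLoadedInHKU = $false
        Detail          = @()
    }

    foreach ($item in @(@{ Key = 'NtUserLocked'; Path = $ntUser },
                        @{ Key = 'UsrClassLocked'; Path = $usrClass })) {
        if (-not (Test-Path -LiteralPath $item.Path)) {
            $result.Detail += "$($item.Path): not found"
            continue
        }
        try {
            # FileShare.None asks for an exclusive handle; it fails with IOException
            # when any other process (the registry itself, an AV/EDR scanner, ...) holds the file.
            $fs = [System.IO.File]::Open($item.Path,
                    [System.IO.FileMode]::Open,
                    [System.IO.FileAccess]::Read,
                    [System.IO.FileShare]::None)
            $fs.Close()
        } catch [System.IO.IOException] {
            $result[$item.Key] = $true
            $result.Detail += "$($item.Path): $($_.Exception.Message)"
        } catch {
            # Typically UnauthorizedAccessException when not running elevated.
            $result.Detail += "$($item.Path): $($_.Exception.GetType().Name) - $($_.Exception.Message)"
        }
    }

    if ($Sid) {
        # A key under HKEY_USERS\<SID> means the hive is still mounted: the user is logged on,
        # something runs in that user's context, or an earlier 'reg load' was never unloaded.
        $result.HiveLoadedInHKU = Test-Path -LiteralPath "Registry::HKEY_USERS\$Sid"
    }

    [pscustomobject]$result
}

function Get-AdmuSignerInfo {
    param([Parameter(Mandatory)][string]$Path)   # path to the ADMU executable or script
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Status     = $sig.Status                              # 'Valid' when the chain verifies
        Subject    = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint        # value an AV/EDR allow-list can match
        NotAfter   = $sig.SignerCertificate.NotAfter
    }
}

# Usage (run elevated; paths and SID are placeholders):
# Test-UserHiveState -ProfilePath 'C:\Users\alice' -Sid 'S-1-5-21-<placeholder>'
# Get-AdmuSignerInfo -Path 'C:\Path\To\ADMU.exe'
```

Reading the output: a locked NTUSER.DAT together with `HiveLoadedInHKU = $true` is the ordinary case (the profile is simply still mounted, so the user needs to be signed out or the hive unloaded before the copy); a locked file with `HiveLoadedInHKU = $false` points at a third-party handle such as the endpoint security agent described in this issue, which is when the signer thumbprint from `Get-AdmuSignerInfo` becomes the useful input for an allow-list rule.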