Identifying Alternate Accounts During ScreenShare
Linking a player currently being screenshared to a previously banned account requires careful examination of artifacts that store user identities, configurations, or machine identifiers.
Username and Account Artifacts in Files:
Log Files: Game client logs (
latest.log, chat logs), launcher logs (e.g., Lunar Client, Badlion Client), and sometimes mod configuration logs can contain usernames or UUIDs associated with accounts used on the machine.Launcher Configuration Files: Many launchers store account information. For example, custom launchers might have
accounts.jsonor similar files within their data directories (e.g.,.lunarclient/,.feather/often in%appdata%or user home directories on Linux/macOS). Analyzing these files can reveal multiple accounts linked to the device.General File Searches: Players sometimes leave traces of usernames in unexpected places like
.txtfiles, script files, or folder names within their user profile. Searching common user directories (C:\Users\%username%, Desktop, Downloads, Documents) and AppData folders (%appdata%,%localappdata%) for known banned usernames or UUIDs can sometimes yield results.PowerShell Scripting for Alts: Specialized scripts can automate the search for usernames across common locations. For instance, the ADVANCE ALT CHECK PowerShell script available at https://pastebin.com/raw/LBGh2Cyb is designed specifically for this. It recursively searches user directories for files with common log/text/config extensions (
.txt,.log,.json,.jar) and looks for occurrences of a specified username (which could be a known banned alt), outputting a list of files where the name was found. This can significantly speed up the search process compared to manual browsing.
Registry Analysis:
User Profiles: Each Windows user profile has its own registry hive (
NTUSER.DATlocated inC:\Users\{username}\). Analyzing these hives (especially if multiple user profiles exist or existed on the machine) using tools like Registry Explorer can reveal user-specific settings or software configurations potentially linked to different accounts.Software Keys: Registry keys associated with specific game launchers, related software (like Discord), or even Windows components might store account identifiers, license keys, or usage history that could correlate different user activities on the same machine.
File System and Metadata:
Directory Structures: File paths often contain the Windows username (e.g.,
C:\Users\BannedPlayerName\...). Finding game-related files, cheat configurations, or relevant logs under multiple distinct username folders on the same system is a strong indicator of alt account usage.File Ownership: While less commonly checked, file ownership metadata (viewable in advanced security settings or via tools parsing the $MFT) technically links files to the SID of the user who created them. Correlating SIDs with known banned user profiles can be informative, though complex.
Hardware Identification (HWID) Linking:
Server-Side Checks: Many servers maintain databases linking banned accounts to the HWIDs collected during previous gameplay sessions or screenshares.
SS Tool Integration: Some screensharing tools (like Echo) incorporate functionality to collect HWID information from the player's machine during the scan. This collected HWID can then be compared (often automatically by the tool or manually by staff) against the server's database of banned HWIDs.
Detection: A match between the current machine's HWID and a previously banned HWID is strong evidence of ban evasion, even if the player is using a completely new game account and Windows user profile. ScreenSharers should be familiar with how their specific tools collect HWID data and how their server utilizes this information for ban enforcement.
Last updated