Couple questions

Sonya · 21 Nov 2016

First of all does anyone know a simple way to deny permissions to an unknown user in the registry? S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 this unknown user has read permissions all through out the registry - I believe this is actually NVIDIA after having read the NVIDIA program files, and watching this behavior for quite awhile. Unfortunately I cannot confirm this theory since we don't have a system with an AMD graphics card. So that would be my second question, possibly could someone confirm whether or not this user appears with an AMD graphics card.

Strange behavior related to this user: Numerous remote connections, programs blocked in group policy still run, background apps that have been turned off still run, outbound traffic even without an internet connection, spooler sending out data even though no printer installed.

I managed to stop the remote connections by denying access to this user on some registry keys (namely under local machine controlset services) but I am in the process of denying access to the rest of the keys... Not an easy task this user has permissions on practically all keys in the registry. This "user" is on all 5 of our Nvidia windows pcs - Nvidia and windows being the only commonalities.

Just to add a little more information, since denying access to the folder localmachine\system\controlset\services to this "unknown account" there has not been a session 2, session 3 nor %s from %S or even @#$% in my eventviewer under terminalservices.

My windows is fully updated yet these additional sessions were continuing to pop up despite Microsoft's claims to have fixed issues that allow remote connections. For the last 3 days there has not been anything beyond session 1 to appear.

I would love to know if this is Microsoft (even though their support claims to have no idea what it is) or if it is in fact Nvidia - since Nvidia program files have things like "allow anonymous remote connections" "get_every_known_document_type" and "get_every_known_file_format" in them.

Sonya · 22 Nov 2016

Well I have confirmed that this unknown account is indeed Nvidia - now why on earth do we need to allow them access to services and features we have disabled? Let alone why do they need to continue to create remote connections to our pcs without our consent?

Attached are 2 screen shots one of a brandnew clean install of windows 10 without Nvidia and one if of this laptops registry with Nvidia.

Couple questions-confirmed-its-nvidia.png

dalchina · 24 Nov 2016

Hi, I have an Nvidia card, and confirm I see the same.
Discussions: (with no really useful outcome) :
Windows 10 Anniversary Update: The case of the mysterious account SID causing the flood of DCOM errors

Unknown accounts ? - Windows 10 Forums

If you run the registry editor as admin, you could do pretty much what you like to that user- example:

Speculation:
Rt clicking an exe offers 'Run with Graphics processor'
I'm just wondering if there's a connection.

bro67 · 24 Nov 2016

Because some Bean Counter thinks that NVidia needed a user to tell them how many "users" are checking for dowloads and updates to the software. Disable can break it. Check NVidia's forums to see if it may be related to their Shield Platform also.