RB_1.3.77.44.exe - can't even scan it w/o changing owner!!

I am running Windows 10 Pro Version 1803 (OS Build 17134.1)

The actual questions here are in this blue color.

1. I have a suspicious .exe on my Dell 7577 laptop. My machine seems very sluggish, and it has happened twice that taskmanager reported this .exe as taking 20% of the CPU. Further the file is buried deep inside SysWOW64, inside a folder even the owner of which is hidden from me. The file is named RB_1.3.77.44.exe and it's full pathname is

C:\Windows\SysWOW64\Microsoft\Protect\S-1-22-20\RB_1.3.77.44.exe

I'll add that on this machine, the owner of the "Protect" folder is "Administrators" (Machine-Name\Administrators), and it contains nothing but the single folder "Protect". The folder "Protect" contains nothing but the folder S-1-22-20, and he securitry info for the S-1-22-20 folder shows "unable to display owner information". Nothing happens when I double-click on that S-1-22-20 folder. The only reason I know that the RB_1.3... file is there at all is that it showed up in task manager; and then the wonderful beautiful "Search Everything" utility showed me where it is. But I can't copy and paste it anywhere, or upload it to an online virus checker -- unless I take ownership of the object and change its permissions.

[OH now that I write this, I guess I could just boot linux and copy the file somewhere, and then scan the file. As usual, Linux shows its value as the pooper-scooper of choice for Windows] A search online gave me no useful info about this .exe file. Can anyone here tell me what RB_1.3.77.44.exe is? Or if it's normal to have the Protect folder there?

I know how to change the owner of the file so that I can delete it. But perhaps it's legit and needs to have the ownership it does. And even if it's malicious, I"d like to be able to report it as it actually is/was in my system, rather than with a different owner. At the very least, i'd like to be able to record the identity of the current owner, even if to do that causes me to change the owner. Can I do something to find out who the current owner is (since it "can't be displayed")?

If there is a correct or best-practise way to check out this file which doesn't require a reboot or a different OS, I'd be grateful to learn what it is.

THanks!
scott

P.S. if it would be better to post separate queries for the separate quesitons (1. is RB_1.3.77.44.exe dangrous? 2. how to virus-check a file that one can't see without changing it? 3. How to find the identity of the owner of a file whose identitiy "can't be displayed"? please let me know and I''ll do that.

You can take ownership of the file and give yourself a full permission to delete the unknown file.

Code:

Takeown /f "C:\Windows\SysWOW64\Microsoft\Protect\S-1-22-20\RB_1.3.77.44.exe" 

icacls "C:\Windows\SysWOW64\Microsoft\Protect\S-1-22-20\RB_1.3.77.44.exe"  /grant administrators:F

Scan your computer malware infection with MalwareBytes.

Yes, I know i can take ownership and delete the file. I'd like to record who the owner is in case I want to report that. Taking ownership will erase the information about who the previous owner was. I would like to know that.

Actually, I'll guess that S-1-22-20 somehow identifies the owner, but I don't know how to go about looking up, for example, the microsoft ID that is associated to that string.

Windows doesnt store names of owners as such it stores a SID S-1-22-20 is a owner that doesnt have a name anymore

sbpetrack said:

Can I do something to find out who the current owner is (since it "can't be displayed")?

Yes. Here's a file where I cannot display the owner....



...but after clicking the Continue button to try again with administrative privileges the owner is shown.




Oh, and I found that file in my C:\Windows\System32\Microsoft\Protect folder in a sub-folder called Recovery. There are two other sub-folders, S-1-5-18 and S-1-5-20. There are lots of files (none of them an .exe, they are all system files with no extension) in S-1-5-18, but S-1-5-20 is empty. In fact has a creation date from before this machine was upgraded from W7 to W10.