RB_1.3.77.44.exe - can't even scan it w/o changing owner!!


  1. Posts : 22
    Win 10 Pro
       #1

    RB_1.3.77.44.exe - can't even scan it w/o changing owner!!


    I am running Windows 10 Pro Version 1803 (OS Build 17134.1)

    The actual questions here are in this blue color.

    1. I have a suspicious .exe on my Dell 7577 laptop. My machine seems very sluggish, and it has happened twice that Task Manager reported this .exe as taking 20% of the CPU. Further, the file is buried deep inside SysWOW64, inside a folder even the owner of which is hidden from me. The file is named RB_1.3.77.44.exe and its full pathname is

    C:\Windows\SysWOW64\Microsoft\Protect\S-1-22-20\RB_1.3.77.44.exe

    I'll add that on this machine, the owner of the "Protect" folder is "Administrators" (Machine-Name\Administrators), and it contains nothing but the single folder "Protect". The folder "Protect" contains nothing but the folder S-1-22-20, and the security info for the S-1-22-20 folder shows "unable to display owner information". Nothing happens when I double-click on that S-1-22-20 folder. The only reason I know that the RB_1.3... file is there at all is that it showed up in Task Manager; and then the wonderful beautiful "Search Everything" utility showed me where it is. But I can't copy and paste it anywhere, or upload it to an online virus checker -- unless I take ownership of the object and change its permissions.

    [OH now that I write this, I guess I could just boot Linux and copy the file somewhere, and then scan the file. As usual, Linux shows its value as the pooper-scooper of choice for Windows.] A search online gave me no useful info about this .exe file. Can anyone here tell me what RB_1.3.77.44.exe is? Or if it's normal to have the Protect folder there?

    I know how to change the owner of the file so that I can delete it. But perhaps it's legit and needs to have the ownership it does. And even if it's malicious, I'd like to be able to report it as it actually is/was in my system, rather than with a different owner. At the very least, I'd like to be able to record the identity of the current owner, even if to do that causes me to change the owner. Can I do something to find out who the current owner is (since it "can't be displayed")?

    If there is a correct or best-practise way to check out this file which doesn't require a reboot or a different OS, I'd be grateful to learn what it is.

    Thanks!
    scott

    P.S. If it would be better to post separate queries for the separate questions (1. Is RB_1.3.77.44.exe dangerous? 2. How to virus-check a file that one can't see without changing it? 3. How to find the identity of the owner of a file whose identity "can't be displayed"?), please let me know and I'll do that.

  2. FreeBooter's Avatar
    Posts : 3,966
    Windows 10 Pro 64-bit
       #2

    You can take ownership of the file and give yourself full permission to delete the unknown file.

    Code:
    Takeown /f "C:\Windows\SysWOW64\Microsoft\Protect\S-1-22-20\RB_1.3.77.44.exe"
    icacls "C:\Windows\SysWOW64\Microsoft\Protect\S-1-22-20\RB_1.3.77.44.exe" /grant administrators:F

    Scan your computer for malware infection with MalwareBytes.


  3. Posts : 22
    Win 10 Pro
    Thread Starter
       #3

    Perhaps I wasn't clear


    Yes, I know I can take ownership and delete the file. I'd like to record who the owner is in case I want to report that. Taking ownership will erase the information about who the previous owner was. I would like to know that.

    Actually, I'll guess that S-1-22-20 somehow identifies the owner, but I don't know how to go about looking up, for example, the Microsoft ID that is associated to that string.

  4. Samuria's Avatar
    Posts : 6,028
    windows 10
       #4

    Windows doesn't store names of owners as such; it stores a SID. S-1-22-20 is an owner that doesn't have a name anymore.

  5. Farvatten's Avatar
    Posts : 642
    Windows 10 Pro 64bit 20H2 19042.906
       #5

    sbpetrack said:
    3. How to find the identity of the owner of a file whose identity "can't be displayed"? please let me know and I'll do that.
    Currently assigned users are listed here by SID:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

    The key within each SID profile - 'ProfileImagePath' gives a clue to the user.

    Once a user SID gets deleted from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

    or

    If the SID came from another machine and isn't listed here, their User Permissions appear only as the SID value and will often appear with the prefix Account Unknown ( <SID> )
    Last edited by Farvatten; 27 Feb 2020 at 11:36. Reason: More qualification

  6. Pejole2165's Avatar
    Posts : 745
    Windows 10 Pro 1909
       #6

    I have the same folder but mine is in \System32\Microsoft\Protect with a different but similar S-1-xx-xx name, and it is empty, however I do not use system restore and I have a feeling this file is to do with roll back, hence the RB at the start. My system is Win10 Pro, fully up to date. I suggest you leave that file alone, however if you do delete it, run SFC afterwards and I bet it will be replaced.

  7. Bree's Avatar
    Posts : 18,600
    10 Home x64 (20H2) (10 Pro on 2nd pc)
       #7

    sbpetrack said:
    Can I do something to find out who the current owner is (since it "can't be displayed")?

    Yes. Here's a file where I cannot display the owner....

    [Image: file-security-cannot-display-owner.png]

    ...but after clicking the Continue button to try again with administrative privileges the owner is shown.

    [Image: file-security-continue-displays-owner.png]


    Oh, and I found that file in my C:\Windows\System32\Microsoft\Protect folder in a sub-folder called Recovery. There are two other sub-folders, S-1-5-18 and S-1-5-20. There are lots of files (none of them an .exe, they are all system files with no extension) in S-1-5-18, but S-1-5-20 is empty. In fact it has a creation date from before this machine was upgraded from W7 to W10.

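One way to record the current owner before any takeown, as the thread starter asks, combining the elevated owner read from post #7 with the ProfileList lookup from post #5. This is an added example, not code from any poster; the function names Resolve-SidEvidence and Get-OwnerEvidence and the output file owner-evidence.json are hypothetical.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Read-only: it records evidence and never changes the owner or the ACL.
$Path = 'C:\Windows\SysWOW64\Microsoft\Protect\S-1-22-20\RB_1.3.77.44.exe'  # from post #1
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'  # from post #5

function Resolve-SidEvidence {
    param([Parameter(Mandatory)][string]$Sid)
    $account = $null; $profilePath = $null
    try {
        # Ask Windows for the account name behind the SID.
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = 'Account Unknown'   # no name mapping on this machine
    }
    # Fall back to the profile registry key for a hint about the user.
    $key = Join-Path $ProfileList $Sid
    if (Test-Path -LiteralPath $key) {
        $profilePath = (Get-ItemProperty -LiteralPath $key).ProfileImagePath
    }
    [pscustomobject]@{ Sid = $Sid; Account = $account; ProfileImagePath = $profilePath }
}

function Get-OwnerEvidence {
    param([Parameter(Mandatory)][string]$LiteralPath)
    try {
        $acl = Get-Acl -LiteralPath $LiteralPath -ErrorAction Stop
    } catch {
        # Access denied: report it instead of taking ownership.
        return [pscustomobject]@{ Path = $LiteralPath; Error = $_.Exception.Message }
    }
    $sid   = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    $owner = Resolve-SidEvidence -Sid $sid
    # Hash the file so it can be looked up by hash without copying or uploading it.
    $hash  = try { (Get-FileHash -LiteralPath $LiteralPath -Algorithm SHA256 -ErrorAction Stop).Hash } catch { $null }
    [pscustomobject]@{
        Path = $LiteralPath; OwnerSid = $owner.Sid; OwnerAccount = $owner.Account
        ProfileImagePath = $owner.ProfileImagePath; Sha256 = $hash
        Sddl = $acl.Sddl; RecordedUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Record the file and its parent folder, then save the result in the current directory.
$evidence = $Path, (Split-Path -Path $Path -Parent) | ForEach-Object { Get-OwnerEvidence -LiteralPath $_ }
$evidence | ConvertTo-Json | Set-Content -Path '.\owner-evidence.json' -Encoding UTF8
$evidence | Format-List
```

The Sddl field keeps the full security descriptor (owner, group and ACL) as a string, so the original state is still on record if ownership is changed later.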


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
