Users being added in my non admin account in admin group

idk it could be overthinking it but i feel like its not normal hierarchy to have those accounts in Administrator group because they are already above that. I am just not really sure how to go about knowing that for certain.

BlackVen0m said:

Ok thanks about default account. But then the bigger concern is those other two in admin group, because i dont use my pc for remote stuff i disabled all of it. Well i am using oculus quest with my pc over virtual desktop that is for the use with VR like oculus to connect over wifi. But if im able to use it even though i removed those 2 from the admin group then it has nothing to do with that. Could a program in my pc add it self to the admin group? Could it be a software i use that added itself there?

- - - Updated - - -

I removed them 10 hours ago then went to bed, and overnight it has been added back without me even using the pc meaning I have not installed or started any software on my pc it has added it back all by itself, how is that possible?

- - - Updated - - -

it seems to be added everytime i restart the pc, i might have restarted it before going to bed, but i need to know what is adding it back when i restart, and if this is a security risk at all, if its not then i wont care about it. i cant figure this out by myself hence why im asking you guys

When you disable core components willy-nilly without understanding implications and inter-dependencies then the OS will a) try to send telemetry back for Redmond to look at the problem and; b) try to self-heal because it's designed to be resilient, look for issues and try to bring itself back to core component functionality using built-in SYSTEM accounts.

You're not under attack. Just stop fiddling with the OS and you won't see anomalous behaviour.

Hope this helps...

what would they be disabling for this to occur though?
The logic could be that because NTAUTHORITY is elevating into admin group when it should not be the case? could be a fake user?

Wouldn't NTAUTHORITY be like head chieftain of the universe even though
\Local and \Network have less perms than admin but it feels like a misnomer because NT is Authority over that so why does it need to show as Admin group?

Hackers would want admin so they can do stuff. I still don't really know how to rule this out because i have cheked over multiple computers and they are not in any of the groups even non admin. I guess there is grounds to be concerned unless you can verify why they are in that admin group for, i don't really know myself to say because its not something that i have had to sit down and think about myself.

Malneb said:

what would the be disabling for this to occur though?

OP posts regularly (over 400 posts so far) but rarely gives full details of what he/she has been fiddling with, just hints.

For example, in this thread:

i dont use my pc for remote stuff i disabled all of it

How do we try to diagnose a posted issue with such paucity of information? IMO it's just GIGO.

Malneb said:

Hackers would want admin so they can do stuff. I still don't really know how to rule this out because i have cheked over multiple computers and they are not in any of the groups even non admin. I guess there is grounds to be concerned unless you can verify why they are in that admin group for, i don't really know myself to say because its not something that i have had to sit down and think about myself.

Look back over OP's previous posts. I'll take my hat off to you if you can find one single instance when the reported issue was eventually tracked down to 'external hacker activity'... you've even said so yourself.

Conversely, you have not seen this SYSTEM account activity yourself because it's the result of fiddling with the OS without realising the side-effects and subsequent automated OS responses.

If you're that interested, ask OP what did he/she disable specifically (and how) then try to duplicate the behaviour (in a VM).

Malneb said:

idk it could be overthinking it but i feel like its not normal hierarchy to have those accounts in Administrator group because they are already above that. I am just not really sure how to go about knowing that for certain.

Hi. No the 2 that i have in admin group does only have user privilege originally, but now when they are in admin group of course now they have admin rights. Does not seem good.

- - - Updated - - -

RickC said:

OP posts regularly (over 400 posts so far) but rarely gives full details of what he/she has been fiddling with, just hints.

For example, in this thread:



How do we try to diagnose a posted issue with such paucity of information? IMO it's just GIGO.

I disabled remote desktop services only and that should not have anything to do with that. Not only that, on my other windows on my other ssd i have the exact same setup but i don't have those 2 in admin group. So it has nothing to do with anything i disabled because its the exact same as this windows but still i have these added every time i reboot, how can i pinpoint what does this? Is there no software that can show what is adding it?

BlackVen0m said:

I disabled remote desktop services only

Details are important...

RickC said:

Details are important...

Sure.

- - - Updated - - -

But as i said this is what i have on my second windows, and no issue with added users in admingroup on that one ever. Never had this happening before, and i dont know when it started happening on this windows.

RickC said:

The graphic I included is from the film Phenomenon where John Travolta's character keeps asking his examiner to be specific (about 1:04:00).

You posted a screenshot highlighting a single service as 'Disabled'.

Here's my screenshot of a default install of Windows 10 Pro 22H2:


See the difference? Yours has lots more disabled services which you haven't yet mentioned.

If you cannot be honest about what you've been fiddling with then please don't waste our time. We all have better things to do than cast about for hidden needles in giant haystacks.

IMO, take an image then do a clean install of Windows and see whether your current issue magically goes away.

It's not a waste of time when I said I have an exact copy of windows and in that one this issue is not present. So your theory is not valid, has nothing to do with that.

- - - Updated - - -

I Finally found the event log. But i dont understand it, can someone help what to do from here?

- - - Updated - - -

And here is additional information.