#1
The mysterious unknown account: Threat or harmless bug?
In the process of performing the usual necessary cleanup after installing FCU (fixing the various DCOM errors due to improper permission settings) I was reminded of this particular situation again. I was hoping that perhaps the collected expertise in this forum could shed some light on this potentially serious problem.
In a nutshell, it appears that for certain hardware configurations (see below), there is an unusual SID that is being created which the system does not recognize, so it is listed as an "Unknown Account". This could be a minor nuisance, except for the fact that this SID is assigned permissions at top-level registry keys and then propagates down to a vast number of system objects. As a consequence, this unknown account has permissions to a large number of objects and processes, including the permission to launch and activate almost any DCOM object on the system.
The SID of this account is S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681, and there is some indication (from two posts by Sonya here and here) that these security entries are created during the installation of NVidia video drivers. Now, like I said, this could just be a minor cosmetic nuisance, except it may not be.
First of all, the SID above does not look like a standard, properly formed SID. Second, I have seen some references that Windows allows processes to generate SIDs of that kind "on the fly" for special purposes, such as sandboxing: You create an SID for a non-existent account for a process, which means that such a process does not have access to any of the regular system objects except those with permissions for "Everyone", I think.
If that is correct, and if a process can create such SIDs freely, then the issue we have with this NVidia-generated SID is that it cracks our systems wide open to any process that can generate this SID for itself. In other words, we would be looking at a catastrophic security hole. Indeed, the poster I have quoted above (Sonya) reports that NVidia software seems to be starting all sorts of processes using just this mechanism, including remote connections of all sorts. In one of her posts she goes as far as referring to this as "theft ware".
So, here are my questions:
- Can we confirm that this SID indeed "belongs" to NVidia? Does everyone with NVidia drivers have these? Do others not have them? Also, as far as I can tell this SID is only generated on Windows 10 systems.
- Since the SID in question is defined for top-level registry keys and propagates down from there, it could be fairly easy to get rid of it: Simply remove those permissions from HKLM, HKCU, etc., and the offending permissions should be (almost?) all gone. The question is, will that have any adverse consequences? Note that, since the SID in question is illegal, once I remove those permissions I cannot recreate them. If removing them breaks something, then I'm looking at a reinstall...
- Are my concerns above valid? Perhaps they're not, and other than a cosmetic issue those permissions for the offending SID don't really matter. If Sonya is correct, however, this may not be the case.
Here's hoping somebody knows more about this...
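A way to examine a SID like the one in the post without touching the registry, as an added example that is not part of the original thread: the script below parses SID strings into revision, identifier authority and sub-authorities, and classifies those under identifier authority 15 (the app package authority) by their first sub-authority (2 for AppContainer package SIDs, 3 for capability SIDs, with 3-1024 followed by eight 32-bit values being the hash-derived form). It then scans a constructed SDDL string for access-allowed ACEs whose trustee is a capability SID, which is the kind of check a defender would run over exported key permissions. The SDDL sample and the helper names are constructed for this example; only the SID itself comes from the post.

```python
"""Parse Windows SID strings and flag capability-SID ACEs in an SDDL descriptor.

Added example (not from the forum post). Constants follow the documented Windows
SID layout; the SDDL sample below is constructed for demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Identifier-authority values and first-level RIDs as documented for Windows SIDs.
SECURITY_NT_AUTHORITY = 5
SECURITY_APP_PACKAGE_AUTHORITY = 15
SECURITY_APP_PACKAGE_BASE_RID = 2      # S-1-15-2-...  AppContainer package identity
SECURITY_CAPABILITY_BASE_RID = 3       # S-1-15-3-...  capability usable by AppContainers
SECURITY_CAPABILITY_APP_RID = 1024     # S-1-15-3-1024-<8 DWORDs>  hash-derived capability
SID_MAX_SUB_AUTHORITIES = 15

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")

# The SID quoted in the post.
SID_FROM_POST = ("S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687"
                 "-432734479-3232135806-4053264122-3456934681")

# Constructed SDDL: Administrators full control, the post's SID read access,
# Users read access. Not taken from any real system.
SAMPLE_SDDL = ("O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KR;;;" + SID_FROM_POST
               + ")(A;;KR;;;S-1-5-32-545)")


@dataclass
class ParsedSid:
    revision: int
    authority: int
    sub_authorities: List[int] = field(default_factory=list)

    def kind(self) -> str:
        """Classify the SID by identifier authority and first sub-authority."""
        subs = self.sub_authorities
        if self.authority == SECURITY_APP_PACKAGE_AUTHORITY and subs:
            if subs[0] == SECURITY_APP_PACKAGE_BASE_RID:
                return "app-package"
            if subs[0] == SECURITY_CAPABILITY_BASE_RID:
                # 3, 1024, then eight 32-bit words = ten sub-authorities in total
                if len(subs) == 10 and subs[1] == SECURITY_CAPABILITY_APP_RID:
                    return "named-capability"
                return "capability"
        if self.authority == SECURITY_NT_AUTHORITY:
            return "nt"
        return "other"


def parse_sid(text: str) -> ParsedSid:
    """Parse an S-R-I-S... string, enforcing the structural limits of a SID."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities")
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits")
    return ParsedSid(revision, authority, subs)


def capability_aces(sddl: str) -> List[Tuple[str, str, str]]:
    """Return (ace_type, rights, sid) for each access-allowed ACE granted to a capability SID.

    ACE fields are type;flags;rights;object_guid;inherit_object_guid;account_sid.
    Abbreviated trustees such as BA are well-known accounts and are skipped.
    """
    hits = []
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")
        if len(fields) < 6 or not fields[5].startswith("S-"):
            continue
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if ace_type == "A" and parse_sid(sid).kind() in ("capability", "named-capability"):
            hits.append((ace_type, rights, sid))
    return hits


if __name__ == "__main__":
    print(SID_FROM_POST, "->", parse_sid(SID_FROM_POST).kind())
    for ace in capability_aces(SAMPLE_SDDL):
        print("capability ACE:", ace)
```

On a live system the same `capability_aces` function can be fed the output of `Get-Acl -Path HKLM:\SOFTWARE | Select-Object -ExpandProperty Sddl` to inventory which keys carry such entries before deciding whether to change anything.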