Windows 10: The mysterious unknown account: Threat or harmless bug?

  1.    30 Oct 2017 #1

    The mysterious unknown account: Threat or harmless bug?

    In the process of performing the usual necessary cleanup after installing FCU (fixing the various DCOM errors due to improper permission settings) I was reminded of this particular situation again. I was hoping that perhaps the collected expertise in this forum could shed some light on this potentially serious problem.

    In a nutshell, it appears that for certain hardware configurations (see below), there is an unusual SID that is being created which the system does not recognize, so it is listed as an "Unknown Account". This could be a minor nuisance, except for the fact that this SID is assigned permissions at top-level registry keys and then propagates down to a vast number of system objects. As a consequence, this unknown account has permissions to a large number of objects and processes, including the permission to launch and activate almost any DCOM object on the system.

    The SID of this account is S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681, and there is some indication (from two posts by Sonya here and here) that these security entries are created during the installation of NVidia video drivers. Now, like I said, this could just be a minor cosmetic nuisance, except it may not be.

    First of all, the SID above does not look like a standard, properly formed SID. Second, I have seen some references that Windows allows processes to generate SIDs of that kind "on the fly" for special purposes, such as sandboxing: You create an SID for a non-existent account for a process, which means that such a process does not have access to any of the regular system objects except those with permissions for "Everyone", I think.
    If that is correct, and if a process can create such SIDs freely, then the issue we have with this NVidia-generated SID is that it cracks our systems wide open to any process that can generate this SID for itself. In other words, we would be looking at a catastrophic security hole. Indeed, the poster I have quoted above (Sonya) reports that NVidia software seems to be starting all sorts of processes using just this mechanism, including remote connections of all sorts. In one of her posts she goes as far as referring to this as "theft ware".

    So, here are my questions:
    • Can we confirm that this SID indeed "belongs" to NVidia? Does everyone with NVidia drivers have these? Do others not have them? Also, as far as I can tell this SID is only generated on Windows 10 systems.
    • Since the SID in question is defined for top-level registry keys and propagates down from there, it could be fairly easy to get rid of it: Simply remove those permissions from HKLM, HKCU, etc., and the offending permissions should be (almost?) all gone. The question is, will that have any adverse consequences? Note that, since the SID in question is illegal, once I remove those permissions I cannot recreate them. If removing them breaks something, then I'm looking at a reinstall...
    • Are my concerns above valid? Perhaps they're not, and other than a cosmetic issue those permissions for the offending SID don't really matter. If Sonya is correct, however, this may not be the case.

    Here's hoping somebody knows more about this...
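The SID prefix S-1-15-3 is the Windows capability authority (S-1-15-2 is the AppContainer package authority); an entry of the form S-1-15-3-1024-&lt;eight subauthorities&gt; is a named capability whose trailing subauthorities are derived from a hash of the capability name, which is why LookupAccountSid cannot turn it into a name and the permissions dialog shows "Account Unknown". Microsoft's guidance (KB 4502539) is to leave such entries in place. The following PowerShell is an added example, not code from the thread: it walks a few registry roots, pulls every ACE in SID form, classifies the SID prefix, and records whether Windows can resolve it. The root keys, the recursion depth and the output shape are assumptions.

```powershell
# Added example (not from the forum thread): audit registry ACEs that reference
# AppContainer/capability SIDs (S-1-15-*) and report which ones resolve to a name.
# Unresolvable SIDs are what the permissions dialog lists as "Account Unknown".
# Run from an elevated PowerShell 5.1+ session.

$roots = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'HKCU:\Software'   # assumed starting points
$depth = 1                                                      # assumed; full recursion is slow

function Get-SidKind {
    param([string]$Sid)
    switch -Regex ($Sid) {
        '^S-1-15-2-'      { return 'AppContainer package SID' }
        '^S-1-15-3-1024-' { return 'Named capability SID (subauthorities derived from the capability name)' }
        '^S-1-15-3-'      { return 'Well-known capability SID' }
        '^S-1-5-21-'      { return 'Local or domain account SID' }
        default           { return 'Other' }
    }
}

function Test-SidResolvable {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Translate() is the same lookup the GUI performs; it throws when no account matches.
    try   { [void]$Sid.Translate([System.Security.Principal.NTAccount]); $true }
    catch { $false }
}

$hits = foreach ($root in $roots) {
    $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $root -Recurse -Depth $depth -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }
        # Ask for SID form explicitly so no name substitution hides the raw identifier.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference
            if ($sid.Value -notlike 'S-1-15-*') { continue }
            [pscustomobject]@{
                Sid        = $sid.Value
                Kind       = Get-SidKind $sid.Value
                Resolvable = Test-SidResolvable $sid
                Rights     = $rule.RegistryRights
                Inherited  = $rule.IsInherited
                Key        = $key.Name
            }
        }
    }
}

# One row per SID: how many keys carry it and where it is set explicitly
# (a non-inherited ACE marks the key the permission was actually applied to).
$hits | Group-Object Sid | ForEach-Object {
    [pscustomobject]@{
        Sid        = $_.Name
        Kind       = $_.Group[0].Kind
        Resolvable = $_.Group[0].Resolvable
        Keys       = $_.Count
        ExplicitOn = ($_.Group | Where-Object { -not $_.Inherited } |
                      Select-Object -First 3 -ExpandProperty Key) -join '; '
    }
} | Format-Table -AutoSize -Wrap
```

Reading the output: a SID that shows as `Resolvable = False` with explicit ACEs only on a handful of top-level keys and inherited ACEs everywhere below them matches the propagation described in the post. Comparing the `ExplicitOn` column across a machine with and without a given vendor's drivers is the quickest way to answer the "does everyone have these?" question without guessing.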

  2.    30 Oct 2017 #2

    I forgot one additional possibility: Perhaps permissions for that mysterious SID are in fact somehow needed (at least on systems with NVidia drivers?). In that case it would of course be unwise to delete these permissions. Of course, the question still remains if indeed only NVidia-based systems use that entry. Unfortunately the only Windows 10 systems I can get my hands on right now do have NVidia cards, so I cannot check that hypothesis.

  3.    31 Oct 2017 #3

    I have that SID in registry (values and permissions) and only have Intel HD so it is not to do with NVidia.

    I read some speculation that it was due to leftovers from defaultuser0 not being deleted correctly during install. I don't know whether it is a bug or deliberate - it seems unclear.

    [Attachment: Capture.PNG]

  4.    31 Oct 2017 #4

    Interesting. So it's not an NVidia thing. Thanks!

  5.
       31 Oct 2017 #5

    lx07 said:
    ...I read some speculation that it was due to leftovers from defaultuser0 not being deleted correctly during install. ...
    You can get the same leftover (an unknown SID with permissions here, there and everywhere) if you ever created another local user account, then deleted it later. I have often done this, so I see a lot of 'unknown users'.

    Remove the unknown account from the permissions or leave it there, either way it has no impact as the SID doesn't represent an actual account any more.

  6.    31 Oct 2017 #6

    Well, this one may be different. Notice that this particular SID is not a user account SID, it's what is called an "application SID" in order to specify permissions for application containers. Windows 10 is using these all over the place, which can complicate things considerably. The fact that this is listed as an "Account Unknown" does not necessarily mean that it's not needed. As a matter of fact, in the case of the SID above I have seen reports of people having deleted the SID from permissions, only to end up with a broken system (Edge crashing on launch, etc., etc.) Fixing such a system is possible, but not straightforward, and will require some PowerShell wizardry...
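Whoever does decide to touch these permissions should be able to put them back. An SDDL snapshot makes that possible: SDDL stores SIDs verbatim, with no name lookup, so an ACE for a capability SID survives the round trip even though the SID never resolves to an account, and a RegistryAccessRule can be built directly from the SID string. The script below is an added example, not code from the thread or from Microsoft; it snapshots the DACL of a set of keys to a file, restores it, and re-adds a single ACE for the SID from post #1. The key list, backup path and the rights granted by the re-add are assumptions.

```powershell
# Added example (not from the forum thread): back up registry DACLs as SDDL before
# editing permissions, restore them afterwards, and re-add an ACE for a capability SID.
# Run from an elevated PowerShell 5.1+ session.

$keys   = 'HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'  # assumed
$backup = Join-Path $env:TEMP 'registry-dacl-backup.json'                               # assumed
$capSid = 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681'

function Export-KeyDacl {
    param([string[]]$Path, [string]$OutFile)
    $snapshot = foreach ($p in $Path) {
        $acl = Get-Acl -Path $p
        # .Sddl keeps every SID as a raw string, so unresolvable SIDs are preserved.
        [pscustomobject]@{ Path = $p; Sddl = $acl.Sddl }
    }
    $snapshot | ConvertTo-Json | Set-Content -Path $OutFile -Encoding UTF8
    return $snapshot
}

function Restore-KeyDacl {
    param([string]$InFile)
    foreach ($entry in (Get-Content -Path $InFile -Raw | ConvertFrom-Json)) {
        $acl = Get-Acl -Path $entry.Path
        # Apply only the DACL (Access section); owner and SACL are left alone so this
        # does not need SeRestorePrivilege or fight TrustedInstaller ownership.
        $acl.SetSecurityDescriptorSddlForm($entry.Sddl,
            [System.Security.AccessControl.AccessControlSections]::Access)
        Set-Acl -Path $entry.Path -AclObject $acl
    }
}

function Add-CapabilitySidAce {
    param([string]$Path, [string]$Sid,
          [System.Security.AccessControl.RegistryRights]$Rights = 'ReadKey')   # assumed default
    # SecurityIdentifier only checks the string is a well-formed SID; the account need not exist.
    $id   = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
                $id, $Rights,
                [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage: snapshot first, then edit, then restore if Store apps or Edge stop launching.
$before = Export-KeyDacl -Path $keys -OutFile $backup
$before | Format-Table -AutoSize -Wrap
# ... remove or change permissions in regedit or with Set-Acl ...
# Restore-KeyDacl -InFile $backup
# Or re-add only the capability SID ACE on one key:
# Add-CapabilitySidAce -Path $keys[0] -Sid $capSid -Rights 'ReadKey'
```

Two caveats: the snapshot covers only the keys listed, so inherited ACEs further down are restored only as far as inheritance re-propagates from those keys, and Set-Acl will fail on keys where Administrators lack WriteDAC (some are owned by TrustedInstaller with a restricted DACL); those keys need ownership taken and returned by hand, which is exactly the "PowerShell wizardry" the post alludes to.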

  7.
       31 Oct 2017 #7

    Pirx said:
    Well, this one may be different. Notice that this particular SID is not a user account SID, it's what is called an "application SID" in order to specify permissions for application containers....
    Apparently an Application SID is used during an install if the install needs to restart an app or service after completing.

    The errors ”Application SID does not match Conductor SID” will be generated whenever the user account the service is being run under does not match the user account used to launch the setup instance. The term “Conductor” refers to the MSI setup engine. It also appears that if the setup is executed with elevated permissions (Run As Administrator), then the SID check is bypassed. This behavior is by design and is intended to prevent the malicious restarting of critical system services.
