Windows 10 Anniversary Update: The case of the mysterious account SID causing the flood of DCOM errors

Question
-
Hi,
I recently upgraded a system on Insider Preview to build 14393.10. However, I ended up with a flood of DCOM errors. I didn't go into much detail (since I was long overdue for a clean install), and went ahead and did a clean install from the release ISO.
Unfortunately, that didn't help, still had numerous DCOM errors, and also weird behaviors during normal usage, particularly in Modern Apps. So, I decided to trace the source of the problem, and it seemed like all of them were Permission issues for COM objects.
It seems like almost all the core components have an Unknown Account with SID S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681.
That's a strange SID which doesn't even look valid. However, I also did fresh installs on other systems, and they all seem to be very consistent with the same SID.
All the core system COM objects seem to have this Unknown SID. And it seems that's the source of all the DCOM errors in the event logs.
It would seem highly likely that someone inside Microsoft screwed up quite astonishingly this time, hurrying to ship the anniversary update, and in the process let an orphaned account, potentially created during the installation, be assigned permissions for the COM objects instead of the real accounts (or even worse, by the looks of the SID, since it likely is not even a valid one).
Essentially, almost every single COM object belonging to the system core is messed up. I haven't checked the filesystem yet, but I probably will also run a check to see if any of the files have any other unknown SIDs associated with them as well. Incidentally, there's also the "defaultuser0" account that's created during the update as well as during a clean install of 1607. I suspect that's related as well.
It is very disconcerting that Microsoft let something like this pass into a release. Currently I've replaced a few of those SIDs with Network Account and Local System, and the system seems to be relatively stable with no errors in the event logs.
However, it's also very likely that only a few of them are being logged during the regular course of time, and there are tons of hidden errors that could cause problems due to these invalid permissions.
Hope there'll be an official fix for this soon. Hopefully, the file system permissions are still sane and don't have more unknown SIDs assigned to them.
- Prasanna V. Loganathar
- Edited by Prasanna Loganathar Friday, August 5, 2016 10:37 PM
Friday, August 5, 2016 10:31 PM
Answers
-
These DCOM errors have been seen in Windows 10 for some time and have been reported in the Feedback Hub. Search this forum for DCOM; there are many reports of these errors.
Repeated DCOM errors - possibly Cortana related? being one.
So any other issues? These errors are common so not ideal but they can be safely ignored.
The defaultuser0 is also present on my working Windows 10 1607 systems. I also get the DCOM errors if I look for them, but the systems are working as expected.
- Proposed as answer by MeipoXu (Microsoft contingent staff) Wednesday, August 10, 2016 12:59 AM
- Marked as answer by Kate Li (Microsoft employee) Monday, August 22, 2016 7:09 AM
Saturday, August 6, 2016 5:39 PM
All replies
-
-
Have you found the component referred to by the {F72671A9-012C-4725-9D2F-2A4D32D65169} AppID?
Using the Win32_DCOMApplication object through WMI and PowerShell I can't see the name of the application that stands for {F72671A9-012C-4725-9D2F-2A4D32D65169}.
PS C:\WINDOWS\system32> Get-WMIObject Win32_DCOMApplication -Filter "AppID='{F72671A9-012C-4725-9D2F-2A4D32D65169}'"

AppID                                  InstallDate Name
-----                                  ----------- ----
{F72671A9-012C-4725-9D2F-2A4D32D65169}
And if you open dcomcnfg and navigate to Component Services | Computers | My Computer | DCOM Config, there are lots of application identifiers listed there; I have almost broken my eyes trying to drill through the list. No sorting, hey, MMC console!
Further investigation shows that this somehow refers to CDP:
PS C:\WINDOWS\system32> Get-WMIObject Win32_ClassicCOMClassSetting -Filter "AppID='{F72671A9-012C-4725-9D2F-2A4D32D65169}'" | select -ExpandProperty Caption
CDP Remote Text Handler
CDP Web Account Provider Callback
CDP Activity Store
CDP Touch Handler
CDP App Control Handler
CDP Resource Policy Broker
CDP Session Authenticator
CDP Media Handler
But there's only one application identifier listed in Component Services that refers to CDP Reference Host and it has another application ID: {A0316E2D-8793-4E74-AA48-8CE2ED05BA57}
How did you manage to locate {F72671A9-012C-4725-9D2F-2A4D32D65169} ?
Of course, this can be found through the registry, but simply adding Full access permissions for the BUILTIN\Administrators group and for NT AUTHORITY\SYSTEM to the {8D8F4F83-3594-4F07-8369-FC3C3CAE4919} class identifier did not help...
I have added permissions to the ACL on the following registry objects:
HKEY_CLASSES_ROOT\CLSID\{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
HKEY_CLASSES_ROOT\AppID\{F72671A9-012C-4725-9D2F-2A4D32D65169}
PS C:\WINDOWS\system32> Get-Acl -Path "HKLM:\Software\Classes\CLSID\{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}" | Format-List
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : BUILTIN\Users Allow ReadKey
BUILTIN\Users Allow -2147483648
BUILTIN\Administrators Allow FullControl
BUILTIN\Administrators Allow 268435456
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
CREATOR OWNER Allow 268435456
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow -2147483648
PS C:\WINDOWS\system32> Get-Acl -Path "HKLM:\Software\Classes\AppID\{F72671A9-012C-4725-9D2F-2A4D32D65169}" | Format-List
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Classes\AppID\{F72671A9-012C-4725-9D2F-2A4D32D65169}
Owner : BUILTIN\Administrators
Group : NT SERVICE\TrustedInstaller
Access : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadKey
NT SERVICE\TrustedInstaller Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey
Any clues how to find the CDP Activity Store in Component Services when there is no such application ID listed there?
This class ID reads that this is connected to CDP Activity Store.
What is the S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 SID? Does it refer to defaultuser0, by the way?
Well this is the world we live in And these are the hands we're given...
- Edited by Exotic Hadron Thursday, September 1, 2016 2:58 PM
Thursday, September 1, 2016 2:57 PM -
Took me a while to find this as well. The item appears in dcomcnfg as just the AppID {F72671A9-012C-4725-9D2F-2A4D32D65169}.
When in dcomcnfg, format the list as List, then scroll to the bottom and look up 6 lines. It's the only item with {F726 at the beginning, and it really stands out.
I have also been thinking that the defaultuser0 has something to do with this. I think the user is created as DefaultUser and renamed somehow to defaultuser0.
Still searching... I find that I have to go through every DCOM error in my event log, find the AppIDs of the ones that are failing, locate each of those in the registry, take ownership of the key, then relaunch dcomcnfg, find them in there and add permissions for local activation for service, system, all application packages, and so on. It's frustrating as hell when I have to do this to dozens of computers each week.
<quote>
Have you found the component referred to by the {F72671A9-012C-4725-9D2F-2A4D32D65169} AppID?
Using the Win32_DCOMApplication object through WMI and PowerShell I can't see the name of the application that stands for {F72671A9-012C-4725-9D2F-2A4D32D65169}.
</quote>
Friday, January 6, 2017 5:10 PM -
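An added example, not from any post in this thread, that automates the manual hunt described in the two posts above (find the AppID in each 10016 event, look it up, inspect its permissions). It reads the AppID's LaunchPermission and AccessPermission values, which are the security descriptors DCOM actually evaluates, rather than the ACL of the registry key itself, and it labels S-1-15-3-* principals as capability SIDs so they are not mistaken for orphaned accounts. It assumes an elevated PowerShell on Windows 10; the cmdlets are standard and the function names are my own.

```powershell
# Added example (not from any post in this thread). Read-only; run elevated.
# DCOM launch/access rights live in the REG_BINARY LaunchPermission / AccessPermission
# values under HKLM\SOFTWARE\Classes\AppID\{...}; Get-Acl on that key shows the key's
# own ACL, which is a different thing.

function Get-DcomActivationFailures {
    param([int]$MaxEvents = 100)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 }
    $guid = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The 10016 text names the CLSID first and the APPID second; match the GUIDs
            # positionally so wording differences between builds do not matter.
            $ids = @([regex]::Matches($_.Message, $guid) | ForEach-Object { $_.Value })
            if ($ids.Count -ge 2) {
                [pscustomobject]@{ CLSID = $ids[0]; AppID = $ids[1] }
            }
        } | Sort-Object CLSID, AppID -Unique
}

function Resolve-AppIdNames {
    param([Parameter(Mandatory)][string]$AppId)
    # The AppID key often carries no friendly name (as the posts above found);
    # the COM classes that point at it usually do.
    Get-CimInstance Win32_ClassicCOMClassSetting -Filter "AppID='$AppId'" |
        Select-Object -ExpandProperty Caption -Unique
}

function Get-SidKind {
    param([string]$Sid)
    # Prefixes per MS-DTYP: S-1-15-2-* = AppContainer package SID, S-1-15-3-* = capability SID.
    # A capability SID never resolves to an account name; that is expected, not an orphan.
    switch -Wildcard ($Sid) {
        'S-1-15-3-*' { 'capability (AppContainer)' }
        'S-1-15-2-*' { 'package identity (AppContainer)' }
        'S-1-5-21-*' { 'local/domain account' }
        default      { 'well-known / service' }
    }
}

function Get-DcomPermissionAces {
    param([Parameter(Mandatory)][string]$AppId)
    $key = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
    if (-not (Test-Path $key)) { return }
    $props = Get-ItemProperty -Path $key
    foreach ($valueName in 'LaunchPermission', 'AccessPermission') {
        $bytes = $props.$valueName
        if (-not $bytes) { continue }   # value absent => machine-wide DCOM defaults apply
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([byte[]]$bytes), 0
        if (-not $sd.DiscretionaryAcl) { continue }
        foreach ($ace in $sd.DiscretionaryAcl) {
            if (-not $ace.SecurityIdentifier) { continue }   # skip non-standard ACE types
            $sid = $ace.SecurityIdentifier
            $principal = $sid.Value
            try { $principal = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{
                Value     = $valueName
                Principal = $principal
                Sid       = $sid.Value
                Kind      = Get-SidKind $sid.Value
                AceType   = $ace.AceType
                Mask      = '0x{0:X}' -f $ace.AccessMask
            }
        }
    }
}

# One report per distinct AppID seen in recent 10016 events.
Get-DcomActivationFailures | Sort-Object AppID -Unique | ForEach-Object {
    $names = @(Resolve-AppIdNames -AppId $_.AppID)
    $label = if ($names.Count) { $names -join ', ' } else { '<no COM class name registered for this AppID>' }
    Write-Host "`n$($_.AppID) -> $label"
    Get-DcomPermissionAces -AppId $_.AppID |
        Format-Table Value, Principal, Kind, AceType, Mask -AutoSize | Out-String | Write-Host
}
```

An AppID with no LaunchPermission value is governed by the machine-wide defaults in dcomcnfg, so an empty report for it is not a finding.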
You can find more information about these issues by searching for this term in Google (or whatever):
"S-1-15-3-1024"
Using the quotes. There is no clear consensus, but it appears that you are seeing leftover permissions for an account that was created temporarily and then removed. The account does not exist but permission remnants remain. It is unclear where the actual problem lies until it can be determined what is creating this account and what is removing it.
Friday, January 6, 2017 8:29 PM -
Hey, Prasanna,
I do wonder if the ISO that you and I used (and many others) has been replaced on Microsoft's download servers by an image that does NOT contain this random SID. I have installed this image on a few computers before noticing that ALL of them had this random SID. I'm currently trying to get access to a computer that I did NOT install Windows 10 on to see if it also contains the SID. I have messed up one system (my main home workstation) so badly by trying to remove that SID from the registry (100,000s of keys) and some file system points (like ProgramFiles\WindowsApps) among others. I can always do a clean install, but I'm going to see if the newest ISO from MS's Media Creator tool still has this issue. Yes, I will agree that some of the DCOM errors were present for a while now, but the poster Mr Happy (who was voted as answer) still did NOT mention if he/she has this unknown SID present or not. Also, he/she didn't say anything about the unknown SID at all.
I just started having all my apps/services/etc. fail with permissions errors (many access denied) on things that are running as my account, along with others running as local service/network service/system, etc. I noticed all these permissions errors after the 1703 update. I believe it's related to the Creators update.
Friday, May 5, 2017 6:22 AM -
I am dealing with the same issue, not because the DCOM errors are causing an issue with my PC. I am a product development manager and the products I am working on right now are using a file share on my Windows PC. When the DCOM error is processed and posted in Event viewer, within minutes the other hardware reboots indicating in the hardware logs that the share had become unavailable.
My point being maybe the error causes no instability in the PC but if you have something requiring file sharing or connections to your PC, watch for little errors. Once I have the DCOM errors gone I will post what I did to kill them.
Thursday, May 25, 2017 7:40 PM -
I can confirm as of May 9th 2017 (clean install of Microsoft's latest ISO) that THESE "Account Unknown" still have full permissions to nearly every registry key. I have seen these since Windows 10 came out; I have 2-3 different SIDs for these in my registry and they have been there for a very long time.
When I asked in the forums for my security software in December 2015 about these SIDs, the answer they gave me was that these belong to containers. I can also confirm that removing these or even denying permissions to the registry keys will completely screw up the PC.
Oh, whether it's related to "defaultuser0" is beyond me, but this latest install no longer shows that user account on 3 different PCs, all wiped and clean installs as of May 9.
- Edited by SonyaAnn Tuesday, May 30, 2017 9:17 PM
Tuesday, May 30, 2017 9:16 PM -
Computer\HKEY_USERS\S-1-5-21-3205736349-3230891109-1885040020-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\ChildCapabilities
Contains the following keys: 001, 002, 003, 005, 006, 121. Each key contains the same multi-string data, including the unknown account SID S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681.
As shown in every WOW64 account:
Account Unknown(S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)
HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}
Tuesday, August 29, 2017 7:44 AM -
These many unknown SIDs starting with S-1-15-1024- effectively all look to be related to the Microsoft Edge AppX. They are apparently used to add "special permissions", but the permission editor is not able to identify those "granted" permissions (which seem to be completely undocumented, so there's not even any checkbox in front of the detailed attributes).
I don't like Microsoft adding such invisible accounts for storing undocumented privileges and then adding these accounts to various system components. For me they are security holes.
If they are no longer used or needed by supported apps or system components, Microsoft SHOULD PROVIDE a tool to CLEANUP these old permissions that are constantly left over (notably after each Windows version update).
They just cause more nightmares when managing our systems (e.g. with files supposed to be unused, but still locked by some services to which these permissions were left, forbidding these files to be deleted).
This is especially problematic now that Windows uses internal hardlinks for its components (stored in WinSxS and linked in the final target installation): these hardlinks cannot be removed, so these old components cannot be removed from filesystems (permission denied for all, including for the local Administrator with elevated privileges).
I can only find a single way to remove them: you need to boot from another Windows instance, on a separate disk, where you'll manually mount the disks you want to cleanup, and manually open the registry hives stored on them, in order to cleanup these registries and filesystems, removing the old broken security attributes left in so many places.
Microsoft is not good at all when it leaves so many traces everywhere (including many broken registry entries for software that has never been installed and will never be installed, or with broken file paths, or missing AppIDs). Even when installing a new Windows to a fresh unpartitioned disk, there is a lot of pollution left. There's a very low quality level for installations that create such dumb data everywhere on our system (this time this was for the preinstallation of Edge that each Windows version update will promote and open again and again, even if we don't use that web browser...)
Tuesday, August 29, 2017 3:43 PM -
You should be able to eliminate any unwanted SIDs from the security settings by using subinacl.exe. It may be time consuming, but you can use wildcards to set multiple files or registry keys simultaneously. You need to check that removing the SIDs doesn't foul things up on your PC. I came across these posts while I was researching the unknown SIDs on my system, but I haven't tried to remove them.
Monday, September 4, 2017 1:08 AM
-
Hello Gents, I read most of what was in this thread's Q and A, enough to know how far ahead of me you are at tracking and identifying this mysterious SID. First time I saw this was way back in one of the first 15 series builds, maybe January of 2017. I found it connected to a bunch of my cloud files. I couldn't shake it and it's still around. Just found it again in my printer app. Any chance this is cloud related? I wouldn't know how to tell.
Kevin C.
Sunday, September 24, 2017 9:20 AM -
I have the exact same issue:
Account Unknown(S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681).
And not only do I experience similar DCOM errors, but the computer also randomly freezes, as reported in a different post: https://social.technet.microsoft.com/Forums/windows/en-US/80095788-85f1-4640-abdf-82f43cc5cc35/event-id-10016-the-applicationspecific-permission-settings-do-not-grant-local-activation?forum=win10itprohardware
Thursday, February 22, 2018 2:23 AM -
From another support site: https://answers.microsoft.com/pt-br/windows/forum/windows_10-security/usu%C3%A1rio-desconhecido-s-1-15-3-1024-no-windows/34512cb4-466c-47cc-9253-c2e13d55e831
This user is associated with the Protected Mode of Internet Explorer that was implemented in 2006 in order to prevent an attack via the internet. This mechanism was deployed in Windows Vista and is present today on Microsoft operating systems. Not only in Windows 10, but in Windows 7 and Windows 8.1. The "unknown user" description occurs because there are no links to any system user group (guest, administrator, and default). In some cases, the user may not be present or be hidden.
The Microsoft Edge or Internet Explorer feature (SID: S-1-15-3-1024) is used by the sandboxed process to access browser-related resources located outside the specific AppContainer locations (local in-system records and files that are readable / writeable to processes running in a specific AppContainer for data storage).
- Proposed as answer by sgorrill Friday, March 2, 2018 9:40 PM
Friday, March 2, 2018 9:40 PM -
First time I saw it was on the root of A.D., and I was having a problem, and it was my first real trial by fire, right after the last of my windows NT servers died....
It was where someone was "playing", adding their name here and there, then the account was deleted when they left the job...
No biggie, in that case, but it seemed like one for a little while. I simply printed out the white papers and best practices and got on the ball, working until it was correct.
blah.no time for profiles.
Tuesday, March 27, 2018 11:55 AM -
You are not alone...
https://www.google.com/search?q=S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681&oq=S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681&ie=UTF-8
blah.no time for profiles.
Tuesday, March 27, 2018 11:57 AM -
All these SIDs (like S-1-15-1024-*) with unusually long numbers are in fact special identities created for sandboxed (and encrypted) AppX containers.
Some of them may be created by Microsoft, but I've seen similar SIDs created by third parties [notably advertised games such as the "Candy Crush Saga" dumb promoted immediately during the installation (without asking any permission before) and that you have to uninstall (but which remains permanently in your online licences wallet, on your Microsoft account, as an "owned application" within your Library of apps: you cannot delete them but you may only "hide" them)].
Microsoft also has other (like S-1-15-1024-*) accounts used while you subscribe to the Insiders program, and one is created to manage your Insiders subscription (and there's a hidden AppX installed, in an encrypted folder for it). You cannot manage these "unknown" SIDs; they are resolved via a parent SID apparently associated with the "Containers" service (Windows 10 now has its own containers for sandboxing AppX and synchronizing them securely with the cloud; the format of the SID allows one to know its parent SID that controls it, but this parent is apparently NOT on your local system, but on the cloud, just like the SID used by "TrustedInstaller", which is also created when you first install your Windows and then later used by Windows Update, from online Microsoft servers or from a WSUS local server); the additional digits after the parent are used to identify the sandboxed ID on the cloud. These accounts cannot be managed locally; they get an Identity only when they are properly connected to the online cloud service with which they were identified and secured by some key exchange and signatures.
These long SIDs are able to continue working when you are offline; they act as a local proxy, but they should only be associated with sandboxed AppX containers (which work more or less like the SELinux contexts in Linux or Android to sandbox apps with a limited view of the local OS and resources).
However, Microsoft should offer a way to identify which locally-hosted sandbox (generally an AppX) is the parent of these SIDs and why and how they could get privileges on various files on the local OS outside their normal storage (in C:\Program Files\WindowsApps, or in X:\WindowsApps if apps were installed or moved to another volume X: using the "Storage preference settings"). For me these leftovers outside their normal storage are a clear breach of privacy, as they are not manageable and often get privileges on the OS.
Microsoft still does not comply correctly with the RGPD rules and should allow users to identify these privileges and cancel them (all you can do is cancel them online with the MS webapp, but they remain permanently hidden on our installed systems, even after we've uninstalled some unwanted AppX): they are real backdoors that allow Microsoft to reuse them silently.
But the pollution of DCOM error events is also unacceptable.
- Proposed as answer by Kai Schätzl (MVP) Sunday, January 13, 2019 10:47 AM
Thursday, June 21, 2018 7:25 AM -
I got it!
It is registryRead capability.
I've dumped all capabilities from Edge Manifest:
internetClient: S-1-15-3-1
privateNetworkClientServer: S-1-15-3-3
childWebContent: S-1-15-3-1024-2440306377-3304611049-1494399071-1161926223-163912384-1437065773-1456820560-2390158196
confirmAppClose: S-1-15-3-1024-719903687-4232398539-3510704256-4190309334-1296461745-392634193-3994393407-3122493104
enterpriseDataPolicy: S-1-15-3-1024-373139346-748750918-1948434659-2643498477-4072104851-1007166015-1979446734-3878125657
extendedExecutionBackgroundAudio: S-1-15-3-1024-1757733230-3792965022-4183625483-1509180916-2800675197-3882158587-2291756888-318020845
extendedExecutionUnconstrained: S-1-15-3-1024-374222737-2106488203-813473153-3732709437-2286922564-1719656165-2804691494-2247406137
featureStagingInfo: S-1-15-3-1024-1045063015-423899465-3012769174-65638258-1865874412-2349348127-763856749-1075684855
hevcPlayback: S-1-15-3-1024-3631914340-188226977-3551325271-2255822655-4149116707-2222894358-109158049-3700719646
packageQuery: S-1-15-3-1024-1962849891-688487262-3571417821-3628679630-802580238-1922556387-206211640-3335523193
packageManagement: S-1-15-3-1024-734518492-402359323-2580938124-1419864735-4212787651-2727913556-228323224-564805089
slapiQueryLicenseValue: S-1-15-3-1024-3578703928-3742718786-7859573-1930844942-2949799617-2910175080-1780299064-4145191454
windowsHelloCredentialAccess: S-1-15-3-1024-1902118268-936929782-3474333872-803346623-1872623265-3899080591-2872335817-3963487957
registryRead: S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
lpacWebPlatform: S-1-15-3-1024-3623855041-1826999956-3747069818-3525260223-3747374510-1746272624-950601168-56556331
lpacAppExperience: S-1-15-3-1024-1502825166-1963708345-2616377461-2562897074-4192028372-3968301570-1997628692-1435953622
lpacCryptoServices: S-1-15-3-1024-3203351429-2120443784-2872670797-1918958302-2829055647-4275794519-765664414-2751773334
lpacIdentityServices: S-1-15-3-1024-1788129303-2183208577-3999474272-3147359985-1757322193-3815756386-151582180-1888101193
lpacEnterprisePolicyChangeNotifications: S-1-15-3-1024-126078593-3658686728-1984883306-821399696-3684079960-564038680-3414880098-3435825201
lpacMedia: S-1-15-3-1024-1692970155-4054893335-185714091-3362601943-3526593181-1159816984-2199008581-497492991
lpacPnPNotifications: S-1-15-3-1024-220022770-701261984-3991292956-4208751020-2918293058-3396419331-1700932348-2078364891
lpacServicesManagement: S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205
lpacSessionManagement: S-1-15-3-1024-1864111754-776273317-3666925027-2523908081-3792458206-3582472437-4114419977-1582884857
lpacInstrumentation: S-1-15-3-1024-3153509613-960666767-3724611135-2725662640-12138253-543910227-1950414635-4190290187
lpacPrinting: S-1-15-3-1024-4044835139-2658482041-3127973164-329287231-3865880861-1938685643-461067658-1087000422
lpacPayments: S-1-15-3-1024-2922296261-1647482768-2017091146-3858667068-4135663662-2931985894-1627820925-818366431
lpacClipboard: S-1-15-3-1024-4092130000-472000003-1670882671-259370826-3862510858-3415016346-1868891083-3396446831
lpacCom: S-1-15-3-1024-2405443489-874036122-4286035555-1823921565-1746547431-2453885448-3625952902-991631256
lpacIME: S-1-15-3-1024-79080987-3398622760-2608912076-1085899501-4039864605-4024366022-736258278-368603348
previewStore: S-1-15-3-1024-3995113440-3884054055-1031826285-344537609-2951767964-1612438789-3955710486-685105120
lpacPackageManagerOperation: S-1-15-3-1024-1742180919-3973133362-3881819074-3076390979-3006877977-1258694795-2087530448-2333862241
smbios: S-1-15-3-1024-1882001508-3166212979-1759549478-1197938037-69236898-20095667-1131865092-67241044
enterpriseAuthentication: S-1-15-3-8
picturesLibrary: S-1-15-3-4
sharedUserCertificates: S-1-15-3-9
userAccountInformation: S-1-15-3-1024-3014353654-4060050185-4188274494-1467411622-2017116772-860365275-2455311434-3523940624
cortanaSettings: S-1-15-3-1024-1216833578-114521899-3977640588-1343180512-2505059295-473916851-3379430393-3088591068
enterpriseCloudSSO: S-1-15-3-1024-983922258-2159917625-2751362240-3284369410-2497023943-943411171-3503282929-3741434461
microsoftEdgeRemoteDebugging: S-1-15-3-1024-2687912068-1527563483-2246345126-2445616054-2679617633-2814117500-2092001380-704615243
liveIdService: S-1-15-3-1024-1941919063-976504945-3191785059-2835515153-1936800635-1519032070-1452055454-2678282739
settingSyncConfiguration: S-1-15-3-1024-4013343662-1780721540-2368661007-3594614809-3500637591-3061816900-1306469177-829351717
storeAppInstall: S-1-15-3-1024-4267310653-3012624349-32869343-335676702-674013981-1531007892-2777328540-762217067
storeConfiguration: S-1-15-3-1024-2707581722-3970398075-3301609242-3412871183-2565310287-2959982868-2531230773-2372594412
targetedContent: S-1-15-3-1024-3036464858-3155602757-2052184566-2810840899-4148930525-1208855857-3369979990-1199230028
location: S-1-15-3-1024-1120341015-4059530845-270443254-1514536596-2315272569-284657971-419501928-776969430
microphone: S-1-15-3-1024-3996699186-3595629362-3480063212-3905085333-2276303035-3068169911-3004821721-4252886170
webcam: S-1-15-3-1024-4131216513-4266103714-3944869821-2853506808-3373049249-4035912394-2659877950-3593780078
- Proposed as answer by Kai Schätzl (MVP) Sunday, January 13, 2019 10:47 AM
Monday, September 3, 2018 8:03 AM -
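An added example, not from any post in this thread, that turns the manifest dump above into something repeatable: deriving a capability SID from its capability name, and naming an unknown S-1-15-3-1024-* SID by testing it against the capability names in an installed package's manifest. It assumes (from public descriptions of how Windows derives capability SIDs, not from this thread) that the eight subauthorities are the SHA-256 of the upper-cased UTF-16LE capability name read as little-endian DWORDs, and it checks that assumption against the registryRead SID quoted above. Get-AppxPackage and the Edge package family name mentioned earlier in the thread are used for the candidate list; legacy Edge is no longer installed on current builds, so that lookup may return nothing and the block falls back to names from the dump.

```powershell
# Added example, not from the thread. Derivation below is an assumption to be verified
# against the registryRead SID quoted in this thread; the block reports match/mismatch.

function Get-CapabilitySid {
    param([Parameter(Mandatory)][string]$Name)
    # Assumed derivation: SHA-256 over the upper-cased UTF-16LE name, read as eight
    # little-endian DWORD subauthorities under the S-1-15-3-1024 prefix.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Name.ToUpperInvariant())
    $hash  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    $subs  = for ($i = 0; $i -lt 32; $i += 4) { [BitConverter]::ToUInt32($hash, $i) }
    'S-1-15-3-1024-' + ($subs -join '-')
}

# Short, fixed-number capability SIDs that appear in the manifest dump above (no hash involved).
$FixedCapabilitySids = @{
    'S-1-15-3-1' = 'internetClient'
    'S-1-15-3-3' = 'privateNetworkClientServer'
    'S-1-15-3-4' = 'picturesLibrary'
    'S-1-15-3-8' = 'enterpriseAuthentication'
    'S-1-15-3-9' = 'sharedUserCertificates'
}

function Resolve-CapabilitySid {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string[]]$CandidateNames
    )
    # The hash is one-way, so an unknown SID can only be named by trying candidate
    # names (e.g. the capability list from a package manifest) and comparing.
    if ($FixedCapabilitySids.ContainsKey($Sid)) { return $FixedCapabilitySids[$Sid] }
    foreach ($name in $CandidateNames) {
        if ((Get-CapabilitySid $name) -eq $Sid) { return $name }
    }
    return $null
}

function Get-PackageCapabilityNames {
    param([Parameter(Mandatory)][string]$PackageFamilyName)
    # Collects the Name attribute of every element under <Capabilities> in the installed
    # package's AppxManifest.xml (Capability, rescap:Capability, DeviceCapability, ...).
    $pkg = Get-AppxPackage | Where-Object PackageFamilyName -eq $PackageFamilyName | Select-Object -First 1
    if (-not $pkg) { return @() }
    [xml]$manifest = Get-Content -Path (Join-Path $pkg.InstallLocation 'AppxManifest.xml')
    $manifest.Package.Capabilities.ChildNodes |
        Where-Object { $_.NodeType -eq 'Element' } |
        ForEach-Object { $_.GetAttribute('Name') }
}

# 1. Cross-check the assumed derivation against the SID this whole thread is about.
$threadSid = 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681'
$derived   = Get-CapabilitySid 'registryRead'
if ($derived -eq $threadSid) { "registryRead derives to the thread's SID: derivation confirmed" }
else { "mismatch: derived $derived; the assumed derivation is wrong, do not rely on it" }

# 2. Name the unknown SID from a package's own manifest (package family name from the thread).
$names = @(Get-PackageCapabilityNames -PackageFamilyName 'Microsoft.MicrosoftEdge_8wekyb3d8bbwe')
if ($names.Count -eq 0) { $names = @('registryRead', 'lpacCom', 'lpacWebPlatform') }  # fallback: names from the dump above
Resolve-CapabilitySid -Sid $threadSid -CandidateNames $names
```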
You're the boss!
Saturday, November 3, 2018 8:45 PM
-
Guys, please, can someone tell me this S-1-15 etc. is not a virus or something like that? I know I don't know anything about all of this, but I was going to my properties and I saw Unknown user S-1-15 etc. I was shitting my pants, I was like somebody is hacking my PC or something like that. Can someone please explain all of these numbers to me? Thank you
Thursday, January 31, 2019 5:56 AM
-
Sincerely, reading this post I feel like I am a lot smarter on this subject. However, now that we have the Edge manifest, and in it I located my particular unknown account, lpacCom, how do I use this intelligence to get rid of the event errors? Trust me, I am lost on most subjects that go deeper than Control-Alt-Delete, but I still read a lot, hoping that one day my brain will comprehend what is being said... but alas, no. So, does having this info help me in ridding myself of the dozens of these things popping up each day?
Oh, thanks to all of you who participated in this treasure hunt, giving me hope that not everyone associated with or using Windows is out to get me.
Edited by Tidestick, Saturday, April 6, 2019 3:15 AM
Saturday, April 6, 2019 3:13 AM
Got here because of a restart of my computer related to RuntimeBroker and a broken permissions setup (see https://answers.microsoft.com/en-us/windows/forum/windows_10-security/event-id-10016-runtime-broker/18c291c6-f2a1-4f3c-b4ad-2b7ff59fd9f9). In my case, the RuntimeBroker had the same user applied to it. Even with the applied PowerShell script, I cannot remove the user. Makes sense if it's the registry read permission!
I'd be curious if others aren't having this issue. Check Event Viewer for errors related to:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
The CLSID and APPID might differ in your case.
Thursday, August 8, 2019 4:16 PM
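The two questions above (how to use the manifest list of capability SIDs, and what to make of the CLSID/APPID in the Event 10016 text) can be answered from the registry without touching dcomcnfg. The PowerShell below is an added example and is not code from anyone in this thread: it extracts the CLSID, APPID and caller SID from an Event 10016 message, reads the AppID's LaunchPermission (or the machine default if the AppID has none), decodes the binary security descriptor, and names each SID in the DACL. Capability SIDs (S-1-15-3-...) are never resolvable through LSA, which is why dcomcnfg shows them as "Unknown Account"; the script falls back to the names from the manifest list posted above for the ones it knows. It assumes it is run as an administrator on the affected machine, and that the manifest list is accurate for that build; the names of the functions are the example's own.

```powershell
# Added example (not from the original thread). Decode a DCOM AppID's
# launch/activation ACL and name the SIDs in it, so that a capability SID
# can be recognised rather than deleted. Run elevated on the affected machine.

# Capability SIDs and names taken from the manifest list posted above
# (assumption: that list matches the build in question). Extend as needed.
$CapabilityNames = @{
    'S-1-15-3-1' = 'internetClient'
    'S-1-15-3-3' = 'privateNetworkClientServer'
    'S-1-15-3-4' = 'picturesLibrary'
    'S-1-15-3-8' = 'enterpriseAuthentication'
    'S-1-15-3-9' = 'sharedUserCertificates'
    'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' = 'registryRead'
    'S-1-15-3-1024-2405443489-874036122-4286035555-1823921565-1746547431-2453885448-3625952902-991631256'  = 'lpacCom'
}

# COM_RIGHTS_* access-mask bits used in DCOM LaunchPermission/AccessPermission ACEs.
$ComRights = @{ 1 = 'Execute'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }

function Get-DcomEventIds {
    # Pull the CLSID, APPID, caller SID and the right being refused out of one Event 10016 message.
    param([Parameter(Mandatory)][string]$Message)
    $guid = '(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
    [pscustomobject]@{
        Clsid     = [regex]::Match($Message, "CLSID\s+$guid").Groups[1].Value
        AppId     = [regex]::Match($Message, "APPID\s+$guid").Groups[1].Value
        CallerSid = [regex]::Match($Message, 'SID \((S-1-[0-9-]+)\)').Groups[1].Value
        Wanted    = [regex]::Match($Message, 'do not grant (.+?) permission').Groups[1].Value
    }
}

function Resolve-DcomSid {
    # LSA cannot translate capability SIDs, so Translate() throws for them; that is the
    # "Unknown Account" dcomcnfg shows. Fall back to the manifest names for those.
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    try { return $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch {
        if ($CapabilityNames.ContainsKey($Sid.Value)) { return "capability:$($CapabilityNames[$Sid.Value])" }
        if ($Sid.Value -like 'S-1-15-3-*') { return 'capability:(not in the list above)' }
        return '(unresolvable)'
    }
}

function Get-DcomPermission {
    # One object per ACE in the AppID's LaunchPermission (or AccessPermission) DACL.
    param(
        [Parameter(Mandatory)][string]$AppId,
        [ValidateSet('LaunchPermission', 'AccessPermission')][string]$Name = 'LaunchPermission'
    )
    $item = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$AppId" -Name $Name -ErrorAction SilentlyContinue
    if ($item) {
        $bytes = $item.$Name; $source = $AppId
    } else {
        # No per-AppID value: the machine-wide default under HKLM\SOFTWARE\Microsoft\Ole applies.
        $bytes  = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name "Default$Name" -ErrorAction Stop)."Default$Name"
        $source = "Default$Name"
    }
    # The REG_BINARY value is a self-relative security descriptor.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = foreach ($bit in ($ComRights.Keys | Sort-Object)) { if ($ace.AccessMask -band $bit) { $ComRights[$bit] } }
        [pscustomobject]@{
            Source  = $source
            AceType = $ace.AceType
            Sid     = $ace.SecurityIdentifier.Value
            Account = Resolve-DcomSid -Sid $ace.SecurityIdentifier
            Rights  = ($rights -join ',')
        }
    }
}

# Constructed input: the Event 10016 text quoted in the post above.
$msg = 'The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable).'
$ev  = Get-DcomEventIds -Message $msg
$acl = Get-DcomPermission -AppId $ev.AppId
$acl | Format-Table -AutoSize

# Does the caller from the event hold the right the event says is missing?
$wanted = $ev.Wanted -replace ' ', ''
$hit = $acl | Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.Sid -eq $ev.CallerSid -and $_.Rights -match $wanted }
if (-not $hit) { "$($ev.CallerSid) is not granted $wanted on $($ev.AppId)" }

# To read live events instead of pasted text:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 } -MaxEvents 20 |
#     ForEach-Object { Get-DcomEventIds -Message $_.Message }
```

The script only reads; it does not change the ACL. The point of decoding the DACL is that an entry whose Account comes back as capability:registryRead or capability:lpacCom is not a stray or orphaned account but an app-container capability that every package with that capability relies on, so it should be left in place. An Event 10016 for a caller such as NT AUTHORITY\LOCAL SERVICE is about a different, missing ACE (the one the last line reports), and that is the entry to add, after taking ownership of the AppID key from TrustedInstaller if you do it through dcomcnfg.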