I've got very strange HKEY_USER registry keys.

  • Question

  • I was looking at the registry and found three very strange keys that I don't understand under HKEY_CURRENT_USER (and HKEY_USER). I'm logged in under a local account with admin privileges, Windows 10 1703. Can someone explain the S-1-5-21 users? Is it just me? Can I just get rid of those keys? They really don't have much at all in data.

    Wednesday, November 22, 2017 1:03 AM

All replies

  • Hi,

    Each registry key located under the HKEY_USERS hive corresponds to a user on the system and is named with that user's security identifier, or SID.

    While you'll likely have .DEFAULT, S-1-5-18, S-1-5-19, and S-1-5-20, which correspond to built-in system accounts, your S-1-5-21-xxx keys will be unique to your computer since they correspond to "real" user accounts in Windows.
    The HKEY_CURRENT_USER hive acts as a kind of shortcut to the HKEY_USERS subkey corresponding to your SID.

    In other words, when you make changes in HKEY_CURRENT_USER, you're making changes to the keys and values under the key within HKEY_USERS that's named the same as your SID.
    I noticed your SID is S-1-5-21-2421686853-2596532319-3253155357-1001, so HKEY_CURRENT_USER will point to HKEY_USERS\S-1-5-21-2421686853-2596532319-3253155357-1001. Edits can be made in either location since they are one and the same.

    We could use the command line below as administrator to check the SID:

    wmic useraccount get name,sid



    • Proposed as answer by Joy-Qiao Thursday, November 23, 2017 6:50 AM
    Thursday, November 23, 2017 6:50 AM
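
The SID-to-key mapping described in the reply above, as an added PowerShell example that is not part of the original thread: it lists the subkeys of HKEY_USERS, resolves each SID to an account name, and marks the key that HKEY_CURRENT_USER points to. It only reads from the registry; the output column names are chosen for this example.

```powershell
# Added example: show which account each HKEY_USERS subkey belongs to.
# Read-only. Run on Windows in Windows PowerShell 5.1 or later.

# SID of the account running this session; HKEY_CURRENT_USER is a view of
# HKEY_USERS\<this SID>.
$currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# GetSubKeyNames() returns only the names, so keys the caller cannot open
# (for example another profile's hive) are still listed.
$rows = foreach ($keyName in [Microsoft.Win32.Registry]::Users.GetSubKeyNames()) {

    # Per-user class registrations are loaded as "<SID>_Classes".
    $sidText = $keyName -replace '_Classes$', ''

    if ($sidText -match '^S-1-\d+(-\d+)+$') {
        try {
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Thrown when no account on this machine or domain owns the SID,
            # e.g. a hive left loaded for a deleted user.
            $account = '(SID does not resolve to an account)'
        }
    } else {
        # .DEFAULT is not a SID; it is the LocalSystem profile, not a
        # template for new users.
        $account = '(not a SID)'
    }

    [pscustomobject]@{
        Key           = "HKEY_USERS\$keyName"
        Account       = $account
        # S-1-5-21-... SIDs are the "real" user accounts described above.
        UserAccount   = $sidText -like 'S-1-5-21-*'
        IsCurrentUser = $sidText -eq $currentSid
    }
}

$rows | Format-Table -AutoSize
"HKEY_CURRENT_USER -> HKEY_USERS\$currentSid"
```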
  • Thanks, Joy-Qiao. I probably was not clear in the original post. It's the last three keys with the weird characters that I'm wondering about. They are all identical and look like this (cache2 and ext keys are empty):

    I am wondering who would have put them there... Windows 10, or some application. I'll probably just delete them but I'm curious as to what they may be. And I wonder if anyone else has them.

    Thursday, November 23, 2017 3:35 PM
  • Here is someone with the same pattern of entries:
    [WIN7] Chinese letters/Words in registry
    and I concur with their idea: some buggy program is writing the keys.
    Thursday, November 23, 2017 8:14 PM
  • Whilst I concur with what EckiS has stated, I'd just like to add that if you do remove them, export a copy first so that they can be restored in the unlikely event that it breaks an application.

    Thursday, November 23, 2017 11:06 PM

  • I now believe this problem is related to Avast Browser Cleanup because I see HKCU\Software\Avast Software\Avast Browser Cleanup, which has the same "cl" data and "cache2" and "ext" subkeys.

    I went into the Component settings in Avast Free Anti-virus and the customization for the Browser Cleanup showed the feature unchecked. Regardless, I have now uninstalled the component so we'll see if it reappears.
    • Proposed as answer by -Jacob- Saturday, February 10, 2018 11:31 PM
    Friday, December 15, 2017 11:52 PM