What is this (Account Unknown) SID?

  • Question

  • sorry.  in part, while i'm chasing this, i just want to rag about the msdn link See relative identifier which points to itself.  grrrrr.

    question:  what is this weird account   Account Unknown(S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1000)  which has appeared on two different dual-boot installations?  it appeared as a security acl on every file and folder in the user folder on the older (vista) partition.  it got attached immediately upon accessing that folder the very first time from the new windows7 installation.  when i first clicked that user folder, windows7 gave a uac prompt and said the accessibility would be made permanent.  then it went off for about 5 minutes making this change.  that SID exactly matches the filename of a hidden folder in the $recycle.bin.

    the first time i saw this, it was very alarming.  that Account Unknown descriptor has full privileges.  i struggled with icacls to remove it, but couldn't figure out how.  then by luck i discovered a very simple way to remove this security entry globally from every user file it got attached to.  the descriptor "Applies to  This folder, subfolders, and files", so deleting the very first one at the base user folder causes a wizard to go off for another 5 minutes removing all the rest.  easy.

    now i've reinstalled them, since that's how windows7 wants it to be.  but i'd like a little insight.  anybody know what this is all about?


    • Edited by ᅠᅠBanned Saturday, May 22, 2010 5:56 AM clarify: from the new windows7 installation
    Friday, May 21, 2010 6:35 AM

Answers

  • i just booted windows7 and checked the administrator SID at the Command Prompt >  whoami /user   (or whoami /all)

    the SID it reported is the one appearing in all those newly created ACEs in the vista folder.  literally 1000s of files received this new security entry.  upon booting vista, viewing any of those files'  Properties.Security  tab shows the newly added entry, complete with a red ?

        ? Account Unknown(S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1000)

    ---nasty

    • Marked as answer by ᅠᅠBanned Friday, May 21, 2010 6:44 PM
    Friday, May 21, 2010 6:43 PM

All replies

  • This can be a SID of the first user account created on the computer before it was sysprepped or an account from a domain.

    If you see these entries while your computer is joined to the domain, try unjoining from and joining the computer to the domain again. If you still see these entries it is safe to delete them.

    If you see these entries while your computer is a member of a workgroup, it is safe to delete all Access Control Entries (ACEs) in the ACLs of the resources where these entries are present.

    The string of numbers you see is called Security Identifier or SID.

    The SID in a domain is formed by:

    Domain SID + Relative Identifier (RID).
    All security principals (user accounts, computer accounts, security groups) in a domain have a SID that consists of the same Domain SID part and a unique RID part.

    Similarly, all local SIDs on a computer are created as:
    Unique_Computer_SID_part + RID part

    In your case RID is 1000 and gets incremented each time a new security principal is created.
    BTW, RID 1000 is the first user account created (either on a local computer or in a domain). It is not the built-in Administrator account. The built-in Administrator account is 'DomainSID-500' or, in a workgroup, Unique_Computer_SID_part-500.

    You may wish to consult the KB article below for more info about well-known SIDs.
    http://support.microsoft.com/kb/243330


    • Proposed as answer by Dale QiaoModerator Friday, May 21, 2010 8:01 AM
    • Unproposed as answer by ᅠᅠBanned Friday, May 21, 2010 8:57 AM
    Friday, May 21, 2010 7:59 AM
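The SID anatomy in the reply above (issuer part + RID) is easy to check mechanically. The PowerShell below is an added example, not code from the thread or from Microsoft: it splits a SID string into its issuing-authority part and RID, classifies the RID using the well-known values the reply names (500, 501, 1000 and up), and compares the authority part against the local accounts of the installation it runs on. The function names are made up for this example; the sample SID is the one that appears later in this thread, reused here as input.

```powershell
# Added example (not from the thread): split a SID into issuer part + RID and
# check whether an "Account Unknown" SID was issued by this installation.
# Run it from each OS of a dual-boot machine to see which one recognises it.

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # For S-1-5-21-A-B-C-1000 the RID is the last sub-authority; everything
    # before the final hyphen identifies the computer or domain that issued it.
    $idx = $Sid.LastIndexOf('-')
    [pscustomobject]@{
        Sid       = $Sid
        Authority = $Sid.Substring(0, $idx)
        Rid       = [int]$Sid.Substring($idx + 1)
    }
}

function Get-RidMeaning {
    param([Parameter(Mandatory)][int]$Rid)
    # Well-known RIDs named in the reply; 1000 and up are ordinary accounts
    # and groups created after setup, in creation order.
    switch ($Rid) {
        500     { 'built-in Administrator' }
        501     { 'built-in Guest' }
        default {
            if ($Rid -ge 1000) { 'account or group created after setup' }
            else               { 'other well-known RID (see KB 243330)' }
        }
    }
}

function Test-SidOrigin {
    param([Parameter(Mandatory)][string]$UnknownSid)
    $unknown = Split-Sid $UnknownSid
    # Same data as the thread's "gwmi Win32_UserAccount" query, via the CIM cmdlet.
    $local = @(Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True')
    $authorities = $local | ForEach-Object { (Split-Sid $_.SID).Authority } | Sort-Object -Unique
    $match = $local | Where-Object { $_.SID -eq $unknown.Sid }
    [pscustomobject]@{
        Sid              = $unknown.Sid
        Rid              = $unknown.Rid
        RidMeaning       = Get-RidMeaning $unknown.Rid
        IssuedByThisPc   = [bool]($authorities -contains $unknown.Authority)
        LocalAccountName = $(if ($match) { $match.Name } else { '(none: deleted, or issued by another installation)' })
    }
}

# Usage: the SID below is the example SID quoted later in this thread.
Test-SidOrigin -UnknownSid 'S-1-5-21-2275141084-2849885038-3489034743-1000' | Format-List
```

If IssuedByThisPc is true but LocalAccountName is empty, the authority part matches this installation and the account was deleted; if it is false, the SID belongs to a different installation or domain, which is the dual-boot case the thread is about.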
  • thanks Les.  i was just scanning thru msdn info like this  Well-Known SIDs  and TechNet info like this How Security Identifiers Work.  i have seen that info about RID 500 before (built-in Administrator), but can't find a table of RIDs.  where'd you get that from?

    windows7 created those ACEs when i accessed my vista partition.  i already figured out how to undo it.  please read my description above.


    my main concern is that it is unsettling to have my systems polluted with Account Unknown ACEs that give full privilege.  it looks like a virus.

    Friday, May 21, 2010 8:57 AM
  • Open PowerShell console and run the command below

    gwmi Win32_UserAccount -computername "." -filter "LocalAccount=True"

    This should display local user accounts and their SIDs.
    All SIDs should have the same unique Computer_SID_part.
    RIDs:
    Built-in accounts should be:
    500 - Administrator
    501 - Guest

    Local user accounts should start with 1000 and get incremented by 1 each time a new user account is created.

    Try to compare the "Account Unknown" SID with the SIDs of your present accounts. Is the first part the same?

    It can be that the very first account "1000" was deleted, but some service is still using its SID?


    Friday, May 21, 2010 10:54 AM
  • i will tinker with powershell as you suggest.  but look, Les.  i appreciate your trying to be helpful, but please read what i explained.

    the fact remains, upon a virgin windows7 install to a freshly formatted partition, windows7 went and polluted my vista partition.  not at first.  i checked.  but then, before i loaded a single program, i viewed my vista partition's user folder.  just viewed it.  that's when it happened.

    that triggered a uac elevation prompt from windows7, where it said it would make accessibility permanent.  i did not have a clue that meant it would go thru literally 10,000 files and add this Account Unknown ACE.

    net user   and   icacls  do not seem to be able to find any account on the vista partition that corresponds to that SID.

    the only connection i can find is the hidden folder in $recycle.bin  which has that same name.  not SID.  filename.


    my main concern is that it is unsettling to have my systems polluted with Account Unknown ACEs that give full privilege.  it looks like a virus.

    Friday, May 21, 2010 11:31 AM
  • Grits n Gravy,

    I armed myself with a patience of Tao Master. Let's try to sort this out.

    You have a dual boot computer?

    Windows 7 is installed on one partition?

    Windows Vista is installed on another partition?

    While you run Windows 7, you check security settings of the folder on your Vista partition?

    UAC warns you that you need to supply admin credentials and that the system will make permanent security settings changes to the object you are viewing?

    You confirm?

    In the properties of the file/folder you see a suspicious looking account, something like
    S-1-5-21-23451392014-3753191404-2044848958-1000 that has FullControl privilege over the file/folder?

    You believe it was populated by some mysterious process running in your Windows 7 when you confirmed UAC prompt?

    If the above is correct, let's discuss.

    1. The suspicious looking unknown account S-1-5-21-23451392014-3753191404-2044848958-1000 is not the full account object, but its SID. It was created in Vista and is therefore unknown to Windows 7.

    2. Permissions in objects are controlled via Access Control Lists (ACLs). Each list contains a number of entries, called Access Control Entries (ACEs). An ACE consists of a security principal's SID, and multiple types of permissions (Read, Write, Execute etc.), Allow or Deny, Inherited or Explicit.

    IOW, the suspicious looking Unknown Account was not populated when you confirmed UAC prompt. It existed before (it was made by Vista). However, it is unknown to your Windows 7 installation, because it was created in Vista installation and lives in a database called Security Access Manager (SAM) in Vista (Windows\System32\..).
    What happened when you acknowledged the UAC prompt is that Windows 7 added its Windows 7 Administrators group with full control permission to the ACL of your file/folder created from Vista.

    If you successfully removed the suspicious looking Unknown Account, congratulations. Your Vista installation will not work correctly and will probably go to Blue Screen.

    • Proposed as answer by melbournewolf Monday, October 29, 2012 1:27 AM
    Friday, May 21, 2010 12:40 PM
  • I armed myself with a patience of Tao Master. Let's try to sort this out.

    -------

    IOW, the suspicious looking Unknown Account was not populated when you confirmed UAC prompt. It existed before (it was made by Vista). However, it is unknown to your Windows 7 installation, because it was created in Vista installation and lives in a database called Security Access Manager (SAM) in Vista (Windows\System32\..).
    What happened when you acknowledged the UAC prompt is that Windows 7 added its Windows 7 Administrators group with full control permission to the ACL of your file/folder created from Vista.

    If you successfully removed the suspicious looking Unknown Account, congratulations. Your Vista installation will not work correctly and will probably go to Blue Screen.

    now i am getting annoyed.  i said i checked very carefully.  that ACE didn't exist in the vista user folder.  it did not get polluted until...

    ...oh forget it.  you killed this thread.  i will repost.  maybe in a different forum.


    by the way.  i am running vista from that partition right now.  no blue screen on either computer, Tao Master.

    Friday, May 21, 2010 1:05 PM
  • Grits n Gravy,

    I'm sorry to see you losing patience while I try to educate you.

    Still, if your both configurations are working, so much the better. You can conduct a simple test.

    Start your Windows 7 configuration.

    Open PowerShell. Use the Get-Acl cmdlet to show the ACLs of the suspicious file/folder. For example

    PS C:\Users.001> Get-Acl .\Macarena | fl

    Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users.001\Macarena
    Owner  : NT AUTHORITY\SYSTEM
    Group  : NT AUTHORITY\SYSTEM
    Access : NT AUTHORITY\SYSTEM Allow  FullControl
             BUILTIN\Administrators Allow  FullControl
             S-1-5-21-2275141084-2849885038-3489034743-1000 Allow  FullControl
    Audit  :
    Sddl   : O:SYG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FA;;;S-1-5-21-2275141084-2849885038-3489034743-1000)(A;OICI;0x1200a9;;;S-1-5-21-3000280061-405087708-2081603636-1190)

    All your known security principals will be displayed with appropriate name.

    Unknown security principals will be displayed with their SID only. I emphasised one with bold above.

    Make a note of this SID.

    Restart your computer and boot into VISTA.

    Start PowerShell

    Get a list of SIDs of local accounts with the command
    gwmi Win32_UserAccount -computername "." -filter "LocalAccount=True"

    Compare the SIDs with your note.

    Did you find a match?


    BTW, while I've been contemplating about Tao, I found a nice citation. Hint, press right arrow seven times.
    http://www.amazon.com/Entering-Tao-Master-Guidance-Self-Cultivation/dp/1570621616#reader_1570621616

    Friday, May 21, 2010 2:08 PM
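The Get-Acl output above shows the tell-tale sign: a resolvable principal prints as a name (BUILTIN\Administrators), an unresolvable one prints as a bare S-1-... SID. The PowerShell below is an added example, not code from the thread or from Microsoft: it walks a folder tree, reports every ACE whose trustee is a bare SID (what Explorer labels "Account Unknown"), and can remove the explicit entries for one such SID from a folder, which is the cleanup the original poster describes doing by hand at the top of the profile folder. The function names and the path are placeholders.

```powershell
# Added example (not from the thread): find ACEs whose trustee could not be
# resolved to a name, and remove the explicit entries for one such SID.
# Path below is a placeholder; point it at the other installation's profile.

function Get-UnresolvedAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    $items = @(Get-Item -LiteralPath $Path -Force)
    if ($Recurse) {
        $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    }
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            # A name like BUILTIN\Administrators means the SID lookup succeeded;
            # a bare SID means no account on this installation owns it.
            if ($id -like 'S-1-*') {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $id
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Remove-UnresolvedAce {
    # Removes only explicit (non-inherited) entries for $Sid on $Path. Entries
    # below that were inherited from it disappear with it, which is why deleting
    # the one at the top of the profile folder cleaned up the whole tree for the OP.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Sid
    )
    $acl = Get-Acl -LiteralPath $Path
    $targets = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Sid })
    foreach ($ace in $targets) { [void]$acl.RemoveAccessRule($ace) }
    if ($targets.Count -gt 0) { Set-Acl -LiteralPath $Path -AclObject $acl }
    return $targets.Count
}

# Usage (placeholder path): which unknown SIDs appear, how many entries each
# has, and how many of those are explicit (the ones you would remove).
Get-UnresolvedAce -Path 'D:\Users\OldProfile' -Recurse |
    Group-Object Sid |
    Select-Object Name, Count, @{ n = 'Explicit'; e = { @($_.Group | Where-Object { -not $_.Inherited }).Count } }
```

Before removing anything, confirm that an account you can still log on with keeps Full Control on the same objects, as the later reply in this thread does; otherwise you can lock yourself out of the tree.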
  • Grits n Gravy,

    I'm sorry to see you losing patience while I try to educate you.


    there was no Account Unknown security entries in the vista partition before i installed windows7.  then there were.

    can you not read?

    Friday, May 21, 2010 2:16 PM
  • there was no Account Unknown security entries in the vista partition before i installed windows7.  then there were.

    You checked that from VISTA. When you installed VISTA, you had to create the first user account. That account was created with a SID of something like S-1-5-21-2275141084-2849885038-3489034743-1000.

    The important part is '-1000'. This represents the first local user account created on VISTA.

    Of course the ACLs set by VISTA were all known to VISTA.

    Then you installed Windows 7

    Windows 7 created its own accounts. It doesn't know anything about accounts created by VISTA.

    Therefore, account known to VISTA as 'Joe' means nothing to Windows 7. To Windows 7, it is "Account Unknown" and represented just with a SID.

    Friday, May 21, 2010 2:33 PM
  • there was no Account Unknown security entries in the vista partition before i installed windows7.  then there were.

    You checked that from VISTA. When you installed VISTA, you had to create the first user account. That account was created with a SID of something like S-1-5-21-2275141084-2849885038-3489034743-1000.


    false.  i have only an administrator account.  with no password.

    since i have seen this thing happen on one computer previously, i was very careful to check how and when it was happening on a 2nd.  the pollution happened from windows7 uac prompt when accessing the vista partition.  windows7 hinted it would happen, because it said it would make the accessibility permanent.  it then churned on the disk for nearly 5 minutes writing all those 10,000 entries.  that's what happened.

    then, rebooting vista, i removed all those ACEs and confirmed they were gone.  then rebooted windows7, and the vista folder was no longer accessible.

    then, still with windows7, i accessed the vista folder, again via uac prompt.  5 minutes later, windows7 finished installing all those Account Unknown ACEs in the vista partition.  again.  for certainty.


    believe it or not.

    Friday, May 21, 2010 2:43 PM
  • Grits n Gravy, 


    Les52, it looks like he's gone and changed his name to "Mister Black-Boxes" through the wonder of Unicode extended characters.

    Don't worry about him.  He seems to start his days annoyed and it just gets worse, poor guy.  It's no real wonder; Windows treats him awfully badly, almost as though it recognizes him (perhaps by the way he writes, or maybe his IP address is just cursed) and it gives him its worst.  He runs into all kinds of glitches, and they seem to torment him so.  I've tried to advise him to try to work around them - to avoid the pitfalls.  But it just fails again and again to meet his expectations.  Like this inscrutable SID thing did, so many years ago.  Even his versions of Windows prefer to avoid talking to one another on his behalf.

    It might interest you to know there are a whole bunch of "Mister Black-Boxes" in the system...  Some can even be seen conversing with others, because they've been a bit sloppy about covering their tracks.  Or maybe they just can't delete their old posts any more for some reason.

    ᅠᅠ

    ᅠᅠᅠ

    ᅠᅠᅠᅠ

    ᅠᅠᅠᅠᅠ

    ᅠᅠᅠᅠᅠᅠ

    ᅠᅠᅠᅠᅠᅠᅠ

    Fascinating things, these colored boxes.  One can learn much from such simple shapes.


    -Noel


    Detailed how-to in my new eBook: Configure The Windows 7 "To Work" Options

    Wednesday, January 25, 2012 6:37 AM
  • I have the same thing happening with a clean install of Win 7 Ultimate, no domain joins, just workgroup name changes.

    If I create a copy of a folder, this thing prevents me from deleting folders inside without ever opening the folder.

    I don't need this bug, it serves no use to me and costs me time constantly fighting deletions and renaming constantly.

    How do we disable this SID "feature" which is really a bug ?


    Best Regards =)

    Wednesday, February 22, 2012 9:28 PM
  • I manually went to my parent folders and deleted the entry, making sure my own Administrator account had full permissions first. I am hoping this removes the problem for good, I just have no idea why it created itself in the first place.

    Best Regards =)

    Wednesday, February 22, 2012 10:52 PM
  • I was hit with a virus that popped up a window, not Defender or anything like it. I was able to stop it in its tracks and I removed it from the registry, only found it in two places.  But it had already done its stuff and deleted nearly every link in my Programs section. Also my desktop icons were all removed.  I was able to restore all of those as well, but many came back as transparent.  So I try to fix the issue, which is that the icon properties are marked as invisible, yet I see them.  Long story short, as I am checking the visibility, I find this new user on the Properties / Security section: ?Account Unknown(S-1-5-21-603324547-730597012-38171031011) and the user has admin rights!  When I attempt to remove the rights I got an error that the account was inheriting the rights from another account (Mine!) and that I would have to remove the inherited rights to delete the user.  So I do just that. I proceeded to remove the inherited permissions, and voilà, I can now remove the profile from the security section with no problem, but it is on every second icon on the screen, and after about ten of them I came looking for a quick fix. I was hoping to find a way to fix all the icons at once, and also get my links for programs under All Programs put back.  The only group of applications that still have the shortcuts are in MS Office 2010 Professional, all other programs are missing the application links. I am finding it hard to believe it is a Windows initiated account, I am running Win 7 Professional connected to a network of Win Server 2008.  This user is only on the Win 7 machine, not on any other computer.  So, with four other computers running varying versions of Windows 7, why, if it is part of the system, did it not show up until I was hit with the virus?  I received the virus while writing a paper on Global Warming.

    One more thing, there are actually two different accounts, one ends in 1008 and the other in 1011. I checked the root drive, C:, and there are no permissions for these two users in the file system, only attached to the deleted icon shortcuts. So as you might imagine I am curious what it is and how to stop it and restore all the icons.
    • Edited by KeyWiz Sunday, October 21, 2012 1:43 AM added images
    Sunday, October 21, 2012 1:25 AM
  • I armed myself with a patience of Tao Master. Let's try to sort this out.

    You have a dual boot computer?

    Windows 7 is installed on one partition?

    Windows Vista is installed on another partition?

    While you run Windows 7, you check security settings of the folder on your Vista partition?

    UAC warns you that you need to supply admin credentials and that the system will make permanent security settings changes to the object you are viewing?

    You confirm?

    In the properties of the file/folder you see a suspicious looking account, something like
    S-1-5-21-23451392014-3753191404-2044848958-1000 that has FullControl privilege over the file/folder?

    You believe it was populated by some mysterious process running in your Windows 7 when you confirmed UAC prompt?

    If the above is correct, let's discuss.

    1. The suspicious looking unknown account S-1-5-21-23451392014-3753191404-2044848958-1000 is not the full account object, but its SID. It was created in Vista and is therefore unknown to Windows 7.

    2. Permissions in objects are controlled via Access Control Lists (ACLs). Each list contains a number of entries, called Access Control Entries (ACEs). An ACE consists of a security principal's SID, and multiple types of permissions (Read, Write, Execute etc.), Allow or Deny, Inherited or Explicit.

    IOW, the suspicious looking Unknown Account was not populated when you confirmed UAC prompt. It existed before (it was made by Vista). However, it is unknown to your Windows 7 installation, because it was created in Vista installation and lives in a database called Security Access Manager (SAM) in Vista (Windows\System32\..).
    What happened when you acknowledged the UAC prompt is that Windows 7 added its Windows 7 Administrators group with full control permission to the ACL of your file/folder created from Vista.

    If you successfully removed the suspicious looking Unknown Account, congratulations. Your Vista installation will not work correctly and will probably go to Blue Screen.

    Thank you for that patience; it completely answered a query I had between my laptop upgrade to 8 and access between it and my tower running 7. Kudos for the persistence in continuing education in the case of illogical responses. I often swap external HDDs around when tinkering so that I don't accidentally wipe my data.
    • Edited by melbournewolf Monday, October 29, 2012 1:34 AM context
    Monday, October 29, 2012 1:30 AM
  • In other words, the Windows platform and ACL security is version specific to each version of windows.  If it wasn't, perhaps Windows 7 would be able to read and understand the accounts in Vista.

    If it wasn't, then users would only have to set up their ACLs one time and be assured that the OS, any OS, would be able to read and obey the ACLs as configured, using the actual names that a user would be expected to recognize.

    A new OS would not have to add additional entries to an ACL list because it would utilize the SYSTEM level settings in the ACL.  It would also read and recognize users who have already been setup.  But then, it would have to have non-version specific user information, and what a pain that would be.  It makes sense that I need to have a different account setup for every version of an OS.

    At the absolute, utter worst, a new OS having to add entries to an ACL would at least ask for a user recognizable name - just seeing UNKNOWN ACCOUNT anything listed with admin rights gave me the extreme willies.  And since you can't actually see the entire name and SID because the window is too small to display the whole thing, and we live in an age of aggressive viruses, I would think it would be better to allow the user to specify the name or name it something like (Vista Administration Account).

    These, of course, are only my opinion.  The current handling goes well with the use of all the bogus Symlinked directories and other annoying things that get created when you upgrade a windows OS.  At least I don't have to worry about my personal documents anymore - I learned to move those out of the My Documents folder a long time ago.

    Wednesday, December 10, 2014 2:02 AM
  • what you are seeing is a security permission that carried over from files. if you backed up your user files and restored them, you should take ownership to remove the older file/folder permissions.

    may the odds forever be in your favor.

    Wednesday, August 19, 2015 6:49 PM