I have been doing some system purging of spyware via spybot.

I also used regedit to cleanup remnants of stuff leftover from spybot.

In the HKEY_USERS section of the registry there is one section named
..DEFAULT Under that is various subsections.

In addition to .DEFAULT there are a series of sections named S-1-5-xx with
xx being number 18 - 21. for some sections there is a matching section with
_classes appended to the S-1-5-xx ( Ex. S-1-5-19_CLASSES). The s-1-5-21
entries have long series of digits attached. Under one of these section is
a key with the title of username and then entries for each of the user
accounts on this system.

These entries of S-1-5-xx are throughout the registry as well as in the
HKEY_USERS section.

My question is: Are these registry entries legit or are they the result of
some sort of virus or spyware?

Thanks,
Lee.

On Sat, 27 Dec 2003 20:05:58 GMT, Lee Bailey wrote:

> I have been doing some system purging of spyware via spybot.
>
> I also used regedit to cleanup remnants of stuff leftover from spybot.
>
> In the HKEY_USERS section of the registry there is one section named
> .DEFAULT Under that is various subsections.
>
> In addition to .DEFAULT there are a series of sections named S-1-5-xx with
> xx being number 18 - 21. for some sections there is a matching section with
> _classes appended to the S-1-5-xx ( Ex. S-1-5-19_CLASSES). The s-1-5-21
> entries have long series of digits attached. Under one of these section is
> a key with the title of username and then entries for each of the user
> accounts on this system.
>
> These entries of S-1-5-xx are throughout the registry as well as in the
> HKEY_USERS section.
>
> My question is: Are these registry entries legit or are they the result of
> some sort of virus or spyware?
>
> Thanks,
> Lee.

They're normal.
--
Sharon F
MS MVP - Windows XP Shell/User

Lee Bailey wrote:
> I have been doing some system purging of spyware via spybot.
>
> I also used regedit to cleanup remnants of stuff leftover from spybot.
>
> In the HKEY_USERS section of the registry there is one section named
> .DEFAULT Under that is various subsections.
>
> In addition to .DEFAULT there are a series of sections named S-1-5-xx
> with xx being number 18 - 21. for some sections there is a matching
> section with _classes appended to the S-1-5-xx ( Ex.
> S-1-5-19_CLASSES). The s-1-5-21 entries have long series of digits
> attached. Under one of these section is a key with the title of
> username and then entries for each of the user accounts on this
> system.
>
> These entries of S-1-5-xx are throughout the registry as well as in
> the HKEY_USERS section.
>
> My question is: Are these registry entries legit or are they the
> result of some sort of virus or spyware?
>
> Thanks,
> Lee.

The alphanumeric number you are seeing is the Security Identifier. (SID)
A data structure of variable length that identifies user, group, and
computer accounts. Every account is issued a unique SID when the account is
first created. Internal processes in Windows refer to an account's SID
rather than the account's user or group name. These contain your rights and
permissions.

Microsoft Windows XP - Well-Known Security Identifiers:
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prnc_sid_cids.asp?frame=true


--
Ronnie Vernon
Microsoft MVP-Windows Shell/User

Please reply to the newsgroup so all may benefit.
http://www.dts-l.org
http://www.mvps.org