Old February 20th 18, 08:10 AM posted to alt.comp.virus,alt.windows7.general
Paul[_32_]
Strange SIDs in Recycle Bin

B00ze wrote:
Hey all.

I happened to have a look in my laptop's recycle bin (on D drive) the
other day and found this:

S-1-5-21-2265441378-2741054020-2359651104-500
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500
S-1-5-21-3159447838-1600927929-3177602736-1000
S-1-5-21-3159447838-1600927929-3177602736-1004
S-1-5-21-3159447838-1600927929-3177602736-1005
S-1-5-21-3159447838-1600927929-3177602736-500
S-1-5-21-943402231-1081043167-4124935001-1000
S-1-5-21-943402231-1081043167-4124935001-500

The SIDs with the X's are my laptop's current SIDs, everything else I
have no idea where it comes from. Even with my laptop's SIDs, I do not
have -1004 and -1005 users. The laptop has always been in a Workgroup,
not a domain, and my other computers do not have those SIDs. I also do
not recall re-installing Windows 7 from scratch (if I did, I did it only
once, ever, but I think I used an image of my early system partition, I
don't think I started from scratch). So where do all these SIDs come
from? C:\ drive is fine, but D:\ drive is a mystery.

Any ideas? I guess some could come from WinPE-booted DVDs, but -1004 or
-1005? I doubt WinPE has more than a single user...

Thank you.
Regards,


So you know that four OSes were involved at some point in time.
Which is where the first three large groups of digits come from.

The 500 is administrator. User accounts start at 1000.

And yes, 1004 and 1005 are strange. Especially as two OSes
have the same pattern.

If the XXXXX are Windows 7, is it possible the laptop got
updated to Windows 10, and the SID portion changed to
the 3159447838 number? That makes it easier to understand how
the account number on the end got duplicated. Maybe this portion
is all from the laptop.

S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500
S-1-5-21-3159447838-1600927929-3177602736-1000
S-1-5-21-3159447838-1600927929-3177602736-1004
S-1-5-21-3159447838-1600927929-3177602736-1005
S-1-5-21-3159447838-1600927929-3177602736-500

Another possible source of leakage might be a USB stick.
Do they leave a residue like that too?

What about the "updatus" account that the NVidia driver creates?
It doesn't have a home directory, but perhaps it still needs
a SID. I don't know if Intel, AMD, and Nvidia do that, or
it's just an Nvidia thing.

*******

I can see I have more accounts than I thought. I have an
NVidia card, but no "updatus" account? I'm also curious
where "1001" got to :-) Is it on vacation this week?

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

wmic useraccount get name,sid

Name SID
Administrator S-1-5-21-448539723-1275210071-1417001333-500
ASPNET S-1-5-21-448539723-1275210071-1417001333-1004
User Name S-1-5-21-448539723-1275210071-1417001333-1003
Guest S-1-5-21-448539723-1275210071-1417001333-501
HelpAssistant S-1-5-21-448539723-1275210071-1417001333-1000
SUPPORT_388945a0 S-1-5-21-448539723-1275210071-1417001333-1002

https://www.askvg.com/tip-what-is-up...dows-explorer/

Paul
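To check Paul's reading of the folder list (four installations, 500 = Administrator, accounts from 1000 up), here is an added Python example that is not from the thread: it splits each S-1-5-21 SID into its machine identifier and RID and groups the recycle-bin folder names by installation. The SID list is copied from B00ze's post, X's included; the RID labels are the well-known values Paul quotes.

```python
import re
from collections import defaultdict

# Built-in RIDs; anything >= 1000 is an account created on that installation.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}
# S-1-5-21-<a>-<b>-<c>-<RID>: a-b-c identifies the machine or domain the
# account was created on. X is accepted so redacted values still group.
SID_RE = re.compile(r"^S-1-5-21-([0-9X]+-[0-9X]+-[0-9X]+)-(\d+)$")

def parse_sid(sid):
    """Return (machine_id, rid) for an account SID, else raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an S-1-5-21 account SID: {sid}")
    return m.group(1), int(m.group(2))

def describe_rid(rid):
    """Label a RID as a built-in account or a locally created one."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "local account" if rid >= 1000 else "other built-in"

def group_by_machine(sids):
    """Map each distinct machine identifier to the sorted RIDs seen under it."""
    groups = defaultdict(list)
    for sid in sids:
        machine, rid = parse_sid(sid)
        groups[machine].append(rid)
    return {machine: sorted(rids) for machine, rids in groups.items()}

def report(sids):
    """One line per installation: machine id, then each RID with its label."""
    return [f"{m}: " + ", ".join(f"{r} ({describe_rid(r)})" for r in rids)
            for m, rids in group_by_machine(sids).items()]

# Folder names from the original post (X = digits redacted by the poster).
RECYCLE_BIN_SIDS = [
    "S-1-5-21-2265441378-2741054020-2359651104-500",
    "S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000",
    "S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004",
    "S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005",
    "S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500",
    "S-1-5-21-3159447838-1600927929-3177602736-1000",
    "S-1-5-21-3159447838-1600927929-3177602736-1004",
    "S-1-5-21-3159447838-1600927929-3177602736-1005",
    "S-1-5-21-3159447838-1600927929-3177602736-500",
    "S-1-5-21-943402231-1081043167-4124935001-1000",
    "S-1-5-21-943402231-1081043167-4124935001-500",
]
```

`report(RECYCLE_BIN_SIDS)` yields four lines, one per distinct machine identifier, and shows the same 500/1000/1004/1005 pattern under both the redacted and the 3159447838 identifiers that Paul points out.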