Strange SIDs in Recycle Bin



 
 
#1
February 20th 18, 06:39 AM, posted to alt.comp.virus,alt.windows7.general
B00ze

Hey all.

I happened to have a look in my laptop's recycle bin (on D drive) the
other day and found this:

S-1-5-21-2265441378-2741054020-2359651104-500
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500
S-1-5-21-3159447838-1600927929-3177602736-1000
S-1-5-21-3159447838-1600927929-3177602736-1004
S-1-5-21-3159447838-1600927929-3177602736-1005
S-1-5-21-3159447838-1600927929-3177602736-500
S-1-5-21-943402231-1081043167-4124935001-1000
S-1-5-21-943402231-1081043167-4124935001-500

The SIDs with the X's are my laptop's current SID's, everything else I
have no idea where it comes from. Even with my laptop's SIDs, I do not
have -1004 and -1005 users. The laptop has always been in a Workgroup,
not a domain, and my other computers do not have those SIDs. I also do
not recall re-installing Windows 7 from scratch (if I did, I did it only
once, ever, but I think I used an image of my early system partition, I
don't think I started from scratch). So where do all these SIDs come
from? C:\ drive is fine, but D:\ drive is a mystery.

Any ideas? I guess some could come from WinPE-booted DVDs, but -1004 or
-1005? I doubt WinPE has more than a single user...

Thank you.
Regards,

--
! _\|/_ Sylvain /
! (o o) Memberavid-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
oO-( )-Oo Why doesn't the glue stick to the inside of the bottle?

#2
February 20th 18, 08:22 AM, posted to alt.comp.virus,alt.windows7.general
VanguardLH[_2_]

B00ze wrote:

> I happened to have a look in my laptop's recycle bin (on D drive) the
> other day and found this:
>
> S-1-5-21-2265441378-2741054020-2359651104-500
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500
> S-1-5-21-3159447838-1600927929-3177602736-1000
> S-1-5-21-3159447838-1600927929-3177602736-1004
> S-1-5-21-3159447838-1600927929-3177602736-1005
> S-1-5-21-3159447838-1600927929-3177602736-500
> S-1-5-21-943402231-1081043167-4124935001-1000
> S-1-5-21-943402231-1081043167-4124935001-500
>
> The SIDs with the X's are my laptop's current SID's, everything else I
> have no idea where it comes from. Even with my laptop's SIDs, I do not
> have -1004 and -1005 users. The laptop has always been in a Workgroup,
> not a domain, and my other computers do not have those SIDs. I also do
> not recall re-installing Windows 7 from scratch (if I did, I did it only
> once, ever, but I think I used an image of my early system partition, I
> don't think I started from scratch). So where do all these SIDs come
> from? C:\ drive is fine, but D:\ drive is a mystery.
>
> Any ideas? I guess some could come from WinPE-booted DVDs, but -1004 or
> -1005? I doubt WinPE has more than a single user...


Shortcuts are .lnk files with attributes pointing to a target executable
file and other options. Not all that appear as shortcuts are .lnk
files. For example, an object can be added to the desktop which looks
like a shortcut; however, right-clicking on it does not present you with
a context menu where you can select to see a normal Properties dialog.
For example, when you right-click on the desktop's Network shortcut,
Properties will take you to that object's wizard dialog. Those
shortcut-like objects are references to registry entries. When you
delete them, the reference gets deleted.

After deletion and while they still reside in the Recycle Bin, are any
of those SIDs still defined in the registry?
#3
February 20th 18, 09:10 AM, posted to alt.comp.virus,alt.windows7.general
Paul[_32_]

B00ze wrote:
> Hey all.
>
> I happened to have a look in my laptop's recycle bin (on D drive) the
> other day and found this:
>
> S-1-5-21-2265441378-2741054020-2359651104-500
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500
> S-1-5-21-3159447838-1600927929-3177602736-1000
> S-1-5-21-3159447838-1600927929-3177602736-1004
> S-1-5-21-3159447838-1600927929-3177602736-1005
> S-1-5-21-3159447838-1600927929-3177602736-500
> S-1-5-21-943402231-1081043167-4124935001-1000
> S-1-5-21-943402231-1081043167-4124935001-500
>
> The SIDs with the X's are my laptop's current SID's, everything else I
> have no idea where it comes from. Even with my laptop's SIDs, I do not
> have -1004 and -1005 users. The laptop has always been in a Workgroup,
> not a domain, and my other computers do not have those SIDs. I also do
> not recall re-installing Windows 7 from scratch (if I did, I did it only
> once, ever, but I think I used an image of my early system partition, I
> don't think I started from scratch). So where do all these SIDs come
> from? C:\ drive is fine, but D:\ drive is a mystery.
>
> Any ideas? I guess some could come from WinPE-booted DVDs, but -1004 or
> -1005? I doubt WinPE has more than a single user...
>
> Thank you.
> Regards,


So you know that four OSes were involved at some point in time.
Which is where the first three large groups of digits come from.

The 500 is administrator. User accounts start at 1000.

And yes, 1004 and 1005 are strange. Especially as two OSes
have the same pattern.

If the XXXXX are Windows 7, is it possible the laptop got
updated to Windows 10, and the SID portion changed to
the 3159447838 number ? That makes it easier to understand how
the account number on the end got duplicated. Maybe this portion
is all from the laptop.

S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500
S-1-5-21-3159447838-1600927929-3177602736-1000
S-1-5-21-3159447838-1600927929-3177602736-1004
S-1-5-21-3159447838-1600927929-3177602736-1005
S-1-5-21-3159447838-1600927929-3177602736-500

Another possible source of leakage might be a USB stick.
Do they leave a residue like that too ?

What about the "updatus" account that the NVidia driver creates ?
It doesn't have a home directory, but perhaps it still needs
a SID. I don't know if Intel, AMD, and Nvidia do that, or
it's just an Nvidia thing.

*******

I can see I have more accounts than I thought. I have an
NVidia card, but no "updatus" account ? I'm also curious
where "1001" got to :-) Is it on vacation this week ?

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

wmic useraccount get name,sid

Name              SID
Administrator     S-1-5-21-448539723-1275210071-1417001333-500
ASPNET            S-1-5-21-448539723-1275210071-1417001333-1004
User Name         S-1-5-21-448539723-1275210071-1417001333-1003
Guest             S-1-5-21-448539723-1275210071-1417001333-501
HelpAssistant     S-1-5-21-448539723-1275210071-1417001333-1000
SUPPORT_388945a0  S-1-5-21-448539723-1275210071-1417001333-1002

https://www.askvg.com/tip-what-is-up...dows-explorer/

Paul
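
The reading given in the post above (the three middle fields identify the Windows install, 500 is Administrator, user accounts start at 1000) can be applied mechanically to the folder names from the first post. This is an added example, not part of any post in the thread; the function names are hypothetical and `CURRENT_RIDS` is an assumed set of accounts that exist on the laptop today.

```python
import re
from collections import defaultdict

# S-1-5-21-<a>-<b>-<c>-<RID>: the three middle fields identify the Windows
# install, the RID identifies the account. 'X' is accepted only because the
# poster masked digits of the current machine's SID.
SID_RE = re.compile(r"^S-1-5-21-([0-9X]+-[0-9X]+-[0-9X]+)-(\d+)$")
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

def parse_sid(name):
    """Return (install_id, rid), or None if this is not an account SID."""
    m = SID_RE.match(name.strip())
    return (m.group(1), int(m.group(2))) if m else None

def triage(folder_names, current_install, current_rids):
    """Group Recycle Bin folder names by install and flag stale ones."""
    report = defaultdict(list)
    for name in folder_names:
        parsed = parse_sid(name)
        if parsed is None:
            continue  # not an S-1-5-21 account SID, ignore
        install, rid = parsed
        fallback = "created account" if rid >= 1000 else "other built-in RID"
        kind = WELL_KNOWN_RIDS.get(rid, fallback)
        if install != current_install:
            status = "other install"
        elif rid in current_rids:
            status = "current account"
        else:
            status = "no such account now"
        report[install].append((rid, kind, status))
    return {k: sorted(v) for k, v in report.items()}

# Install IDs and RIDs exactly as listed in the first post.
PAGE_SIDS = {
    "2265441378-2741054020-2359651104": [500],
    "31222XXXXX-XXXXX1122-8669XXXXX": [1000, 1004, 1005, 500],
    "3159447838-1600927929-3177602736": [1000, 1004, 1005, 500],
    "943402231-1081043167-4124935001": [1000, 500],
}
FOLDERS = [f"S-1-5-21-{i}-{r}" for i, rs in PAGE_SIDS.items() for r in rs]
CURRENT_INSTALL = "31222XXXXX-XXXXX1122-8669XXXXX"
CURRENT_RIDS = {500, 501, 1000}  # assumption: accounts that exist today

if __name__ == "__main__":
    for install, rows in triage(FOLDERS, CURRENT_INSTALL, CURRENT_RIDS).items():
        print(install)
        for rid, kind, status in rows:
            print(f"  {rid:>5}  {kind:<24} {status}")
```

On a live system the folder names would come from listing the hidden `$Recycle.Bin` directory on the drive, and the current RIDs from the `wmic useraccount get name,sid` output shown above.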
#4
February 21st 18, 05:18 AM, posted to alt.comp.virus,alt.windows7.general
B00ze

On 2018-02-20 03:10, Paul wrote:

> B00ze wrote:
>> Hey all.
>>
>> I happened to have a look in my laptop's recycle bin (on D drive) the
>> other day and found this:
>>
>> S-1-5-21-2265441378-2741054020-2359651104-500
>> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000
>> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004
>> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005
>> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500
>> S-1-5-21-3159447838-1600927929-3177602736-1000
>> S-1-5-21-3159447838-1600927929-3177602736-1004
>> S-1-5-21-3159447838-1600927929-3177602736-1005
>> S-1-5-21-3159447838-1600927929-3177602736-500
>> S-1-5-21-943402231-1081043167-4124935001-1000
>> S-1-5-21-943402231-1081043167-4124935001-500
>>
>> The SIDs with the X's are my laptop's current SID's, everything else I
>> have no idea where it comes from. Even with my laptop's SIDs, I do not
>> have -1004 and -1005 users. The laptop has always been in a Workgroup,
>> not a domain, and my other computers do not have those SIDs. I also do
>> not recall re-installing Windows 7 from scratch (if I did, I did it
>> only once, ever, but I think I used an image of my early system
>> partition, I don't think I started from scratch). So where do all
>> these SIDs come from? C:\ drive is fine, but D:\ drive is a mystery.
>>
>> Any ideas? I guess some could come from WinPE-booted DVDs, but -1004
>> or -1005? I doubt WinPE has more than a single user...
>>
>> Thank you.
>> Regards,
>
> So you know that four OSes were involved at some point in time.
> Which is where the first three large groups of digits come from.


Yup, but I only have the one Windows 7 boot partition, that disk never
booted anything else (besides WinPE and Linux optical disks) AND I never
re-installed Windows, as far as I can remember; it's always had the same
SID. So where the hell does the completely different SID (the OTHER one
with 1004/1005) come from? This is really early too - if I look at
the folder dates; I don't know exactly when I purchased that laptop, but
those other SIDs pre-date my first ever image of the system partition by
5 months. Maybe something at the factory?

> The 500 is administrator. User accounts start at 1000.
> And yes, 1004 and 1005 are strange. Especially as two OSes
> have the same pattern.


It could be temporary users, like for .NET optimization or something
like that. I'd have to create a new user to see where the counter is at;
if the new user gets 1006 then we know I had a 1004 and 1005 at some
point (I do not have them right now).

> If the XXXXX are Windows 7, is it possible the laptop got
> updated to Windows 10, and the SID portion changed to
> the 3159447838 number ? That makes it easier to understand how
> the account number on the end got duplicated. Maybe this portion
> is all from the laptop.


Lol, nope, still running Win 7 and as far as I know, still running the
first ever image of it. Ah hell, maybe I did run the laptop for some
months before I re-started from scratch and THEN started taking system
images. It's like 5 years ago, I don't really remember...

> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500
> S-1-5-21-3159447838-1600927929-3177602736-1000
> S-1-5-21-3159447838-1600927929-3177602736-1004
> S-1-5-21-3159447838-1600927929-3177602736-1005
> S-1-5-21-3159447838-1600927929-3177602736-500
>
> Another possible source of leakage might be a USB stick.
> Do they leave a residue like that too ?


Nope, unless you boot WinPE with them, but then they would never leave a
1004/1005 user folder behind...

> What about the "updatus" account that the NVidia driver creates ?
> It doesn't have a home directory, but perhaps it still needs
> a SID. I don't know if Intel, AMD, and Nvidia do that, or
> it's just an Nvidia thing.


Yeah, that's what I'm thinking is the source of those 1004/1005 folders;
some Microsoft update created a user to run whatever, then deleted them;
the users are long gone by now...

> I can see I have more accounts than I thought. I have an
> NVidia card, but no "updatus" account ? I'm also curious
> where "1001" got to :-) Is it on vacation this week ?


Lol, did you never delete a user?

> wmic useraccount get name,sid
>
> Name              SID
> Administrator     S-1-5-21-448539723-1275210071-1417001333-500
> ASPNET            S-1-5-21-448539723-1275210071-1417001333-1004
> User Name         S-1-5-21-448539723-1275210071-1417001333-1003
> Guest             S-1-5-21-448539723-1275210071-1417001333-501
> HelpAssistant     S-1-5-21-448539723-1275210071-1417001333-1000
> SUPPORT_388945a0  S-1-5-21-448539723-1275210071-1417001333-1002


Best Regards,

--
! _\|/_ Sylvain /
! (o o) Memberavid-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
oO-( )-Oo "I am the scourge that pecks at your nightmares!" -Darkwing

 



